
Jonathan Creekmore and Michael Edie - Hide and Seek with EMET

BSides Augusta 2016 · 48:12 · 36 views · Published 2016-09

About this talk

Video from BSidesAugusta 2016.

Transcript [en]

...and especially the ones where I actually stayed for the whole talk, this has been really awesome. Like Paul Melson, I don't know if you caught that just now, but that was a pretty awesome talk. We had them in here today; I don't know if any of you were here earlier, where we had people sitting on the floor. So I mean, it's just been a really good day, and I'm really happy they got to be a part of it. Got a t-shirt to give away: first person to raise their hand and tell me who sponsored the CTF. Right here. Keep... oh, you gotta pronounce it.

Right, okay. And then let me think of a good one: which sponsor gave away the little stuffed onions? All right, ready? All right, off the network card. Okay, so we saved the best for last here in this track, so I have for you John Creekmore and Michael Edie. Go. [Applause] All right, thanks Phil. Phil works really hard, everybody, with a lot of things here: BSides board, ISSA, Security Union Solutions and a lot of things in the community, just as a person here, so thanks Phil. So my name is John Creekmore, this is Michael Edie, he's my co-presenter, and we're going to be talking today

about Hide and Seek with EMET. So this is a defensive track talk for the most part, if anybody hasn't seen that yet. We're going to talk a little bit more today about the Enhanced Mitigation Experience Toolkit. This is a free solution that Microsoft has; they've had it for several years now, and a lot of people have it in their environments. By show of hands, how many people have actually deployed this tool before? Okay. So how many people feel that they are pretty comfortable with using this tool? Okay, cool. And then another thing: how many people feel they really know this tool? Okay, oh good, very good, nice. For a lot of people it's one of those things,

it seems like, as Mike and I talked about, where a lot of times people are using EMET but they don't really fully understand how it's deployed, how to control it, how to manage it and how to push it through their environments. So this is our agenda today: we're going to talk about pretty much the overview of EMET, what it can do for us; we're going to go into using it for defense and security; historical issues, where we're going to talk a little bit about some of the flaws EMET has had in the past and the myriad of things that Microsoft has done to try to keep it going. It is a free tool; it's not

something that has a great amount of resources and budget going into it, so if you know how to use it right it's a very good solution that they provide you for free. And MSRC, the Microsoft Security Research Center, is doing a great amount of things right now to push it forward, because as many people know we're looking at some next-generation Windows stuff coming out of the woodwork, and .NET Core is going open source. There's a lot of things going on right now with Windows, making it more interoperable across platforms, from client, if you've heard of Server Core coming out. So a lot of people are thinking, what are we doing

moving forward to maintain this tool. And then Michael's going to give pretty much the demo, where he's going to break everything down, show you some things about EMET, show you that it works, show you that it doesn't sometimes, and obviously how to use it more effectively. And then we'll go into discussion and questions quickly. So, okay, that's $20 worth of metrics. No, that's not why this is up here. You're not going to get this all in a day; there's a lot of things to use EMET for. People think that this is one of those tools where you can very quickly quantify your return on investment for using it, you want to, but

absolutely, for coming here today we hope that you're going to go back and have a game plan for how you're going to use this more effectively, as well as, if you do have an environment where you train others, train them as well. Thanks. All right, so I don't really have cool handles; recently, Mr. Reboots is a nickname I got from a lot of people. A little bit about me: before coming here I was in Seattle, and I used to spend a lot of time with the .NET developer guys out there out of Redmond. They're a really good community; if you ever get the chance to actually head out to Redmond or Bellevue, Washington, stop by some of

their meetings. They have meetups and stuff; a couple hundred developers get together and really just hash out a lot of things. College is cool. I do a lot of things with charities for the most part, and yeah, there's some professional cool stuff that I've done. Right now I'm working as a chief security officer and director of information technology on a board for a venture capital firm. So, next. All right, so that's a little bit about me; you can read the slides, it's pretty self-explanatory. If you haven't heard of Smash the Stack, it is basically a vulnerability network: you can go in there and do wargames, so buffer overflows,

all the different vulnerabilities you can think about, format strings, off-by-ones, I mean you name it. We also have web app pentesting, and we have an IRC channel. Most of you have heard of it; if you haven't, go to smashthestack.org and check it out. And that's me. All right, so we're going to break into defining a little bit more about EMET, explaining it better in detail: what it is and why you should care. All right, so basically, looking back at the Enhanced Mitigation Experience Toolkit, one of the things about this is a lot of people don't really understand what it's intended for. Microsoft officially

originally brought it forward so that we could actually maintain a lot of legacy applications out there in the wild. A lot of people are running older server editions; they have applications that are proprietary, third party, and they have to maintain them. It's not as simple as saying, hey, I'm going to go ahead and update my operating system, patch everything forward on Tuesday, and hey, we're going to go. There were a lot of issues that we could not just maintain moving forward, especially with the jump to 64-bit application architectures. So the Microsoft Security Research Center was saying, hey, what can we do to try to bring some of the software patching, I don't want to say

patching per se, but it was the mentality of saying, okay, what can we do in legacy systems to still protect against advanced memory exploits and vulnerabilities out there? So they came up with EMET for that purpose, and it's free and still maintained, as we stated. It mitigates vulnerabilities in software, so software vulnerabilities, [inaudible] protection; we're going to break into that slide later on here in a little bit and explain more about the actual security controls for it. And then cyber attacks target corruption, so a lot of things working with ROP attacks, return-oriented programming, and all that; we'll discuss that further. Next. All right, so command line: EMET

has a command line for a lot of people who like to administrate from the command line; that's up to you. There are different things that you need to know about working with the command line. Of course it does have a GUI, for the most part. How many people have actually worked in the EMET GUI? Okay, cool. How many people work at the EMET command line? Really? Okay, well, no, that's good, that's good. Hopefully you'll share that with some of these folks. It's quicker if you know what you're doing with it; it's really rapid to deploy it, Michael will show that in his demo, and also to change your configurations, which are easy to manage there on the command

line too. And it can aid in detecting targeted attacks; a lot of people don't really use EMET at the cyber intelligence level, layer 8 of the OSI, right? When you talk about EMET you have granular control, so you can actually break down every single process control, every memory protection control that EMET can do for these DLLs and all these processes. So when you use that effectively, that can help. All right, so we're talking about, hey, maybe I want to see if my browsers are getting certain types of attack protection, right? So you can go in there, you can turn it on, you can turn it off,

and then that can help you with troubleshooting. You can take it another step forward, and with EMET you can actually control how certain applications are going to utilize EMET's functions. And then it's heavy on memory protection, but also SSL pinning. So yeah, SSL pinning is one of the things that people don't really dive into. Has anybody actually used it, like really, like "this has saved my environment"? Be honest here, right? So SSL pinning: Microsoft digitally certified websites. How many are there? Explicitly, Microsoft has several; it's not very large though, it's a very low quantity of pre-certified websites. You can work with getting more in there, but it's really just something they're

working actively on right now, building into that function. So, next slide please. All right, so this is a breakdown; this came from CBS Security, because you [inaudible] more than you do, that's really cool. But anyway, this is actually the breakdown of all the mitigation efforts that EMET works towards. These are all the different types of memory controls and injections, and every one of these is able to be turned off and turned on. Some of the more common ones that we're probably going to talk about today in the demo are everything that works with return-oriented programming. So, breaking that down, return-oriented programming: it's going to work a lot at stack pivots,

execution flow, where things are getting called in from, so the caller checks, memory protection functions, to make sure that we're not executing things from areas of memory that are not supposed to be marked as read-write, maybe it's only read-only, what's going on with that. So we're not going to kill that. Next slide. That's all on Microsoft's official documentation, by the way. All right, so using EMET with defenses: how are we going to actually get into talking about this? So what cyber protection does it provide? 32-bit legacy applications that were older, we covered this already a bit, that were compiled with older compilers; this is very common. So Michael works a lot with

compiling, and he knows more than I do about this, to be fair. But in the .NET world, as a .NET coder, how many programmers have we got in the room, I wonder? Okay, well great, awesome. Stand up, yeah, get excited. So for real, we're very visual people; we work a lot in IDEs, like Visual Studio. Well, Microsoft, this is why we have conferences called... So no, really though, the thing about it is we've been very dependent on allowing these IDEs to pretty much automate the compiling process for years for us. So a lot of people that are out in the wild developing applications don't really get deep into understanding the

compilation process; the just-in-time compiler and everything else does a lot for us. We really focus a little bit more on the programming logic of applications and the features that they provide to the end user. So a lot of the older compilers are compiling all these applications, and they don't have certain protection functions in, like that for example; it's very common, moving into about the time where we have 64-bit coming around on the market. So people still use these every day. I don't know, I've done this job for 10 years and we still have applications that are being pushed out now, 32-bit, even today, and they don't have execution prevention

included. So Microsoft and non-Microsoft software, that's a big thing; it doesn't have to be enterprise-class protections. It will absolutely work to protect 32-bit applications, as well as 64-bit ones, that are third party, but you need to be cognizant of understanding that Microsoft can't absolutely say what third-party software is going to do for you. It may actually cause complex functionality issues, so it may crash them; trying to protect them in memory can actually cause them not to work. So just be cognizant of that. And then .NET Framework, of course, is required; .NET. Next. All right, so this is just kind of a continuation: new tricks, old platforms, really. It's not a one-trick pony,

though, just be understanding of that. And then line-of-business apps, a real big thing today; we talked about that too. How many people work with managed security, or work as an MSP, managed services for IT? Okay, so, okay, one, two. Okay, so how many times do you have a customer or client that's like, hey, I've got this thing in my environment, I don't know what it does, it's a popup window, it's annoying, can you just turn it off? All right, okay, yeah, all the time with that. So people generally just disable it. Michael's going to show you in the demo, though, what you can do to actually not just nuke EMET but to

use it more effectively, and then you can of course opt into all its functions for every single critical protection. Thanks. All right, so the mitigations: we're going to focus on the ROP stuff for the demo. This is self-explanatory; if this is like a higher level of computer science stuff or whatever, then please go back and check them all out. There's not going to ever be a shortcut with EMET; if you're going to start working in it, using it effectively and correctly, you need to understand and take the time to do the homework, basically, on all of these security controls. We're not saying that you've got to go dig in the weeds and understand

how memory works and how we've written everything at the operating system level; you just need to know kind of the functional use of each one of these protections. So of course when we're talking about ROP stuff like caller checks, like I said earlier, we're making sure these critically protected functions aren't being called in from other libraries and stuff that aren't relevant to where they should actually be executed from. Looking at SimExecFlow: SimExecFlow is kind of cool, because what it does is it's actually going to run through the process of execution steps a couple of times. So think about looking into the future, like okay, let me see where this is going, bam, bam, bam, okay, it really

shouldn't be getting called as a jump and return off the stack, which obviously commands some memory around. And then LoadLibrary check is really cool; that happens a lot with LLC, people try to start pulling... hackers, right, so they'll write these exploits to try to start pulling things out of memory that come from all sorts of other applications. You've got something like Windows Update running in the background; it's got these really cool gadgets, little short pieces of code in memory that are already loaded from some other process, a legitimate function, and you're trying to attack a certain process. So they try to reach out there and say, hey, I want you to go ahead and

load in something that I can use; it's a legitimate item in memory for Windows right now, and it shouldn't think that this is irregular. So don't really worry so much about what's on the left side, I mean you have to understand all these, but for the talk you should be on the right side. Next. All right, so risks to using EMET: a lot of people tend to forget that there are some nuances with it. Of course, if I start wrapping some of your memory, the way it was coded or programmed, you may use functions from places... One of the things is the commands that are issued

instead of using caller checks or jump and return; it can also cause your application to crash. And then production environment, I think it's pretty self-explanatory; I wanted to put it on the slide because it's more of an operational control. But of course EMET is good, it can be GPO deployed and things, and configured remotely, but do not just start pushing it out, please. Always test: put it on a control box, play around with it a bit, and then get your config file up and running. And then SSL pinning: don't really depend on it right now; they're working on it to become a little more robust, where users can be a little bit more

in control. Thanks. All right, so historical issues. I'm going to try to blow through this quickly. Basically, in the past EMET's had a bunch of problems. Okay, we set EMET up, yeah, it is what it is, it doesn't protect itself. Back in EMET 4, so with EMET 4 we kind of have this rise of issues: the BlueHat challenge was issued. Microsoft had their own conference and said, hey, we're going to throw this out there, we're going to have a challenge, and whoever thinks that they can actually exploit memory that's being protected by EMET, or an application, we want to know why and we're going to give out a prize. I mean, yay, so that's cool, right? There

were some really creative ideas that came out of that. So basically, in a nutshell, EMET works by wrapping, hooking the application, right? So EMET.dll actually goes and injects itself as a DLL injection, just the kind that a lot of attacks work with today. So it injects itself, almost like Meterpreter, into running processes in memory, and it does some things with that memory in the process it's involved in. So at 4.1 people decided that they were going to do some really cool stuff to kind of own it. But anyway, WOW64 is one of the big issues that we have today: when running it at a hypervisor layer for 64-bit compliance, running 32-bit applications at a 64-bit layer right now will cause a

lot of issues, because EMET doesn't have the 64-bit protections yet enabled for WOW64, fully developed. So just note that; that's important, because for a lot of browsers today, I think last year there was a survey saying about 80% of browsers were actually running 32-bit on a 64-bit hypervisor layer, and EMET was like, hey, I'm protecting this, but none of my controls work because they're all [inaudible] and you're running on x64. So be careful with that. Next. All right, so blasting through this a little bit more: several folks and groups have found ways to defeat it. BlueHat; we're going to talk really quick about Bromium Labs, Jared

DeMott, and also... Next. All right, so in a nutshell, I'll call this out, it's pretty simple: Jared was a really, really smart person, because he said, hey, I'm going to take and I'm going to tap every single critical control that EMET can provide you as protection, so every single one of its mitigation techniques. Jared and they were like, well, let's see how we can defeat these things. They came up with some pretty good ideas about using stuff that's already there, how we can get around, bypassing some things: we can avoid caller checks, we can get around EAF by pulling in import tables instead of export, if you aren't real big on memory, how that works.

In a nutshell, we're going to use what's already out there running in the average Windows environment and memory, and start playing around with some of that stuff and see what we can get around and bypass. Next. All right, so DeMott figured out that he can get some return-oriented programming code actually running and working, and basically DeMott was like, hey, I could take the stuff that's out there, I can actually write my own custom shellcode. One thing about EMET is EMET will pwn most malware right out of the gate, because the reason is a lot of them actually depend on using return-to-jump functions, as well as calling into,

they call gadgets from other processes that are listed as critically protected on the export table. So by default EMET can stop those autonomously, but Jared figured out if he custom hand-writes some things, basically pulls stuff that's out there, he can get by it. Next. And that's basically explaining the same thing. Jared just assumed that the attacker has control, right, of their trigger; you're going to be using [inaudible]. Jared was not actually, and he basically said, okay, I know it's a legitimate instance it has running in it, and I know that it has memory protection, so I don't have to do that research. Hackers don't either, right? So as

defensive people we need to be understanding a little bit about what vulnerabilities are out there right now, actively, for the software we're deploying. So Jared did exactly that, and knowing that, as an offensive guy he could basically pick it apart, because there's a lot of information on it. And then environmental controls: he wrote his own little tools, basically. Next. All right, so caller checks, we talked about this a little bit: just making sure that it's using legitimate calls, it's not using returns and jumps from all over memory, coming back from all over the place, because obviously organized, proper code normally doesn't do these things,

which Metasploit tends to, obviously, jump all over. Next. And then we talked about LoadLibrary: just make sure that it's not loading in a DLL from somewhere that's already sitting on the heap and saying, hey, I'm here, but I'm not really normally used in this process. Jared was able to find a way to pull in something that you normally do use, to make it look like it's legitimate, and kind of walk right through the gate. Next. And then obviously this is this little cool thing, "you've been boned"; he put that in there basically because he came in second place for the BlueHat challenge to another gentleman. Microsoft didn't actually put Jared's

research into their improvements; they put the other guy's in, and Jared came back in the next version and popped it. All right, so talk about MemProt, SimExecFlow, StackPivot and EAF. Memory protection, we basically talked about that: making sure that certain legitimate calls aren't coming from marked stack pages. Oh, that's only read-only, I'm going to make this read-write; Meterpreter likes to do that, migrating processes and things like that. It's looking for that kind of stuff, basically. And then SimExecFlow is where it's actually flowing in from; it runs a few instructions ahead and says, let me go try this out theoretically, bam, bam, bam, if I call this, push that, do that,

memory, okay, that's safe, it looks like I'm okay. Am I actually going to do a return and jump and just start writing into like a NOP sled on the stack? And then EAF is obviously the export table: these are legitimate, it's okay to export and pull these things out and use them. All right, so in summary, basically, like I said, Jared was able to bypass all the controls using legitimate tools that were Microsoft's. Microsoft returned, basically saying something very important: EMET is not designed to be the be-all end-all process protection solution for you and memory there. What it's designed to do is make hackers have to work harder, to develop more crafty, custom, complex ways

of bypassing these controls and sneaking through the gate. In a nutshell, it was a deterrent, which is a really good tool, so moving forward think of EMET as a deterrent strategy. Next. All right, so then they said try harder. This is OffSec; if you don't know OffSec, Offensive Security. OffSec was like, hey, why don't we try harder, we're just going to go ahead and completely own EMET. Next. So basically OffSec did this really cool thing where OffSec was like, hey, you know what, EMET's running, it's injecting itself just like Meterpreter; we make those cool things in our distribution and we maintain that with the Metasploit project. So how does that work? Well, let's look at legitimate processes.

So, in a nutshell, EMET32, or excuse me, at the time EMET checks itself, wraps itself around this process somewhere in memory, and it's tracking that it's turned on. OffSec was able to find this offset value, because it was statically set by Microsoft: go in there, write the zero out, blank it out, and in a nutshell the global flag is now set that EMET is disabled on this process. So they didn't protect EMET itself: EMET's protections were protecting that process, but EMET.dll at the time wasn't protecting itself from that as well. So that's five, and then along came more. All right, so anyway, we killed the... as I talked about, the global flag was

written; it was read-writable instead of just read-only. So if you wrap yourself and protect it, set it to one, that means EMET is enabled in this process; however, they left that in a place of memory which is also writable, so they said, okay, if we find it, set it to zero and go on by. Next. All right, and then they did a lot more cool stuff, and then in a nutshell, basically, Microsoft said, hey, we're going to go ahead and make that protected, because we're going to encode the offset, it's no longer static, we're going to move it around, and we're going to put a pointer to it that is encoded. Well, OffSec said, okay, why don't you just call Decode

Pointer: we can find the pointer, we can decode it, you see, DecodePointer, which is already included in Windows naturally, and now we know where to go wipe that global flag, and now all over again. All right, and they tried to hide it harder, using another encoding technique. You see, the goal is, here's hide and seek: Microsoft is like, hey, we keep moving things around, oh, you can't find our encoder, we'll find a pointer, okay, we'll encode that again with a CPU ID. OffSec said, okay, fine, why don't we just go ahead and find what EMET uses to find this, the natural processing in it, and use EMET on itself to disable itself, because the

cool thing that, like sysadmins work at, like we talked about earlier, people just like to do this cool thing in EMET called turn off EMET. So what you do in the GUI, what you do at the command line all the time, abusively I'll say, do that in memory. Next. All right, so basically moving forward here, EMET 5.2 didn't really do too much to help that or whatever; they put a little more protections in place, they tried to hide these pointers a little bit more. It worked for a while but not forever; EMET 5.5 came rather quickly after that anyway. Next. All right, so Microsoft didn't really change anything moving forward; they were like, hey, this is it,

you have to be conscious of this, because it's not meant to stop stuff, and people kept thinking that's what it was for. But in a nutshell they tried to hide this pointer again, and another researcher came forward and said, okay, I'm going to find out how you hide it, I'm going to reverse that, and then I'm naturally going to use EMET itself to disable itself through its natural function. All right, so now Michael's going to go ahead and give the EMET demo. Basically he's going to show you a walkthrough; I talked about logically what was going on, Michael's going to give you the actual hands-on here. Okay, so basically, where's the overview? So I'm

going to go through, I'm going to show you what the UI looks like, I'm going to show you what the command line looks like, I'm going to use Meterpreter, or Metasploit, to do a PsExec to the box, I'm going to migrate to a process that's not protected by EMET, and I'm going to protect that process and migrate to it again and show you how EMET actually catches that. And then we'll talk about some of the local GPO stuff, how to add local GPOs to it, and then show you from a command line how you can view some of the protections, because from the GUI you can't see Group Policy

protections; you can only see Group Policy protections from the command line, and we'll go over that. So [Music] switch... can you see that? Yeah? Can everybody see that fine, it's not cut off or anything, is it? No? All right, so this is the main GUI. When you download and install EMET this is what comes up, and there are some default applications that are protected, so like Office suite, Internet Explorer, of course; basically your Microsoft core products. And then they have some profile files that are called, it's called your recommended software, and then popular software, so they added some more things in there for you that'll be protected. The best way to

update those things is to add all the applications that you want to add to the software: just come up here and click on Add Apps, it'll bring up this screen, Add Application; you go through your directory, find whatever applications you want, so you can go to the C drive, go down to Program Files, and let's say you want to protect Google Chrome: Google, here, Chrome, Application, and you click on chrome and it'll plug it in. By default it selects everything except for a few things that may cause an application to crash. If you look at it, I don't know if you can see it up there, but the ones

in bold, those are the ones that are protected by default; anything that's not in bold is things that you added to the software, if that makes sense. All right. John went over all these protections, so you can uncheck any one of these if you wanted to. DEP is one of the ones that you can uncheck; that's enforced by Windows 7 by default, it's system-wide, you can't change that. But you can just go through and uncheck different ones if you don't want to protect those. So what this means is, if you add an application, or you have an application that's crashing and you believe it's EMET because it didn't

start crashing until you installed EMET: go through and uncheck each protection one by one until you find the one that's causing an issue, and then re-enable the other ones. That way you're not disabling everything. Okay. If you want to change the default profiles, it's right under here: just click on Custom Security, Maximum or Recommended, and these files are in the EMET directory. So if you navigate to the EMET directory, Program Files, EMET, if you go to Deployment you've got your Group Policy files and you've got your protection files. These are your default files that come with EMET. All right, what you need to do with your Group Policy files: you copy these files

into your Windows PolicyDefinitions, and then under the PolicyDefinitions you have your English US folder, and I'll show you that in a second. So that's your basic UI. Down at the bottom you have these green check marks that let you know what processes are protected by EMET: if you see the green check, that means EMET is protecting that process; if there's no check there, that means EMET's not protecting it. All right, it's basically EMET's version of your task list. So what we talked about earlier was anything that's being applied by Group Policy you cannot see from this GUI. So when you go to

your Apps, right, this is basically what's protected by EMET right now; you will not find anything protected by Group Policy in this list. So if you're a sysadmin, or you're responsible for configuring EMET in an enterprise environment, and you're wondering why all the applications that you spent two or three hours configuring aren't showing up on your client systems, that's why: you have to actually go to the command line and view it from there. And from the command line, we'll just jump there: you type EMET_Conf, you have to go from the directory, or if you configure the environment you can run it from anywhere, and --list, you press Enter and it'll give you your entire list

along with your GPO configured programs. So I went ahead and already configured these ahead of time, and that's why you see those two there; by default, obviously, there would be nothing there. If you're on a local computer and you want to modify your local GPO, obviously gpedit.msc, you'll pull up your editor, and you come into Application Configuration. You can see it's already enabled because I added those two; come down to... so obviously it'll be Not Configured when you initially start it up. Go to Enabled, click on Show, and then in the Value Name section you put the path, so you can put, you know, C:

Programs, whatever you want to put, or you can use a regular expression, you can say *\ whatever. It's easier just to use *\ and then the name of the process, because you might have a typo in the path that you type in, or that application might be installed somewhere that's non-standard. The other thing is, and that's kind of a downfall to EMET, it works off the path that you give it, a binary name. So if you protect notepad or you protect chrome and somebody changes the name of chrome, it's not going to be protected. For some reason they don't use hashes of the binaries

that are in Windows or applications that are well known um which I think is something they probably should do for at least for the core Windows um like system 32 uh binaries right those should be at least checked by hash and not just by the path name or the name of the binary so anything over on value is what protections you want to enable or disable so you can do Dash basically you can read everything on the left hand side so down here it gives you exactly what you need to configure that all right so we'll move on from there uh if you want to verify that a process is being protected I use process

Hacker; some of you probably use Sysinternals Process Explorer, you can do the same thing, I just prefer Process Hacker. A cool thing about Process Hacker is if somebody creates a service on your box or does nasty things, Process Hacker will give you an alert that a service got created or a service got deleted. So that's kind of why I like using it, and there are some other things that it does that Process Explorer doesn't do. So we'll check and see what processes we have protected. We said we can come to the main screen and look at it here, or we can do it from the console, and so we

see we have cmd.exe protected. We also saw that on the command line; where is that in there? It's not in there, so let's add one. It's the third one from the top, okay. Yeah, so it's protected, it's got all the default protections. So let's see where that DLL is; let's find cmd.exe. Here it is; you go to Properties, and Process Hacker probably won't show it in Modules. Let's do Notepad, that'd be a whole lot easier. I think Notepad is not... Notepad++. All right, so Notepad++, where is it at? I don't see it. Oh, not running. Up there it is, yeah,

that would be a reason. All right, so if you do have the process running, click on Properties, go to Modules, and you can see it right there: EMET.dll. So any process that you add to EMET, if you want to verify that it's actually protecting that process, you can come in here and check it out that way. There's also another tool in Sysinternals called ListDLLs, or List Modules I think it's called, that'll show you all the DLLs that are there. If you happen to run it and you don't see that DLL in there, it's probably because that process was already running; you're going to have to restart

the process; that way you can add that protection. So if you add the binary to EMET while it's still running, it won't protect it; you have to restart that process. Okay, all right, so that's how you can verify it's running. If it's a 64-bit process, same thing, you'll see EMET64.dll, only in EMET 5.0, the current version of EMET. All right, so now I'm going to show you a process that's not protected. I'm going to go to my other screen; I'm already connected, and let's see, I might have to recreate the session. So I'm just using PsExec, nothing fancy, it's a standard tool, I'm just

using Metasploit to do it. If you PsExec to a box, EMET will not detect that, right? It doesn't detect SQL injection, it doesn't detect you clicking on a binary that gives somebody a reverse shell; it detects things that are happening in memory to a process. All right, so, problem; let's see, we're already there, so let's find a process that's not being protected. Let's see, or we can even create one.

Let's see, so, kill paint, kill paint.

Yeah, all right, so we'll run mspaint again and we'll double check that it's not being protected by EMET. And by the way, if I want to do that from the command line, I would just do EMET_Conf --delete and then the path to mspaint, or I'll just do, you know, wildcard, *\mspaint, same thing. You can delete everything, delete all. Another thing to note: you can't delete an app from the command line that's a Group Policy enabled application. So Discord and Notepad++ were added via Group Policy; you can't, from the command line, disable

that; you have to use Group Policy to remove that. So that might be a consideration for using Group Policy versus just using the GUI. So anyway, I already removed that, we've got Paint running, and we're going to use Process Hacker to see if it's actually disabled. So we've got mspaint here, Properties, go to our Modules, it's alphabetical, so we've got EMET64 in there, so it's still protecting that. Did I click the right thing? This paint? Yep, it's mspaint. Make sure I actually did turn it off... oh, had to do, okay, refresh. Let's close

it and launch that. All right, so let's see the PID for that mspaint; so we've got 6012 as the PID. We'll

migrate, and if it's any binary or process that's protected by EMET, it'll pop up a little notification saying EAF protection detected, or whatever protection stopped it, mitigated, and it will basically terminate the process. So we can see we migrated successfully to that process, 6012; nothing happened, right? We can still move around, we can still do stuff, I can drop to a shell if I need to. EMET's not triggering anything right now; this user has no clue that somebody is on that box. All right, so now I'm going to turn the protection on while Paint is still running and show you that

it still doesn't protect it or detect that somebody's in that process. So we'll do it from the command line, just to show you that you can do it from the command line, for those of you that like the command line. So the command is --set, not --add, and then you can just do, you know, *\mspaint. All right, do I have mspaint already in there? Yeah, mspaint's already in there.

All right, let's do Notepad, I don't think Notepad's in there, regular

Notepad. All right, so when you add an application to EMET it'll give you this little statement right here saying that you may need to restart it, which is what I talked about earlier: if you don't restart it, it's not protected. So we had Notepad running, we'll close

it and run it again. Oh, I didn't want that to run; I've got mine set up so when I run Notepad it runs Notepad++. All right, so we've got that running. Now when we come back over here we'll see what PID that is for Notepad, and we've got

5716. Oh, let's get out of the shell first, that might

help. All right, so while it's migrating you see EMET just detected EAF: "EMET detected EAF mitigation and will close the application notepad.exe." So that's what happens when you use Meterpreter to migrate to another process that's protected by EMET. You'll get that notification, it'll terminate the process, and the person's Meterpreter shell will crash. So it's still trying to migrate, but eventually it'll crash, my session will die, and life goes on. All right, on this end several things happen. If you go to your event log, you'll see EMET will log it, so if you're doing remote logging this will get captured if they wipe the logs,

and anything that EMET triggers on will say EMET in it, so you can filter your logs for everything that says EMET, and it'll tell you exactly which process triggered. So if you look down here you've got System32\mspaint; before that, it'll tell you that it was enabled, so this is when I added it. It'll give you all your default protections, everything that's enabled, so it's pretty detailed information for anything that you need to do for protections. Any questions so far? All right, so like I said, you have your Group Policy, your local Group Policy; these are all your configurations. You only get these settings once you

copy those files I showed you into, and I'll show you the directory. So you take these files that are in your Deployment folder, so you go to Deployment, Group Policy, you copy each one of these, and then you go down to your Windows directory, Windows, and then you need to go to PolicyDefinitions. So the .admx file goes in here, and then the other file goes into this directory, and then when you open up your local Group Policy editor these configuration settings will be available. It'll be under Windows Components, EMET, or you can do a search and look for everything that's EMET. All right, that's pretty much it, so that goes into our recommendations.

Yeah, we moved a little bit fast, but in essence Michael went in there and did what attackers commonly do: they tried to attack it with an automated exploit tool such as Metasploit, using something like Kali Linux. So as you noticed, before Michael enabled it you couldn't see anything, right? Everything's moving around, things are migrating. Just like that, though, using EMET configured correctly, pushed out, fully managed, we were able to see that the Export Address Table mitigation kicked in, there was an event log entry that was thrown, and obviously it terminated that process to protect it. Okay, I've got one more thing. So this is the XML file for the

recommended software that EMET comes with by default; so you have your Office suite, that's pretty much what it looks like. And then if you want to create your own custom file, let's say you have an enterprise and you don't want to use Group Policy for some reason and you just want to create a custom profile, this is what it looks like. You wouldn't do this by hand; you're not going to just hack away at it in Notepad. You go to the application, you add every application you want on a test box, and then you export that. So if you go to EMET, there's a feature to export the current configuration, and then you take

that file and maybe you set up a share and have every other box pull from that share, or however you want to distribute that XML file. So that's also another option: you can do Group Policy, you can manually configure every single application, or you can create a profile box and then export that and utilize that. Question?

So it's not any more protected than anything else in the Program Files directories? Okay, so for instance, if I wanted to attack it, I'd just attack the configuration file itself and corrupt the configuration file; would that corrupt it? So it reads the configuration file once it runs, and it doesn't keep rereading that file unless you, you know, restart.

Yeah, so that's kind of... methodology-wise, yeah, I'm sure that would have an impact, but that is a static file, it's flat, it's not a protected process. Yeah, but if you're pushing it out through Group Policy then you'd have to, just like anything else... Well, EMET runs as the user that's on that system; it doesn't run as SYSTEM or any other user, it runs as that user. That's the problem with a lot of these applications: if they run in the same user space, malware runs in the same user space, they're both competing, and obviously running EMET in kernel space is not a good idea. So those are the problems we have right now,

which is going to lead into some of the recommendations that we have later. Question? ...do you know the reason why? In my experience, most Microsoft...

I didn't hear the question, I'm sorry, speak up please. In my experience, the Microsoft Office products are mostly the ones being blocked; do you know why that is? It's usually like the EAF+ category; I'm having to go on down and just blow them all away. Which version are you running? Yeah, so they do admit that there are problems and conflicts, and that's why some things are off by default, but the current version should fix a lot of those problems. Are you running the current version? I mean, yeah, like which version are you running? Yeah, because they just updated; there's a patch that is 5.51 now. How long ago was that?

I don't remember the exact date, but I know there was a recent one, 5.51. Okay, so try that one, see if you have any problems, or just disable EAF. So it's not an end-all be-all; there are just different layers that the attacker has to go through, and having EMET is just going to be way better than not having anything else. And like I said, if EAF is giving you that problem, just disable one of those columns. That's the Microsoft recommended way: if you have an application that's in conflict with EMET, one by one disable them and see which one

causes the problem, then just keep that one off and keep everything else

on. Questions? Yeah, so just real quick, basically we were going to talk about throwing up some bullets or research, looking at ways to basically help out. Michael already said earlier, doing hash-based instead of path-based control schemes, so we don't want to automatically protect with EMET based on just the relative path or the native path; maybe we should look at doing a little more advanced things, pinning it. And then an extensive list of commonly exploited applications would be really cool; MSRC has some community group trying to do this as well, kind of like crowdsourcing that. And then control flow, excuse me, control flow technology, shadow stack; it's really cool, get looking into this.

The other night, what was said was awesome; you're local, check it out. They had a talk that came through and talked about the new Intel extensions and how they're going to use things working at the hardware level to protect, you know, the memory obviously, and then Device Guard and Credential Guard based protections. Anybody heard of shadow stack? All right, so, good. Yeah, so we're going to wrap it up. Any questions after this, Michael and I will be available as well, and you can catch us and we'll talk more about it. So hopefully we did accomplish the objective today, which is basically to help understand that it's not perfect, it's not an end-all be-all at

this time; it definitely has a lot of work that it's going under right now. As we said, there's a bug someone contributed to that, so look into it, learn it, and the better you use it properly, the more effective it'll be for playing this hide-and-seek game we're continuing to go through. It looks like we'll go into questions real quick. I've got some giveaways on behalf of our guests and our great sponsors. Real quick, Southards donated some lock picks to the event. What is the current running version of EMET? Oh wow, okay, quick hands, you guys are fast. No, 5.51, okay, awesome. And then, okay,

who was the last researcher that came in? Okay, that was really quick. What's his name? Yes, Jason. No, next, last name, okay.

Let's see, what's the name of the command line tool to configure EMET? You already answered one, come on, be good. Let's see, what's the name of the protection that EMET mitigated when I migrated from one process to the other? Yeah, yeah, you got it, okay, good job. So the last two prizes, real quick, for the sponsors as well, for donating, thankfully; we had a LAN USB adapter as well as a LAN Turtle. So good job everyone. Time; Bill, yeah; thanks guys.
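Two of the checks the speakers walk through in the demo, looking in a running process's module list for the EMET DLL and filtering the event log for entries from EMET, as an added PowerShell example that is not the speakers' own tooling. It assumes EMET 5.x injects EMET.dll into 32-bit and EMET64.dll into 64-bit processes, and that EMET writes its events to the Application log under the source name "EMET"; the process names in the usage lines are the ones used in the demo.

```powershell
# Added example, not from the talk. Assumptions: EMET 5.x injects EMET.dll into
# 32-bit and EMET64.dll into 64-bit processes, and logs to the Application log
# with the source name "EMET". Run from an elevated prompt so the module lists
# of processes in other sessions are readable.

function Get-EmetProtectedProcess {
    # Report, for each matching process, whether the EMET mitigation DLL is loaded.
    # A process started before its rule was added shows Protected = $false until
    # it is restarted, which is the case the demo shows with mspaint.
    param([string[]]$Name = '*')
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $emetModule = $null
        $note = ''
        try {
            $emetModule = $proc.Modules |
                Where-Object { $_.ModuleName -match '^EMET(64)?\.dll$' } |
                Select-Object -First 1
        } catch {
            # Module enumeration fails for protected or foreign-session processes;
            # report that rather than silently claiming the process is unprotected.
            $note = 'module list not readable'
        }
        $moduleName = if ($emetModule) { $emetModule.ModuleName } else { $null }
        [pscustomobject]@{
            Name      = $proc.ProcessName
            Id        = $proc.Id
            Protected = [bool]$emetModule
            Module    = $moduleName
            Note      = $note
        }
    }
}

function Get-EmetEvent {
    # Pull EMET's own events (mitigation hits such as EAF, plus configuration
    # changes when rules are added) from the Application log for the last N hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'EMET'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: the processes from the demo, then anything EMET logged in the last day.
Get-EmetProtectedProcess -Name 'notepad', 'notepad++', 'mspaint', 'cmd' | Format-Table -AutoSize
Get-EmetEvent -Hours 24 | Format-Table -AutoSize
```

The module check answers the same question as the green check marks or Process Hacker's Modules tab, but for many processes at once, and the Note column distinguishes "EMET.dll is not loaded" from "this process could not be inspected". The event query is the command-line form of the filter-for-EMET step; on a host that forwards its Application log, the same ProviderName filter applies on the collector.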