Enhanced Mitigation (EMET) action

This document lists the mitigation options available on the settings screen when you create a new Enhanced Mitigation Action and explains the purpose of each.

To get to the enhanced mitigation settings, do the following steps:

  1. In the Thycotic Security Manager, click the Policies tab.
  2. In the file library in the left pane, navigate to Thycotic solutions > Actions.
  3. Right-click the Actions folder and click New > Enhanced Mitigation (EMET) Action.
  4. In the Create Item dialog box, fill in the Name and Description fields.
  5. Click OK.
  6. In the right pane under Mitigation Options, select the check boxes for the settings you want to activate and clear the check boxes for the settings you want to deactivate.
  7. Click the question mark to the right of each setting for a brief description.

See the following descriptions for more details about the enhanced mitigation settings.

Data Execution Prevention (DEP)

DEP prevents attackers from executing code in areas of memory that are not explicitly marked as executable. DEP is a critical part of the broader set of exploit mitigation technologies developed by Microsoft, such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example, DEP's weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass.

Structured Exception Handler Overwrite Protection (SEHOP)

The SEHOP mitigation technique prevents attackers from making use of the Structured Exception Handler (SEH) overwrite exploitation technique. When the majority of stack-based buffer overflows occur, an attacker will implicitly overwrite the next pointer of an exception registration record prior to overwriting the record’s exception handler function pointer. Because the next pointer is corrupted, the integrity of the exception handler chain is broken. This insight, in combination with ASLR, is what allows SEHOP to effectively mitigate SEH overwrites. (For more information about SEHOP, go to the Microsoft TechNet Blogs at http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx.)
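As an added illustration of the chain check described above (this is not code from Thycotic or from EMET itself), the following C program models how SEHOP walks the exception registration chain before dispatching an exception: each record must sit inside the thread's stack, be pointer-aligned, lie above the previous record, and the walk must end at a known validation record. The record layout, the fake stack, the handler names and the 0x41414141 overwrite value are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a 32-bit exception registration record as it sits on the
   stack: the next-record pointer followed by the handler function pointer.
   An overflow that reaches the handler has to write over next first. */
typedef struct exc_record {
    struct exc_record *next;
    void (*handler)(void);
} exc_record_t;

/* The real chain ends in 0xFFFFFFFF; SEHOP inserts a validation record
   whose handler is ntdll's FinalExceptionHandler just before that end. */
#define CHAIN_END ((exc_record_t *)(uintptr_t)-1)

static void final_handler(void) {}  /* stands in for FinalExceptionHandler */
static void app_handler(void) {}    /* an ordinary application handler */

/* Walk the chain the way SEHOP does: every record must lie inside the
   thread's stack, be pointer-aligned and sit at a higher address than the
   previous one, and the walk must reach the validation record. A corrupted
   next pointer fails one of these checks before any handler runs. */
bool sehop_chain_is_intact(const exc_record_t *head, uintptr_t stack_lo,
                           uintptr_t stack_hi, void (*final)(void))
{
    const exc_record_t *cur = head, *last = NULL;
    unsigned hops = 0;

    while (cur != CHAIN_END) {
        uintptr_t addr = (uintptr_t)cur;
        if (addr < stack_lo || addr + sizeof *cur > stack_hi) return false;
        if (addr % sizeof(void *) != 0) return false;
        if (last != NULL && addr <= (uintptr_t)last) return false;
        if (++hops > 64) return false;        /* guard against loops */
        last = cur;
        cur = cur->next;                      /* only dereferenced once validated */
    }
    return last != NULL && last->handler == final;
}

/* Constructed stack layout: lower addresses first, as on a real stack. */
typedef struct {
    unsigned char local_buf[64];   /* overflowable buffer in the innermost frame */
    exc_record_t inner;            /* innermost registration record */
    unsigned char caller_frame[32];
    exc_record_t validation;       /* SEHOP validation record at the chain end */
} fake_stack_t;

static void build_chain(fake_stack_t *s)
{
    s->validation.next = CHAIN_END;
    s->validation.handler = final_handler;
    s->inner.next = &s->validation;
    s->inner.handler = app_handler;
}

static bool check(fake_stack_t *s)
{
    uintptr_t lo = (uintptr_t)s, hi = lo + sizeof *s;
    return sehop_chain_is_intact(&s->inner, lo, hi, final_handler);
}

/* Untouched chain: the walk reaches the validation record. */
bool demo_intact(void)
{
    fake_stack_t s; build_chain(&s);
    return check(&s);
}

/* Classic SEH overwrite: an overflow out of local_buf runs through inner.next
   (now 0x41414141, outside the stack) before it reaches inner.handler. */
bool demo_overwritten(void)
{
    fake_stack_t s; build_chain(&s);
    s.inner.next = (exc_record_t *)(uintptr_t)0x41414141u;
    s.inner.handler = (void (*)(void))(uintptr_t)0x42424242u;
    return check(&s);
}

/* A next pointer that stays inside the stack but points back at its own
   record is also rejected: records must ascend toward the stack base. */
bool demo_self_loop(void)
{
    fake_stack_t s; build_chain(&s);
    s.inner.next = &s.inner;
    return check(&s);
}

int main(void)
{
    printf("intact: %d  overwritten: %d  self-loop: %d\n",
           demo_intact(), demo_overwritten(), demo_self_loop());
    return 0;
}
```

The validation record is what ties the check to ASLR: its address and the final handler's address are randomized per process, so an attacker overwriting next has to guess them to keep the walk succeeding.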

Null Page Protection (NullPage)

NullPage pre-allocates the null page to prevent exploits from using it for malicious purposes. Note that this is a pseudo mitigation designed to break current exploit techniques; it is not designed to break future exploits.

Heap Spray Protection (HeapSpray)

HeapSpray pre-allocates areas of memory that attackers commonly use to place malicious code. Exploits that rely on controlling these areas of memory (and then jumping into them) will fail. Note that this is a pseudo mitigation designed to break current exploit techniques; it is not designed to break future exploits.

Export Address Table Filtering (EAF)

EAF regulates access to the Export Address Table (EAT), allowing or disallowing read/write access depending on whether the calling code originates from shellcode. With EMET in place, most of today's shellcode is blocked when it tries to look up the APIs needed for its payload. In addition, EMET tries to prevent attempts by shellcode and ROP gadgets to clear the hardware breakpoints used for this mitigation.

Export Address Table Filtering Plus (EAF+) 

EAF+ mitigation blocks read attempts to export and import table addresses originating from modules commonly used to probe memory during the exploitation of memory corruption vulnerabilities. EAF+ is an extension of EAF that can be used independently or in combination with EAF itself.

Mandatory Address Space Layout Randomization (MandatoryASLR)

MandatoryASLR randomizes the location where modules are loaded in memory, limiting the ability of attackers to point to predetermined memory addresses. Modules are forced to load at randomized addresses in a target process regardless of the flags they were compiled with, so that exploits using ROP and relying on predictable mappings will fail.

Bottom-Up Address Space Layout Randomization (BottomUpASLR)

BottomUpASLR improves the Mandatory ASLR mitigation by randomizing the base address of bottom-up allocations (including heaps, stacks, and other memory allocations).

Return Oriented Programming (ROP) Mitigations

When a mitigation like DEP is in place, attackers turn to the ROP exploitation technique, which executes snippets of code already present in the memory of the attacked application. The Enhanced Mitigation settings include several experimental ROP mitigations meant to block ROP exploitation.

Load Library Protection (LoadLib)

LoadLib is a ROP mitigation technique that stops the loading of modules from UNC paths, which is a common technique in Return Oriented Programming (ROP) attacks.

ROP Caller Check (Caller)

Caller checks are ROP mitigation techniques that stop the execution of critical functions if they are reached via a RET instruction instead of a CALL instruction, which is a common technique in ROP attacks. 

ROP Simulate Exec Flow (SimExecFlow)

SimExecFlow is a ROP mitigation technique that reproduces the execution flow after the return address, trying to detect Return Oriented Programming (ROP) attacks.

Stack Pivot (StackPivot)

StackPivot is a ROP mitigation technique that checks whether the stack pointer has been changed to point to attacker-controlled memory areas, which is a common technique in ROP attacks. StackPivot also validates the stack register present in the context structure of certain APIs.
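The Caller and StackPivot checks above are easiest to understand as small decision functions run at the entry of a critical API. The C program below is an added example (not Thycotic's or EMET's own code) that models both: `reached_by_call` decodes the bytes just before a return address to decide whether the function was entered through an x86 CALL (relative `E8` or indirect `FF /2`) rather than reached by a RET, and `stack_pointer_valid` checks that the stack pointer still lies within the thread's stack limits. The code snapshots, offsets and stack bounds are constructed for the demonstration, and the decoder is deliberately simplified (it omits the SIB no-base special case).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of an indirect CALL (opcode FF /2) derived from its ModRM byte.
   Covers call reg, [reg], [reg+disp8], [reg+disp32] and [disp32] plus a
   SIB byte; the SIB-with-no-base form is left out of this simplified decoder. */
static size_t indirect_call_len(uint8_t modrm)
{
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;                            /* opcode + ModRM */
    if (mod == 3) return len;                  /* call reg */
    if (rm == 4) len += 1;                     /* SIB byte present */
    if (mod == 0 && rm == 5) len += 4;         /* [disp32] */
    else if (mod == 1) len += 1;               /* [reg+disp8] */
    else if (mod == 2) len += 4;               /* [reg+disp32] */
    return len;
}

/* Caller check: was the critical function at func_off entered through a CALL?
   code is a snapshot of the caller's bytes and ret_off the return address
   taken from the stack. A CALL instruction must end exactly at ret_off; for
   the relative form its target must also be the protected function. A gadget
   chain that RETs into the function leaves no such instruction behind. */
bool reached_by_call(const uint8_t *code, size_t ret_off, size_t func_off)
{
    /* E8 rel32: near relative call, target = address after the call + rel32 */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) {
        uint32_t raw = (uint32_t)code[ret_off - 4]
                     | (uint32_t)code[ret_off - 3] << 8
                     | (uint32_t)code[ret_off - 2] << 16
                     | (uint32_t)code[ret_off - 1] << 24;
        int32_t rel = (int32_t)raw;
        if ((int64_t)ret_off + rel == (int64_t)func_off) return true;
    }
    /* FF /2: indirect call through a register or memory operand; the target
       cannot be recovered statically, so only the encoding is verified */
    for (size_t len = 2; len <= 7; len++) {
        if (ret_off < len) break;
        const uint8_t *p = code + ret_off - len;
        if (p[0] == 0xFF && ((p[1] >> 3) & 7) == 2 && indirect_call_len(p[1]) == len)
            return true;
    }
    return false;
}

/* Stack pivot check: the stack pointer observed at a critical function must
   lie within the thread's own stack [limit, base); a pivot into a heap
   buffer moves it outside that range. */
bool stack_pointer_valid(uintptr_t sp, uintptr_t stack_limit, uintptr_t stack_base)
{
    return sp >= stack_limit && sp < stack_base;
}

/* Constructed code snapshots (not real program bytes): the protected
   function sits at offset 12 and the return address is offset 6. */
enum { FUNC_OFF = 12, RET_OFF = 6 };

/* nop; call +6 (E8 06 00 00 00) ending at 6, so the target is 12: accepted */
bool demo_relative_call(void)
{
    const uint8_t code[16] = {0x90, 0xE8, 0x06, 0, 0, 0, 0x90, 0x90,
                              0x90, 0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90};
    return reached_by_call(code, RET_OFF, FUNC_OFF);
}

/* call eax (FF D0) ending at 6: accepted as a well-formed indirect call */
bool demo_indirect_call(void)
{
    const uint8_t code[16] = {0x90, 0x90, 0x90, 0x90, 0xFF, 0xD0, 0x90, 0x90,
                              0x90, 0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90};
    return reached_by_call(code, RET_OFF, FUNC_OFF);
}

/* relative call whose target (6 + 0x14 = 26) is not the function: rejected */
bool demo_wrong_target(void)
{
    const uint8_t code[16] = {0x90, 0xE8, 0x14, 0, 0, 0, 0x90, 0x90,
                              0x90, 0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90};
    return reached_by_call(code, RET_OFF, FUNC_OFF);
}

/* bytes before the "return address" are pop/ret sequences, not a CALL: rejected */
bool demo_reached_by_ret(void)
{
    const uint8_t code[16] = {0x58, 0xC3, 0x5B, 0xC3, 0x59, 0xC3, 0x90, 0x90,
                              0x90, 0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90};
    return reached_by_call(code, RET_OFF, FUNC_OFF);
}

int main(void)
{
    printf("rel: %d ind: %d wrong: %d ret: %d pivot-ok: %d pivoted: %d\n",
           demo_relative_call(), demo_indirect_call(), demo_wrong_target(),
           demo_reached_by_ret(), stack_pointer_valid(0x7ff0, 0x7000, 0x8000),
           stack_pointer_valid(0x20000, 0x7000, 0x8000));
    return 0;
}
```

Both checks are heuristics, which is why the page calls these ROP mitigations experimental: the caller check cannot verify the target of an indirect call, and a pivot back onto the real stack passes the bounds test, so they are meant to be layered with DEP and ASLR rather than relied on alone.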

Attack Surface Reduction (ASR)

ASR prevents defined modules from being loaded in the address space of a protected process. For example, you can prevent Microsoft Word from loading the Adobe Flash plugin.

http://www.microsoft.com/emet
