Using EMET to Disable EMET

by Abdulellah Alsaheel, Raghav Pande Sept. 17, 2017 via www.blackhat.com submitted by belen_caty

EMET was designed to raise the cost of exploit development and not as a "fool proof exploit mitigation solution". Consequently, it is no surprise that attackers who have read/write capabilities within the process space of a protected program can bypass EMET by systematically defeating its mitigations. As long as their address space remains same, a complete defensive solution cannot be used to prevent exploitation. The talk will focus on how easy is it to defeat EMET or any other Agent. How secure is any endpoint exploit prevention/detection solution, which relies on same address space validations and how to defeat them with their own checks or by circumventing and evading their validation. Moreover it will also reflect on, targeted EMET evasion i.e. when the attacker knows EMET is installed on victim machine. These methods applied on EMET can be applied on other enterprise products and were tested on many during our research.

https://www.blackhat.com/us-16/briefings.html#using-emet-to-disable-emet

Avatar
Steven Ulm 1 month ago

Well researched and interesting! I like the title as well :) Thank you for sharing this with us!

Reply