SANS Internet Storm Center (SANS ISC) InfoSec Forums
VBA Shellcode and Windows 10

I tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016. It's not blocked.

However, it's not stable. The shellcode is executed and the embedded malware is launched (9 times out of 10 successfully), but then the Word process crashes.

To be 100% sure, I made my own PoC Word document that injects shellcode and then starts calculator. This PoC is always successful on Windows 10 without EMET, and doesn't crash the Word process. As expected, when EMET is installed on Windows 10, execution of the shellcode is blocked and calc.exe can't be launched.


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO

DidierStevens

170 Posts
ISC Handler
Thanks for proving what I / we feared to be true, Didier!

I have updated my question for Microsoft at

social.technet.microsoft.com/Forums/security/en-US/ada2d63e-fca5-4714-8934-2f72af8068bb/feature-mapping-emet-vs-windows-10?forum=emet

I hope Microsoft can reverse their decision to retire EMET! I don't mind that they are moving protection into the Windows 10 OS, that makes the OS more robust and helps protect the few (!) that have not found EMET to be useful. EMET could co-exist, and could help visualize the capabilities of both EMET and the operating system combined. The EMET UI has a very useful at-a-glance view of which protections are switched on or off for each application.

I have already mentioned the fact that EMET also provides logging that can be used for event monitoring. And even more important is the fact that EMET protects applications, even legacy applications, that have not been compiled with enhanced protection methods enabled. I believe that business environments will have such applications around for the foreseeable future. Why turn off something that works and provides value (security!)?

Thanks and regards, Tor
dotBATman

59 Posts
In the daily stormcast, which I am sure is a part of everyone's daily routine, the topic of Windows 10 without EMET was raised.

@johullrich pointed us to an excellent visualization of the protections with/without EMET:
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

Thanks!
dotBATman

59 Posts