Threat Mitigation with EMET 4.0
Published: June 24, 2013
Author: Gerardo Di Giacomo, Security Program Manager, MSRC Software Security Incident Response
In June, we released version 4.0 of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), which you can download from
Let’s dig into the details for each feature so you can see how to best utilize EMET 4.0 as part of your overall security toolbox.
Certificate Trust
The Certificate Trust feature allows you to configure a set of SSL certificate pinning rules to validate digitally signed certificates (SSL/TLS certificates) while browsing. This feature has been introduced to detect man-in-the-middle attacks that leverage fraudulent SSL/TLS certificates. It allows you to configure a set of rules that match specific domains (through their SSL/TLS certificates) with the corresponding known Root Certificate Authority (Root CA) that issued the certificate. When EMET detects a change in the issuing Root CA for the SSL certificate configured for a domain, it reports this anomaly as an indicator of a potential man-in-the-middle attack. EMET 4.0 also comes with a pre-defined set of rules that aim to detect man-in-the-middle attacks against Microsoft and other popular online services, such as Twitter, Facebook, and Yahoo!.
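To make the pinning logic concrete, here is an added example (not EMET's own code and not its rule format) that models a Certificate Trust rule as "domain -> set of allowed Root CA thumbprints" and evaluates an observed certificate chain against it. Certificates, subject names and DER bytes are constructed stand-ins; the SHA-1 of the sample bytes plays the role of the Windows thumbprint. Only the root of the chain is compared, as the post describes; hostname and expiry checks are left to the normal TLS validation that runs anyway.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for a parsed X.509 certificate. A real implementation
# would parse DER; here `der` is just sample bytes used to derive a thumbprint.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes

    def thumbprint(self) -> str:
        """SHA-1 thumbprint, upper-case hex, as the Windows certificate UI shows it."""
        return hashlib.sha1(self.der).hexdigest().upper()

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

# Hypothetical rule structure: pinned domain -> thumbprints of the Root CAs
# allowed to anchor the chain that domain presents.
Rules = Dict[str, FrozenSet[str]]

def build_rules(pins: Dict[str, List[Cert]]) -> Rules:
    """Turn {domain: [trusted root certs]} into {domain: {root thumbprints}}."""
    rules: Rules = {}
    for domain, roots in pins.items():
        for root in roots:
            if not root.is_self_signed():
                raise ValueError(f"pin for {domain} is not a root CA: {root.subject}")
        rules[domain.lower()] = frozenset(r.thumbprint() for r in roots)
    return rules

def chain_root(chain: List[Cert]) -> Cert:
    """Walk leaf -> issuer links and return the self-signed certificate on top."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"broken chain: {child.subject} not issued by {parent.subject}")
    root = chain[-1]
    if not root.is_self_signed():
        raise ValueError("chain does not terminate in a self-signed root")
    return root

def check_pin(domain: str, chain: List[Cert], rules: Rules) -> Tuple[str, Optional[str]]:
    """
    Evaluate one observed chain against the pinning rules.
    Returns (verdict, observed_root_thumbprint):
      'no-rule'  - the domain is not pinned, so there is nothing to compare against
      'ok'       - the chain is anchored by one of the pinned roots
      'mismatch' - a different root issued this chain: indicator of a possible MITM
    """
    allowed = rules.get(domain.lower())
    if allowed is None:
        return "no-rule", None
    observed = chain_root(chain).thumbprint()
    return ("ok" if observed in allowed else "mismatch"), observed

# Constructed sample material (names and bytes are made up for this example).
TRUSTED_ROOT = Cert("CN=Example Trusted Root CA", "CN=Example Trusted Root CA", b"example-trusted-root-v1")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Trusted Root CA", b"example-issuing-ca-v1")
LEAF = Cert("CN=login.example.test", "CN=Example Issuing CA", b"leaf-login-example-test")
# A different root anchoring a certificate for the same name: exactly the
# variation the Certificate Trust feature is meant to flag.
OTHER_ROOT = Cert("CN=Unexpected Root CA", "CN=Unexpected Root CA", b"unexpected-root-v1")
OTHER_LEAF = Cert("CN=login.example.test", "CN=Unexpected Root CA", b"unexpected-leaf-login-example-test")

RULES = build_rules({"login.example.test": [TRUSTED_ROOT]})

def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the three cases an administrator would expect to see."""
    return {
        "genuine": check_pin("login.example.test", [LEAF, INTERMEDIATE, TRUSTED_ROOT], RULES),
        "intercepted": check_pin("login.example.test", [OTHER_LEAF, OTHER_ROOT], RULES),
        "unpinned": check_pin("other.example.test", [OTHER_LEAF, OTHER_ROOT], RULES),
    }

if __name__ == "__main__":
    for name, (verdict, thumbprint) in demo().items():
        print(f"{name:12s} {verdict:9s} root={thumbprint}")
```

The "mismatch" verdict is the signal to report, not proof of an attack: a legitimate re-issuance under a new Root CA produces the same result, which is why a pinned domain's rule should be reviewed whenever the service is known to have changed certificate providers.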
ROP Mitigations
With EMET 4.0 we introduced new mitigations against the Return Oriented Programming (ROP) exploitation technique. ROP allows an attacker to execute code even when other mitigations, such as Data Execution Prevention (DEP), are in place. Because this technique is widely used in today's exploits, we introduced these new mitigations so you can apply them to your applications and make them more resistant to this type of attack.
Early Warning Program
When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared using the Microsoft Error Reporting (MER) functionality. If you are collecting error reports via tools like the Microsoft Desktop Optimization Pack (MDOP) or the Client Monitoring feature of System Center Operations Manager, these error reports are sent to the dedicated system on your network. You can use this information as an early warning mechanism for attacks detected on your network, and to investigate the details of those attacks. For organizations that typically send all error reports to Microsoft, this information adds to the set of indicators we use to hunt for attacks in the wild, and helps us remediate issues with security updates before vulnerabilities become a large-scale threat.
Audit Mode
When previous versions of EMET detected an exploitation attempt, they would report the attack via the EMET agent and then terminate the program to block the attack. In EMET 4.0, in response to customer feedback, you can configure EMET's behavior when it detects and stops an exploitation attempt. The default option remains to terminate the application. However, if you want to test EMET in a production environment, you can instead switch to "Audit Mode" to report the exploitation attempt without terminating the process. This feature is helpful when you want to monitor potential compatibility issues between EMET and the applications you are protecting.
Redesigned User Interface
With EMET 4.0, we also improved the EMET user interface. Although the changes are not substantial compared with previous versions, the new user interface reduces the amount of effort and the number of clicks needed to configure the different EMET options. The UI also provides accessibility features, in order to allow equal access and equal opportunity to people with diverse abilities.
About the Author
Gerardo Di Giacomo is a Security Program Manager with the Microsoft Security Response Center (MSRC) Software Security Incident Response team. Gerardo is also responsible for the release of the Enhanced Mitigation Experience Toolkit (EMET). Prior to joining Microsoft, Gerardo worked as a security consultant and trainer for Fortune 500 companies and government organizations in Italy, EMEA and Asia.