[rkhunter]

v.4.1 Update 1 (Release) [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41138

v.5.0 Technical Preview [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41963

Inside EMET 4.0 by MSRC (Elias Bachaalany)
http://recon.cx/2013/slides/Recon2013-E ... ET%204.pdf

EMET 4.1 Uncovered by Dabbadoo
http://0xdabbad00.com/wp-content/upload ... overed.pdf

Bypassing EMET v.4.1 by Bromium Labs
http://bromiumlabs.files.wordpress.com/ ... et-4-1.pdf

Announcing EMET 5.0 Technical Preview by MSRC
http://blogs.technet.com/b/srd/archive/ ... eview.aspx

EMET 4.0's Certificate Trust Feature by MSRC
http://blogs.technet.com/b/srd/archive/ ... ature.aspx

EMET, preventing the exploitation and unobvious settings [RU] by ESET Russia
http://habrahabr.ru/company/eset/blog/221129/

Exploits in targeted attacks vs. EMET in 2013 by Andreas Lindh
https://twitter.com/addelindh/status/464761124173668352

EMET vs. CVE-2014-1776 by MSRC
http://blogs.technet.com/b/srd/archive/ ... -0day.aspx

[rkhunter]

EMET v5 released

http://blogs.technet.com/b/msrc/archive ... t-5-0.aspx

[rkhunter]

EMET 5.2 is available

http://blogs.technet.com/b/srd/archive/ ... lable.aspx

[rkhunter]

Defeating EMET 5.2

http://casual-scrutiny.blogspot.ru/2015 ... chive.html

[spqr]

If the OS is CFG-aware, the disarming technique described above is equally applicable or you need a further step?

[Juggl3r]

Hello,
you can find my research to the topic at:
https://www.youtube.com/watch?v=_OM88DTs56k
Slides:
https://prezi.com/sz34ptcpz0vn/

When EMET 5.2 was released I had a very quick look at it. Basically all my exploits worked without any modifications.
The only think which should change stuff is CFG. Only EMET.dll (which gets injected into all protected applications) is now compiled with CFG support.
That means that indirect calls are now checked. E.g. if we have "call eax" eax will be verified to point a whitelisted location.
However, I didn't had an in-depth look at the stuff because everything worked without a modification.
In my slides I mention that I'm using a "call eax" gadget to bypass caller/simexec flow from EMET.dll. This ensures maximum reliability but the address must be specified for all EMET versions.
You can also use a "call eax" from the application itself instead (e.g. mozjs.dll in my case of firefox). Since I'm using the "call eax" from firefox and not from the protected EMET.dll file CFG will change nothing.
That's why my exploit still works (I only had to modify the code which finds the start of EMET.dll which was 1 LoC).

So from my point of view there is no additional security, you just have to use the "call r32" from the app instead.

[rkhunter]

Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available (2 feb, 2016)

[+] Windows 10 compatibility
[+] Improved configuration of various mitigations via GPO
[+] Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
[+] EAF/EAF+ pseudo-mitigation performance improvements
[+] Support for untrusted fonts mitigation in Windows 10

https://blogs.technet.microsoft.com/srd ... available/
Download: https://www.microsoft.com/en-us/downloa ... x?id=50766

[rkhunter]

Using EMET to disable EMET

https://www.fireeye.com/blog/threat-res ... isabl.html

[rkhunter]

Diving into EMET

https://www.insinuator.net/2016/09/diving-into-emet/

[rootw0rm]

https://breakingmalware.com/injection-t ... processes/