Home

Awesome

MitigationFlagsCliTool

Prints mitigation policy information for processes in a dump file.

Usage

-d [dump file] - specify dump file
-l - query current machine (must run elevated)
-k [target machine information] - live kernel debugging (Example: -k net:port:50000,key:1.1.1.1,target:1.2.3.4)
-e - Only print enabled mitigations for process
-m [mitigation,mitigation,...] - Only print processes where any of the requested mitigations are enabled
-ma [mitigation,mitigation,...] - Only print processes where all of the requested mitigations are enabled

Usage example:

MitigationFlagsCliTool.exe -d c:\temp\live3.dmp -ma DisallowWin32kSystemCalls -e

Will show all processes that have the DisallowWin32kSystemCalls mitigation enabled:

Current process name: MsMpEngCP.exe, pid: 2352
        Mitigation Flags:
                ControlFlowGuardEnabled
                DisallowStrippedImages
                ForceRelocateImages
                HighEntropyASLREnabled
                ExtensionPointDisable
                DisallowWin32kSystemCalls
                AuditDisallowWin32kSystemCalls
                DisableNonSystemFonts
                PreferSystem32Images
                ProhibitRemoteImageMap
                ProhibitLowILImageMap
                SignatureMitigationOptIn
Current process name: vmwp.exe, pid: 4388
        Mitigation Flags:
                ControlFlowGuardEnabled
                ControlFlowGuardExportSuppressionEnabled
                ControlFlowGuardStrict
                DisallowStrippedImages
                ForceRelocateImages
                HighEntropyASLREnabled
                ExtensionPointDisable
                DisableDynamicCode
                AuditDisableDynamicCode
                DisallowWin32kSystemCalls
                AuditDisallowWin32kSystemCalls
                DisableNonSystemFonts
                PreferSystem32Images
                ProhibitRemoteImageMap
                ProhibitLowILImageMap
                SignatureMitigationOptIn
Current process name: vmmem, pid: 1948
        Mitigation Flags:
                HighEntropyASLREnabled
                DisallowWin32kSystemCalls
                AuditDisallowWin32kSystemCalls
                PreferSystem32Images
                ProhibitRemoteImageMap
                ProhibitLowILImageMap

Mitigations documentation

Most of the mitigations shown here are documented in some form. Information about a lot of them can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference
And information about how to enable and disable them is here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection
A lot of those mitigations are also explained in detail in the Windows Internals book.

Some sources give us more information about a specific mitigation class and the reasons it was implemeted:

Control Flow Guard (CFG)

Mitigation FLags:

Sources:
https://documents.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
https://docs.microsoft.com/en-us/windows/win32/secbp/pe-metadata#export-suppression

ASLR

Mitigation FLags:

Sources:
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference
https://msrc-blog.microsoft.com/2013/12/11/software-defense-mitigating-common-exploitation-techniques/

Extension Points

Mitigation Flags:

Sources:
https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref

Dynamic Code Guard / Arbitrary Code Guard

Mitigation Flags:

Sources:
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/

Win32k System Call Disable / Filter

Mitigation Flags:

Sources:
https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html

Non System Fonts

Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise

Image Load Blocking

Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference#block-low-integrity-images

Signatures

Mitigation Flags:

Sources:
https://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference#validate-image-dependency-integrity (Here loader integrity continuity is named Image Dependency Integrity)

Module Tampering Protection

Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection

Side Channel

Mitigation Flags:

Sources:
https://software.intel.com/security-software-guidance/deep-dive/deep-dive-indirect-branch-restricted-speculation
https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/

Security Domain Isolation

Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design

Export Address Filtering

Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:

Sources:
https://adsecurity.org/?p=2579

Import Address Filtering

Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference#import-address-filtering-iaf

ROP and Stack Pivot

Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:

Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference#simulate-execution-simexec

Disable Page Combine

Mitigation Flags:

Sources:
https://vulners.com/nessus/SMB_NT_MS16-092.NASL
https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_side_channel_isolation_policy

CET

Mitigation Flags:

Sources:
https://windows-internals.com/cet-on-windows/ (Only documents some of those, as a lot were added very recently)

eXtended Control Flow Guard (XFG)

Mitigation Flags:

Sources:
https://connormcgarr.github.io/examining-xfg/
https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/

Mitigation Flags Statistics

On my local Windows 10 RS5 there are 316 processes running at the time of the check.
Here is the number of processes that enable each mitigation policy:

Mitigation FlagNumber Of ProcessesExamples
ControlFlowGuardEnabled250chrome.exe, svchost.exe, lsass.exe
ControlFlowGuardExportSuppressionEnabled5vmcompute.exe, vmwp.exe, MicrosoftEdgeCP.exe
ControlFlowGuardStrict10svchost.exe, vmcompute.exe, vmwp.exe
DisallowStrippedImages26dllhost.exe, MicrosoftEdge.exe
ForceRelocateImages36dllhost.exe, MicrosoftEdge.exe, fontdrvhost.exe
HighEntropyASLREnabled281vmmem, svchost.exe
StackRandomizationDisabled5BCClipboard.exe, vcpkgsrv.exe
ExtensionPointDisable84chrome.exe, services.exe, svchost.exe
DisableDynamicCode25MicrosoftEdge.exe, chrome.exe, svchost.exe
DisableDynamicCodeAllowOptOut0
DisableDynamicCodeAllowRemoteDowngrade3MicrosoftEdge.exe, MicrosoftEdgeCP.exe
AuditDisableDynamicCode86svchost.exe, fintdrvhost.exe
DisallowWin32kSystemCalls65chrome.exe, vmmem, vmwp.exe
AuditDisallowWin32kSystemCalls61chrome.exe, vmmem, vmwp.exe
EnableFilteredWin32kAPIs4fontdrvhost.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
AuditFilteredWin32kAPIs2MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
DisableNonSystemFonts73chrome.exe, vmwp.exe
AuditNonSystemFontLoading6fontdrvhost.exe, spoolsv.exe
PreferSystem32Images9dllhost.exe, vmmem
ProhibitRemoteImageMap77chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
AuditProhibitRemoteImageMap3fontdrvhost.exe, spoolsv.exe
ProhibitLowILImageMap74chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
AuditProhibitLowILImageMap3fontdrvhost.exe, spoolsv.exe
SignatureMitigationOptIn79chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
AuditBlockNonMicrosoftBinaries86svchost.exe, fontdrvhost.exe
AuditBlockNonMicrosoftBinariesAllowStore0
LoaderIntegrityContinuityEnabled7dllhost.exe, MicrosoftEdgeSH.exe
AuditLoaderIntegrityContinuity7dllhost.exe, MicrosoftEdgeSH.exe
EnableModuleTamperingProtection3MicrosoftEdgeSH.exe, browser_broker.exe, RuntimeBroker.exe
EnableModuleTamperingProtectionNoInherit1browser_broker.exe
RestrictIndirectBranchPrediction64chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe
IsolateSecurityDomain0
EnableExportAddressFilter0
AuditExportAddressFilter0
EnableExportAddressFilterPlus0
AuditExportAddressFilterPlus0
EnableRopStackPivot0
AuditRopStackPivot0
EnableRopCallerCheck0
AuditRopCallerCheck0
EnableRopSimExec0
AuditRopSimExec0
EnableImportAddressFilter0
AuditImportAddressFilter0
DisablePageCombine0
SpeculativeStoreBypassDisable1System