Prints mitigation policy information for processes in a dump file.
-d [dump file] - specify dump file
-l - query current machine (must run elevated)
-k [target machine information] - live kernel debugging (Example: -k net:port:50000,key:1.1.1.1,target:1.2.3.4)
-e - Only print enabled mitigations for process
-m [mitigation,mitigation,...] - Only print processes where any of the requested mitigations are enabled
-ma [mitigation,mitigation,...] - Only print processes where all of the requested mitigations are enabled
Usage example:
MitigationFlagsCliTool.exe -d c:\temp\live3.dmp -ma DisallowWin32kSystemCalls -e
Will show all processes that have the DisallowWin32kSystemCalls mitigation enabled:
Current process name: MsMpEngCP.exe, pid: 2352
Mitigation Flags:
ControlFlowGuardEnabled
DisallowStrippedImages
ForceRelocateImages
HighEntropyASLREnabled
ExtensionPointDisable
DisallowWin32kSystemCalls
AuditDisallowWin32kSystemCalls
DisableNonSystemFonts
PreferSystem32Images
ProhibitRemoteImageMap
ProhibitLowILImageMap
SignatureMitigationOptIn
Current process name: vmwp.exe, pid: 4388
Mitigation Flags:
ControlFlowGuardEnabled
ControlFlowGuardExportSuppressionEnabled
ControlFlowGuardStrict
DisallowStrippedImages
ForceRelocateImages
HighEntropyASLREnabled
ExtensionPointDisable
DisableDynamicCode
AuditDisableDynamicCode
DisallowWin32kSystemCalls
AuditDisallowWin32kSystemCalls
DisableNonSystemFonts
PreferSystem32Images
ProhibitRemoteImageMap
ProhibitLowILImageMap
SignatureMitigationOptIn
Current process name: vmmem, pid: 1948
Mitigation Flags:
HighEntropyASLREnabled
DisallowWin32kSystemCalls
AuditDisallowWin32kSystemCalls
PreferSystem32Images
ProhibitRemoteImageMap
ProhibitLowILImageMap
Most of the mitigations shown here are documented in some form. Information about a lot of them can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference
And information about how to enable and disable them is here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection
A lot of those mitigations are also explained in detail in the Windows Internals book.
Some sources give us more information about a specific mitigation class and the reasons it was implemeted:
Mitigation FLags:
- ControlFlowGuardEnabled
- ControlFlowGuardExportSuppressionEnabled
- ControlFlowGuardStrict
Sources:
https://documents.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
https://docs.microsoft.com/en-us/windows/win32/secbp/pe-metadata#export-suppression
Mitigation FLags:
- DisallowStrippedImages
- ForceRelocateImages
- HighEntropyASLREnabled
- StackRandomizationDisabled
Sources:
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference
https://msrc-blog.microsoft.com/2013/12/11/software-defense-mitigating-common-exploitation-techniques/
Mitigation Flags:
- ExtensionPointDisable
Sources:
https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref
Mitigation Flags:
- DisableDynamicCode
- DisableDynamicCodeAllowOptOut
- DisableDynamicCodeAllowRemoteDowngrade
- AuditDisableDynamicCode
Sources:
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/
Mitigation Flags:
- DisallowWin32kSystemCalls
- AuditDisallowWin32kSystemCalls
- EnableFilteredWin32kAPIs
- AuditFilteredWin32kAPIs
Sources:
https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html
Mitigation Flags:
- DisableNonSystemFonts
- AuditNonSystemFontLoading
Mitigation Flags:
- PreferSystem32Images
- ProhibitRemoteImageMap
- AuditProhibitRemoteImageMap
- ProhibitLowILImageMap
- AuditProhibitLowILImageMap
Mitigation Flags:
- SignatureMitigationOptIn
- AuditBlockNonMicrosoftBinaries
- AuditBlockNonMicrosoftBinariesAllowStore
- LoaderIntegrityContinuityEnabled
- AuditLoaderIntegrityContinuity
Sources:
https://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference#validate-image-dependency-integrity (Here loader integrity continuity is named Image Dependency Integrity)
Mitigation Flags:
- EnableModuleTamperingProtection
- EnableModuleTamperingProtectionNoInherit
Mitigation Flags:
- RestrictIndirectBranchPrediction
- SpeculativeStoreBypassDisable
Sources:
https://software.intel.com/security-software-guidance/deep-dive/deep-dive-indirect-branch-restricted-speculation
https://msrc-blog.microsoft.com/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/
Mitigation Flags:
- IsolateSecurityDomain
Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:
- EnableExportAddressFilter
- AuditExportAddressFilter
- EnableExportAddressFilterPlus
- AuditExportAddressFilterPlus
Sources:
https://adsecurity.org/?p=2579
Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:
- EnableImportAddressFilter
- AuditImportAddressFilter
Originally implemented by EMET and later added to Windows Defender.
Mitigation Flags:
- EnableRopStackPivot
- AuditRopStackPivot
- EnableRopCallerCheck
- AuditRopCallerCheck
- EnableRopSimExec
- AuditRopSimExec
Mitigation Flags:
- DisablePageCombine
Sources:
https://vulners.com/nessus/SMB_NT_MS16-092.NASL
https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_side_channel_isolation_policy
Mitigation Flags:
- CetUserShadowStacks
- AuditCetUserShadowStacks
- AuditCetUserShadowStacksLogged
- UserCetSetContextIpValidation
- AuditUserCetSetContextIpValidation
- AuditUserCetSetContextIpValidationLogged
- CetUserShadowStacksStrictMode
- BlockNonCetBinaries
- BlockNonCetBinariesNonEhcont
- AuditBlockNonCetBinaries
- AuditBlockNonCetBinariesLogged
- PointerAuthUserIp
- AuditPointerAuthUserIp
- AuditPointerAuthUserIpLogged
- CetDynamicApisOutOfProcOnly
- UserCetSetContextIpValidationRelaxedMode
Sources:
https://windows-internals.com/cet-on-windows/ (Only documents some of those, as a lot were added very recently)
Mitigation Flags:
- XtendedControlFlowGuard
- AuditXtendedControlFlowGuard
Sources:
https://connormcgarr.github.io/examining-xfg/
https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/
On my local Windows 10 RS5 there are 316 processes running at the time of the check.
Here is the number of processes that enable each mitigation policy:
| Mitigation Flag | Number Of Processes | Examples |
|---|---|---|
| ControlFlowGuardEnabled | 250 | chrome.exe, svchost.exe, lsass.exe |
| ControlFlowGuardExportSuppressionEnabled | 5 | vmcompute.exe, vmwp.exe, MicrosoftEdgeCP.exe |
| ControlFlowGuardStrict | 10 | svchost.exe, vmcompute.exe, vmwp.exe |
| DisallowStrippedImages | 26 | dllhost.exe, MicrosoftEdge.exe |
| ForceRelocateImages | 36 | dllhost.exe, MicrosoftEdge.exe, fontdrvhost.exe |
| HighEntropyASLREnabled | 281 | vmmem, svchost.exe |
| StackRandomizationDisabled | 5 | BCClipboard.exe, vcpkgsrv.exe |
| ExtensionPointDisable | 84 | chrome.exe, services.exe, svchost.exe |
| DisableDynamicCode | 25 | MicrosoftEdge.exe, chrome.exe, svchost.exe |
| DisableDynamicCodeAllowOptOut | 0 | |
| DisableDynamicCodeAllowRemoteDowngrade | 3 | MicrosoftEdge.exe, MicrosoftEdgeCP.exe |
| AuditDisableDynamicCode | 86 | svchost.exe, fintdrvhost.exe |
| DisallowWin32kSystemCalls | 65 | chrome.exe, vmmem, vmwp.exe |
| AuditDisallowWin32kSystemCalls | 61 | chrome.exe, vmmem, vmwp.exe |
| EnableFilteredWin32kAPIs | 4 | fontdrvhost.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| AuditFilteredWin32kAPIs | 2 | MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| DisableNonSystemFonts | 73 | chrome.exe, vmwp.exe |
| AuditNonSystemFontLoading | 6 | fontdrvhost.exe, spoolsv.exe |
| PreferSystem32Images | 9 | dllhost.exe, vmmem |
| ProhibitRemoteImageMap | 77 | chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| AuditProhibitRemoteImageMap | 3 | fontdrvhost.exe, spoolsv.exe |
| ProhibitLowILImageMap | 74 | chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| AuditProhibitLowILImageMap | 3 | fontdrvhost.exe, spoolsv.exe |
| SignatureMitigationOptIn | 79 | chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| AuditBlockNonMicrosoftBinaries | 86 | svchost.exe, fontdrvhost.exe |
| AuditBlockNonMicrosoftBinariesAllowStore | 0 | |
| LoaderIntegrityContinuityEnabled | 7 | dllhost.exe, MicrosoftEdgeSH.exe |
| AuditLoaderIntegrityContinuity | 7 | dllhost.exe, MicrosoftEdgeSH.exe |
| EnableModuleTamperingProtection | 3 | MicrosoftEdgeSH.exe, browser_broker.exe, RuntimeBroker.exe |
| EnableModuleTamperingProtectionNoInherit | 1 | browser_broker.exe |
| RestrictIndirectBranchPrediction | 64 | chrome.exe, MicrosoftEdgeSH.exe, MicrosoftEdgeCP.exe |
| IsolateSecurityDomain | 0 | |
| EnableExportAddressFilter | 0 | |
| AuditExportAddressFilter | 0 | |
| EnableExportAddressFilterPlus | 0 | |
| AuditExportAddressFilterPlus | 0 | |
| EnableRopStackPivot | 0 | |
| AuditRopStackPivot | 0 | |
| EnableRopCallerCheck | 0 | |
| AuditRopCallerCheck | 0 | |
| EnableRopSimExec | 0 | |
| AuditRopSimExec | 0 | |
| EnableImportAddressFilter | 0 | |
| AuditImportAddressFilter | 0 | |
| DisablePageCombine | 0 | |
| SpeculativeStoreBypassDisable | 1 | System |
- Export address filter, import address filter and ROP mitigations are not enabled by default for any process and need to be enabled manually through Windows Defender
- CET mitigations are not shown here because current hardware doesn't support CET yet so enabling the flags will have no effect at this point
- XFG is not shown because it does not exist on Windows 10 RS5