Files
Anthropic-Cybersecurity-Skills/skills/implementing-memory-protection-with-dep-aslr/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

3.9 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
implementing-memory-protection-with-dep-aslr Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection, exploit mitigation, DEP, ASLR, or CFG configuration. cybersecurity endpoint-security
endpoint
memory-protection
DEP
ASLR
exploit-mitigation
CFG
1.0.0 mahipal Apache-2.0
PR.PS-01
PR.PS-02
DE.CM-01
PR.IR-01

Implementing Memory Protection with DEP and ASLR

When to Use

Use this skill when hardening endpoints against memory-based exploits by configuring DEP, ASLR, CFG, and Windows Exploit Protection system-wide and per-application mitigations.

Prerequisites

  • Windows 10/11 or Windows Server 2016+ with administrative privileges
  • Group Policy management access for enterprise-wide deployment
  • Understanding of memory corruption attack techniques (buffer overflow, ROP chains)
  • Test environment for validating application compatibility with exploit mitigations

Workflow

Step 1: Configure System-Level Mitigations

# Enable system-wide DEP (Data Execution Prevention)
# Boot configuration: OptIn (default), OptOut (recommended), AlwaysOn
bcdedit /set nx AlwaysOn

# Verify ASLR status (enabled by default on modern Windows)
Get-ProcessMitigation -System
# MandatoryASLR, BottomUpASLR, HighEntropyASLR should be ON

# Enable all system-level mitigations
Set-ProcessMitigation -System -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy

Step 2: Configure Per-Application Mitigations

# Harden high-risk applications (browsers, Office, PDF readers)
Set-ProcessMitigation -Name "WINWORD.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle
Set-ProcessMitigation -Name "EXCEL.EXE" -Enable DEP,SEHOP,ForceRelocateImages,CFG,StrictHandle
Set-ProcessMitigation -Name "AcroRd32.exe" -Enable DEP,SEHOP,ForceRelocateImages,CFG
Set-ProcessMitigation -Name "chrome.exe" -Enable DEP,CFG,ForceRelocateImages
Set-ProcessMitigation -Name "msedge.exe" -Enable DEP,CFG,ForceRelocateImages

# Export configuration for deployment
Get-ProcessMitigation -RegistryConfigFilePath "C:\exploit_protection.xml"
# Deploy via Intune or GPO

Step 3: Deploy via Intune/GPO

Intune: Endpoint Security → Attack Surface Reduction → Exploit Protection
  Import exploit_protection.xml template

GPO: Computer Configuration → Admin Templates → Windows Components
  → Windows Defender Exploit Guard → Exploit Protection
  → "Use a common set of exploit protection settings" → Enabled
  → Point to XML file on network share

Key Concepts

Term Definition
DEP Marks memory pages as non-executable to prevent shellcode execution in data regions
ASLR Randomizes memory addresses of loaded modules to defeat hardcoded ROP gadgets
CFG Validates indirect call targets at runtime to prevent control flow hijacking
SEHOP Validates SEH chain integrity to prevent SEH-based exploitation

Tools & Systems

  • Windows Exploit Protection: Built-in per-process mitigation management
  • EMET (legacy): Enhanced Mitigation Experience Toolkit (predecessor, now deprecated)
  • ProcessMitigations PowerShell: Get/Set-ProcessMitigation cmdlets

Common Pitfalls

  • DEP compatibility: Legacy 32-bit applications may crash with DEP AlwaysOn. Use OptOut with exceptions.
  • Mandatory ASLR breaking apps: Some applications are not ASLR-compatible. Test before enforcing ForceRelocateImages.
  • CFG limited to compiled-in support: CFG only works for applications compiled with /guard:cf. Cannot be retroactively applied.