Like what you hear? Tweet it using: #Sec360 (2014/05/13)


  • Like what you hear? Tweet it using: #Sec360 5/13/2014


    Technical details


    Rolling out in a Corporate Environment


    Lessons Learned

    Tips for Maximum security settings


    Trademarks owned by their respective owners

  • WHY RUN EMET? Do you have top notch anti-malware?

    Are your PCs still being exploited?

    § No anti-malware product is 100% effective

    § Zero-day exploits for IE / Flash / Adobe Reader / Java / etc…

    Would you like to improve your odds?


    Blocks “zero-day” malware exploits

    Supplements existing anti-malware

    Supported by Microsoft

    Uses group policy

    Minimal overhead

    But wait, there’s more…

    It’s FREE!!!

  • OK, WHAT IS EMET EMET: Enhanced Mitigation Experience Toolkit

    A free software package from Microsoft

    § Available since 2009 / officially supported since 2011

    § Current version is 4.1 (& 5.0 preview)

    Blocks memory corruption / buffer overflow exploits

    § Example: it randomizes memory locations

    Low overhead: uses the Application Compatibility Framework, rather than running as a program

    § No need to recompile applications

    Install on every workstation

  • WHY RUN EMET? Because Microsoft recommends it:

    4/26/2014 - Microsoft KB2963983 IE Vulnerability – “Workarounds […] Deploy the Enhanced Mitigation Experience Toolkit”

    3/24/2014 – Microsoft SRD2953095 Word Vulnerability – “our tests showed that EMET default configuration can block the exploits seen in the wild.”

    3/11/2014 – Microsoft MS14-012 IE Vulnerability – “Does EMET help mitigate attacks that could attempt to exploit these vulnerabilities? Yes.”

    7/28/2010 – Microsoft FF859539 IE Aurora Vulnerability – “EMET can help prevent successful exploitation on systems lacking the update.”

    … and it blocks many more for Flash / Adobe Reader / Java / etc…

  • WHERE IT WORKS BEST Workstations typically get infected in two ways:

    1.  Workstation has vulnerable software

    § E.g. unpatched/zero-day Adobe, Java, Office, browser plug-ins

    § Users visit an automated exploit web site, or open a bad email document

    -> Install EMET

    2.  Users get tricked into running bad software

    § Payroll.exe

    -> Train users; EMET less effective

    * In addition to other mitigations such as anti-malware

  • TECHNICAL: PROTECTION OVERVIEW Three Types of Protection:

    1.  System Wide

    § Programs can be coded to opt-in or opt-out

    2.  Per-Program

    § Enforces protection on specific programs

    3.  Per-Web-Site

    § Alerts users to fraudulent SSL/TLS certificates

  • TECHNICAL: 1. SYSTEM-WIDE 1. System Wide Protections:

    DEP - Data Execution Prevention

    § Marks data (heap/stack) memory as non-executable

    § Requires support by the CPU (Intel=XD, AMD=NX)

    SEHOP – Exception Handling

    § OS walks the exception chain to validate it before using it

    ASLR – Address Randomization

    § Use different memory locations each boot

  • TECHNICAL: 1. SYSTEM-WIDE 1. System-Wide Protection Options: DEP / SEHOP / ASLR

    Always On – All programs will use

    Opt-Out – On except if program is written to opt-out

    Opt-In – Off except if program is written to opt-in

    Disabled – No programs will use

    Opt-In vs. Opt-Out depends on risk tolerance/resources

    Opt-In is the Microsoft recommendation

    § Less protection, but fewer compatibility issues

  • TECHNICAL: 2. PER-PROGRAM 2. Per-program Protection Options:

    Memory Protections:

    § DEP / Bottom-Up ASLR / Mandatory ASLR / Heap Spray (blocks common locations) / Null Page

    Return Oriented Programming (ROP):

    § Load Library checks (no UNC DLL calls) / Memory protection checks (disallow stack executable) / Caller Checks (critical functions only via “call”, not “return”) / Stack Pivot (detect if stack pivoted) / Simulate execution flow (detect ROP gadgets)

    Other:

    § SEHOP / EAF (Export Address Table Filtering - blocks API address lookup) / ASR (Attack Surface Reduction in v5.0, blocks specific plugins)

    Note: Any protection applied to a browser protects all its plug-ins too

  • TECHNICAL: 3. CERTIFICATE TRUST 3. Per-web-site (v4): Certificate Trust Pinning

    Deters an attacker from using a compromised certificate vendor to intercept traffic (DigiNotar/Google) in IE

    § E.g. can only use DigiCert/Equifax/GeoTrust/Thawte/VeriSign certs

    § Config: MS / Yahoo / Skype / Twitter / Facebook

    § Might require maintenance with non-MS entries

    § Can specify expiration date, allow same country, etc.

    Only warns users, doesn’t block

    Not configurable by group policy



    Certificate Trust Pinning

    Certificate Authority must be: DigiCert/Equifax/GeoTrust/ Thawte/ VeriSign

    E.g. but not DigiNotar


    Install Microsoft .Net 4.0 (& KB 2790907 on Win 8/2012)

    Download EMET from

    Install

    § It will ask if you want Recommended Settings

    § If no configuration is done, EMET doesn’t protect

    Start GUI

    Settings

    § System-Wide: Always On / App Opt-Out / App Opt-In / Disabled

    § Per-program: v3 / ROP / Mitigation Settings / Manually Adding

    § Web Certificate CA Pinning

  • …TESTING ON A PC Start up the GUI:

    Start Menu -> EMET -> EMET GUI

    Sample Test Settings:

    DEP: Opt In

    SEHOP: Opt In

    ASLR: Opt In

    Pinning: Enabled

  • …TESTING ON A PC Import per-Application & Cert Pinning Settings:

    Import -> Popular

    § Popular has more than

    Import -> CertTrust

    § Contains SSL/TLS certificate pinning rules for a few web sites

  • ROLLING OUT: PREP Download EMET (& .Net 4)

    Extract Group Policy ADM* files

    § msiexec /a "EMET Setup.msi" /qb TARGETDIR="c:\temp"

    § (or copy from the EMET directory if EMET is already installed)

    Install Group Policy ADM* files

    § Only needed on machines that will modify group policy

    § Copy EMET.admx and EMET.adml from c:\temp\group policy files to \Windows\PolicyDefinitions (admx) and \Windows\PolicyDefinitions\en-US (adml)

    § Note: ADM* files are different for each EMET version – use the current ones


    Note: Create a test OU container for each department / drag and drop PC


    Note: Create a Group Policy Object, then link to each Test OU container


    Note: IE, Popular, and Recommended Software are not similar


    Include a shutdown script to apply the group policy: EMET_Conf --refresh
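The extraction, template copy and refresh-script steps on this slide, as an added PowerShell script that is not from the original presentation. It assumes the MSI sits in C:\temp, the ADML language is en-US, and EMET_Conf.exe is on PATH after installation; it must run from an elevated prompt.

```powershell
# Added example (not from the slides): stage the EMET Group Policy templates
# on an admin workstation. Assumptions not stated in the slides: the MSI sits
# in C:\temp and the ADMX/ADML language is en-US. Run from an elevated prompt.
$Msi        = 'C:\temp\EMET Setup.msi'
$ExtractDir = 'C:\temp\emet-extract'
$PolicyDir  = Join-Path $env:windir 'PolicyDefinitions'

# 1. Administrative install (msiexec /a): unpacks the package, including the
#    Group Policy files, without installing EMET on this machine.
$msiArgs = "/a `"$Msi`" /qb TARGETDIR=`"$ExtractDir`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec /a failed with exit code $($proc.ExitCode)" }

# 2. Find the templates wherever the extract put them (the slides name a
#    'group policy files' folder; searching avoids hard-coding its depth).
$admx = Get-ChildItem -Path $ExtractDir -Recurse -Filter 'EMET.admx' | Select-Object -First 1
$adml = Get-ChildItem -Path $ExtractDir -Recurse -Filter 'EMET.adml' | Select-Object -First 1
if (-not $admx -or -not $adml) { throw 'EMET.admx / EMET.adml not found in the extract' }

# 3. ADMX goes in PolicyDefinitions, ADML in its language subfolder. -Force
#    overwrites templates left by an older EMET version (they differ per version).
Copy-Item -Path $admx.FullName -Destination $PolicyDir -Force
Copy-Item -Path $adml.FullName -Destination (Join-Path $PolicyDir 'en-US') -Force

# 4. Show what is now in place so the version can be checked against the MSI.
Get-Item -Path (Join-Path $PolicyDir 'EMET.admx'), (Join-Path $PolicyDir 'en-US\EMET.adml') |
    Select-Object FullName, LastWriteTime, Length

# 5. Shutdown script for the GPO (Computer Configuration > Policies > Windows
#    Settings > Scripts > Shutdown): pushes the policy values into EMET's own
#    configuration. Assumes EMET_Conf.exe is on PATH on the target PCs.
Set-Content -Path 'C:\temp\emet-refresh.cmd' -Value 'EMET_Conf.exe --refresh'
```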

  • ROLLING OUT: SOFTWARE Roll out .Net 4.0 (& KB 2790907 on Win 8/2012)

    Roll out EMET using Group Policy or other method

  • TROUBLESHOOTING EMET notification: Popup Window

    OS Application log

    § Office plug-ins also produce an Application Error; search the disk for the module

  • EMET V4 KNOWN ISSUES Group Policy settings don’t display properly in EMET GUI

    § Commands that will display them: emet-conf --list

    § reg query HKLM\Software\Policies\Microsoft\EMET


    Certificate Trust Pinning limitations:

    § EMET Group Policy doesn’t contain those settings

    § Not available for the “Modern” IE app in Windows 8

    Review the included EMET User’s Guide and the EMET web forum for additional caveats
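Because the v4 GUI may not show policy-delivered settings, the two commands on the known-issues slide are the reliable check. The following PowerShell script is an added example, not part of the presentation: it reads the same registry policy key, runs EMET_Conf --list, and reports the boot-time DEP mode from bcdedit (the bcdedit "nx" values OptIn / OptOut / AlwaysOn / AlwaysOff correspond to the system-wide DEP options on the earlier slide). It assumes EMET_Conf.exe is on PATH and an elevated prompt.

```powershell
# Added example (not from the slides): read the EMET settings Group Policy
# wrote, since the v4 GUI may not show them. Assumptions not in the slides:
# EMET_Conf.exe is on PATH and the prompt is elevated (bcdedit needs it).
function Get-EmetPolicySettings {
    # Same key the slides query with reg.exe; a missing key means no EMET
    # policy has been applied to this machine.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET'
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties; return plain name/value pairs.
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {
            [pscustomobject]@{ Setting = $p.Name; Value = $p.Value }
        }
    }
}

function Get-SystemDepMode {
    # bcdedit's "nx" element is the boot-time DEP policy (OptIn, OptOut,
    # AlwaysOn, AlwaysOff), i.e. the slides' system-wide DEP setting.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*nx\s+(\S+)') { return $Matches[1] }
    }
    return 'not set (OS default applies)'
}

'--- EMET values under the Group Policy key ---'
$policy = Get-EmetPolicySettings
if ($null -eq $policy) { 'no EMET policy key present' } else { $policy | Format-Table -AutoSize }

'--- Effective EMET configuration (EMET_Conf --list) ---'
& EMET_Conf.exe --list

'--- Boot-time DEP policy (bcdedit nx) ---'
Get-SystemDepMode
```

Compare the three sections: a value present under the policy key but absent from the EMET_Conf listing is the symptom the slides describe, and the shutdown-script refresh is the documented fix.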

  • LESSONS LEARNED 1.  DEP breaks legacy applications

    § Roll out EMET to the enterprise in phases

    § Set the system-wide DEP to Opt-in, not Always-on

    § E.g. breaks end-of-life versions of Crystal Reports

    § Can individually configure workstations to opt out of DEP for a specific application if you set DEP to Opt-in: Computer Properties / Advanced / Performance / DEP

    § Can use the free Microsoft Application Compatibility Toolkit to create a “shim” to roll out for the application to opt out of 32-bit DEP; Compatibility Fix setting: “Disable NX”

  • LESSONS LEARNED 2.  Apply Group Policy settings before installing

    § Settings didn’t always apply afterwards

    § Can get the settings to apply by adding a Group Policy shutdown script to run “emet_conf --refresh”

    3.  Uninstalling EMET doesn’t revert system-wide changes (DEP)

    § Revert system-wide changes, then uninstall

    § Tools - Windows 7: bcdedit § P