TrustedSec is a big fan of The Enhance Mitigation Experience Toolkit (EMET). If you haven’t already read up on the features, functionality, and huge benefits it adds towards strengthening security on servers and workstations, check out the previous two blog posts:
A quick summary of EMET, it’s a free tool provided by Microsoft which allows you to add additional checks and memory analysis of running processes in order to protect against things like zero days, exploits, certificate pinning (trusts), and more. Traditional exploit methods rely on several predefined behaviors (not always but mostly), EMET puts in a lot of checks and preventative measures in stopping these types of attacks in memory and remove the ability for remote code execution (RCE) to occur. An example on how EMET can work and wouldn’t work would be the following:
A working example of EMET can be found in the latest Internet Explorer exploit (MS13-009). An integer overflow exists inside vgx.dll and due to the handling of dashstyle.array lengths for vml which causes the bug. The exploit itself uses a common technique for bypassing Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and more. The technique used in this attack uses a combination of a technique called a heap spray and return oriented programming (ROP) gadgets built on Java Runtime Environments (JRE6). The way EMET protects against this is through several techniques, the first is ROP mitigation attacks. In a ROP exploit, an attacker will use a series of returns already pieced together in memory (and not affected by ASLR) to put together a “gadget” which allows the ability to execute remote code (Overview NX). EMET works on a process by process basis and can monitor these type of techniques and stop the execution from occurring (if configured properly, more on that later).
The second method of prevention is the heap protection aspects which pre-allocate popular portions of memory that are commonly used by attackers. When jumping to your NOP slide and shellcode it isn’t there and the exploit isn’t successful. These two examples alone have the ability to prevent the exploit from functioning properly and eliminating the threat.
An example where EMET would not work would be a sandbox escape attack in something like Java. Most recently, the Java Applet ProviderSkeleton Insecure Invoke Method exploit was released within Metasploit. In this example, this is a flaw within how Java is designed and not using traditional in memory attacks. Instead this attack exploits an insecure invoke method inside the ProviderSkeleton class in Java update 21 and earlier. Since this isn’t a traditional exploit method, something like EMET wouldn’t save you from this type of attack. Something to be aware of, and something you should definitely be analyzing from what’s in the public.
One word of caution, EMET isn’t a 100 percent method for preventative measures. Older versions had known bypass techniques, however the capabilities you get with EMET drastically increase the ability to withstand traditional exploits and relatively easily to deploy. On that note, let’s get into the installation of EMET 4.1.
First, you will need to download EMET 4.1 which can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=41138. Select the MSI file below:
This will download an MSI file which you can deploy systems. Conversely you could also deploy the MSI files through group policy on a much larger deployment. EMET does support group policy add-ons and can be centrally management through Active Directory. Note there is also a larger PDF that contains more information about EMET 4.1.
Double click on the MSI file and follow the steps to install.
Next, select the “use recommended settings” and finish the installation.
Installation should finish below:
Go to your start menu and locate the newly installed “EMET GUI”. Open up the EMET GUI and get into the main console. The way EMET works is by running processes and protecting those processes.
First, once inside the GUI, in the middle there’s a Quick Profile Name, select the drop down and select “Maximum security settings”. Then in the same GUI menu on the left hand side, select “Import”:
Then select “Popular Software”:
The popular software xml contains a few applications like 7-Zip, mIRC, Realplayer, VLC, WinZip, Chrome, Google Talk, Office, Live Essentials 2012, Lync Communicator, Skype, Windows Media Player, Wordpad, Adobe, Java, and Internet Explorer. Note that this is just a standard best practices for software that has been previously configured. When deploying this to a large scale enterprise, you will want to modify this XML file and add appropriate executables to protect in your environment. EMET will NOT protect against things that are not already defined in the XML. Note that all applications on the operating system will have default mitigation scenarios placed on them if they are in %APPDATA%, %ProgramFiles(x86)%, %ProframFiles%, %Windir%, and %LOCALAPPDATA%.
Next once that is configured, go to the main GUI menu and check to ensure that all of the protection mechanisms are set to “Always On”.
If not, then select the drop down menu and select “Always On”, and select the always on feature.
Lastly, from the main menu, select the “Apps” button on the top middle of the GUI and once in the main screen, ensure “deep hooks” is specified to on. Also, take a look at the application list and start to build your XML list with things that aren’t already included in the protection list.
Next, if we want to integrate this within group policy, there are admx files that are included under your program filesEMETDeploymentGroup Policy folder. You need to copy the .admx files to your SYSTEMDRIVEWindowsPolicyDefinitions folder and the .adml files to SYSTEMDRIVEWindowsPolicyDefinitionsen-US. When you move them there you can get to the policies through Computer Configuration -> Administrative Templates -> Windows -> Components -> EMET GPO. Below is a screenshot of what options you have available:
Once you’ve configured everything, there’s one last step you want to do, in the main menu area shown in the first image on the very top of this post, you will notice on the right hand side “Running EMET” in the Running Processes tab. Scroll through the applications that are listed there and ensure you have the major ones covered. For example, Excel, Adobe, etc. If there isn’t a green “Running EMET”, right click on it, and select “configure”. Once there, you can go back to that menu and it should now be green and protected by EMET.
That is it! You should have EMET configured and ready to go.
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.