Windows IR

Mapping Attack Methodology to Controls


I’m the handler for today and I’ve got a post up about mapping controls. One of the key points is to make sure you do this for each attack method you respond to.


AppLocker and OSSEC 2.8


I’m the Handler for today at the Storm Center. I have a great post on getting OSSEC and AppLocker working together. Stop by and check it out.

Monitoring Windows Event Logs (Part 1)


I’m the ISC Handler today and I’ve got a great post on how to use syslog to monitor important Windows event logs. This will have multiple parts, as later parts will go deeper into the more specialized configuration.



My SANS GCIA gold paper has been published! It was a lot of work, but I’m very excited about it. You can get the paper here and the software here.


Responding to incidents in an efficient manner is critical for all CIRTs. This paper presents a new open source tool for the enterprise. With this tool, responders will be able to detect incidents by applying anomaly detection to aggregated data collected from hosts. OHIDS includes a sensitive data finder to allow appropriate escalation of the incident. This software can also be used proactively, by removing SSNs and credit card data before incidents occur or by detecting unauthorized software running.


EMET and IE 0 day ie_execcommand_uaf


Update: Microsoft has issued a “Fix it” for this issue. An official patch should be in place tomorrow, 21-Sept-2012.

A new IE zero-day is out and an exploit for it is available in Metasploit. I needed to find out whether EMET would protect against it. The two platforms I tested on were Windows 7 (fully patched) and Windows XP SP3 (fresh install) with IE 7. I tested both EMET 3.0 and EMET 2.1 to make sure that both versions prevented the exploit.

The Metasploit exploit worked flawlessly on Windows 7. I then enabled EMET and added the IE executable to the protected programs. With that in place, both versions of EMET prevented the exploit. The odd thing is that EMET 3.0 is supposed to generate a pop-up and create an event log entry when it catches an exploit; it did not notify me during any of my tests. On Windows XP SP3 with IE 7, as expected, the exploit worked when EMET was not configured. Once EMET was set up to protect IE, the exploit failed to run.

While having individual users at home switch to another browser (e.g. Chrome) makes sense, for large corporate environments deploying EMET will give you a stopgap for many of the exploits that we see.

EMET 2.1 Follow-Up


I’ve had a great response to the EMET post and have a couple of issues to follow up on.

How did you get SEHOP to be Always On?

The system I was running when taking the screenshots was Vista 64-bit, and apparently this is a Vista-only option. On Windows 7, by default, you have only “Application Opt In” and “Application Opt Out”. I did some testing on this and used Process Monitor to determine what registry key was being changed on the systems.

HKLM\System\CurrentControlSet\Control\SESSION MANAGER\kernel\DisableExceptionChainValidation
A value of 1 is Disabled and a value of 0 is Always On.

This is the same key on both Windows 7 and Vista, so the difference must be controlled at a deeper level than we can directly interact with.

LSASS and Spooler Crashing on Boot

Rationallyparanoid has several great posts about EMET. They mention adding LSASS.exe and Spooler.exe to the protected applications. This worked on older versions of EMET, but I’m having crash issues on Vista 64-bit SP2 with 2.1. I have removed BottomUpRand and EAF for these two applications, and that appears to fix the instability. Windows 7 64-bit does not seem to be experiencing this issue.

EMET 2.1 Deployment


If you have not used Microsoft EMET and you’re in charge of managing or securing Windows PCs, then you need to start looking at it. In short, EMET uses a number of techniques (DEP, ASLR, heap-spray prevention, etc.) to make it much more difficult to exploit an application. The latest version allows you to import and export an XML file to make it easy to deploy. There is still no direct management from GPO, but this new update makes deployment very easy.

(UPDATE) Scripts posted to Dropbox due to weirdness (formatting and omission of partial lines). You can get them here: config.xml and emet_network.vbs.



Step 1 Testing your applications for Compatibility

While EMET does some cool tricks to prevent exploitation of applications, it can cause some stability issues. I’ve been running it for a while and have not had any issues with applications. You will want to add any application through which the user directly interacts with untrusted networks or with files received from an untrusted network. Adding an application to be protected can be done from the GUI or the console. Start the GUI and select Configure Apps.

Then select Add and browse to the desired executable.

Once you have selected the application, you can change which security settings you want applied. The default is to include all of them, and I would leave it that way unless you run into issues. To troubleshoot, clear all the settings for an app and re-enable each protection one at a time until the application crashes. Leave that one protection unselected.

Step 2 Export your Settings

By default EMET is installed at C:\Program Files (x86)\EMET\. You will need to run the command-line version of the tool (as Admin) to export your settings.

Select Start -> Accessories, then right-click on Command Prompt and select “Run as Administrator”:

>cd "C:\Program Files (x86)\EMET\"
>emet_config.exe --export config.xml

I have included a version of an EMET config below (available for download due to WordPress issues posting the code). It lists both 32- and 64-bit versions of Office versions 12 and 14, Firefox, IE, iTunes and others.

Step 3 Copy EMET to a Network Drive

EMET does come as an MSI file, but you do not need to install it on every computer to make these changes. Just copy the entire C:\Program Files (x86)\EMET\ directory, along with your config file, to a network share that all users can access.

Step 4 Deploy Script

I wrote a script (available for download due to WordPress issues posting the code) to import the settings, because I wanted to add Google Chrome to the protected list. Chrome is installed under each user’s profile directory, so you have to generate its entry dynamically for it to work properly (the current version does not support system variables in paths). If you are not using Chrome, then you can reduce the script to just running the import from the network config file. The script only needs to be run once for each user, and then again only when you update the config file. A typical deployment would have the script run at login via GPO, or set up a scheduled task for the user.

To get the script to work in your environment you will need to make changes to the variables at the top of the script.

The basic steps of the script are:

  1. Copy the XML file from the share to a local temp directory.
  2. Add Google Chrome, with the current user’s install path, to the XML.
  3. Run EMET from the network share to import the local XML file.
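A PowerShell version of those three steps, as an added example that is not the post’s emet_network.vbs. The share path, the XML layout (App elements with Mitigation children under Apps) and the mitigation names are assumptions; check them against your own exported config.xml and adjust the node names before deploying.

```powershell
# Added example, not the post's script. Share path and XML layout are assumptions.
$NetworkEmet   = '\\fileserver\emet'                  # assumed share holding the EMET folder
$NetworkConfig = Join-Path $NetworkEmet 'config.xml'  # file produced by --export in Step 2
$LocalConfig   = Join-Path $env:TEMP 'emet_config.xml'

# Step 1: copy the exported config to a local temp file so the import reads a local path.
Copy-Item -Path $NetworkConfig -Destination $LocalConfig -Force

# Step 2: add a per-user Chrome entry. Chrome lives under %LOCALAPPDATA%, which the
# exported XML cannot express, so the absolute path is generated at login time.
$ChromePath = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
if (Test-Path -Path $ChromePath) {
    [xml]$cfg = Get-Content -Path $LocalConfig
    # Assumed layout: <Apps><App Path="..."><Mitigation Name="DEP" Enabled="true"/>...</App></Apps>
    $apps = $cfg.SelectSingleNode('//Apps')
    if (-not $apps) { throw "No <Apps> node in $LocalConfig; adjust the node names to your export." }

    # Idempotent: the script runs at every login, so do not add Chrome twice.
    $already = $apps.SelectNodes('App') | Where-Object { $_.Path -ieq $ChromePath }
    if (-not $already) {
        $app = $cfg.CreateElement('App')
        $app.SetAttribute('Path', $ChromePath)
        # Same "include all" mitigation set the post applies by default (names assumed).
        foreach ($name in 'DEP','SEHOP','NullPage','HeapSpray','EAF','MandatoryASLR','BottomUpRand') {
            $m = $cfg.CreateElement('Mitigation')
            $m.SetAttribute('Name', $name)
            $m.SetAttribute('Enabled', 'true')
            [void]$app.AppendChild($m)
        }
        [void]$apps.AppendChild($app)
        $cfg.Save($LocalConfig)
    }
}

# Step 3: run the EMET command-line tool straight from the share (no local install needed).
$EmetExe = Join-Path $NetworkEmet 'emet_config.exe'   # executable name as given in the post
& $EmetExe --import $LocalConfig
if ($LASTEXITCODE -ne 0) { Write-Warning "EMET import failed with exit code $LASTEXITCODE" }
```

Because the import runs under the logged-in user, the share must be readable by all users, and a failed import is only visible if you log the warning somewhere central (for example via a scheduled-task or logon-script output you already collect).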