I’m the Handler for today at the Storm Center. I have a great post on getting OSSEC and AppLocker working. Stop by and check it out.
Responding to incidents in an efficient manner is critical for all CIRTS. This paper presents a new open
source tool for the enterprise. With this tool, responders will be able to detect incidents using aggregated
data collected from hosts and applying anomaly detection. OHIDS includes a sensitive data finder to allow
appropriate escalation of the incident. This software can be utilized in a proactive manner by removing SSNs
and credit card data before incidents occur or by detecting unauthorized software running.
I’ve had great response with the EMET post and had a couple of issues to follow up on.
How did you get SEHOPS to be Always on?
The system I was running when taking the screen shots was Vista 64-bit and apparently this is a Vista only option. On windows 7, by default, you have only “Application Opt in and Application Opt Out”. I did some testing on this and used process monitor to determine what registry key was being changed on the systems.
disabled is 1 and always on is 0
This is the same key on both Windows 7 and Vista, so this must be controlled at a deeper level then we can directly interact with.
Lsass and Spooler Crashing on Boot.
Rationallyparanoid has several great posts about EMET. They mentioned adding LSASS.exe and Spooler.exe to the protected applications. This worked on older versions of Emet, but I’m having crash issues on Vista 64-bit SP2 with 2.1. I have removed the BottomUPRand and EAF and it appears to fix the instability issues on these applications. Windows 7 64-bit does not seem to be experiencing this issue.
If you have not used Microsoft EMET and your in charge of managing or securing Windows PC’s then you need to start looking at it. In short, EMET uses a number of techniques (DEP, ASLR, HeapSpray prevention ect…) to make it much more difficult to exploit an application. The latest versions allows you to import and export a xml file to make it easy to deploy. There is still no direct management from GPO, but this new update makes it very easy.
(UPDATE) Scripts posted to dropbox due to weirdness (Formatting and omissions of partial lines) . You can get them here config.xml and emet_network.vbs.
Step 1 Testing your applications for Compatibility
While EMET does some cool tricks to prevent exploitation of applications, it can cause some stabilitity issues. I’ve been running it for a while and have not had any issues with applications. You will want to add any application that the user directly interacts with untrusted networks or with files received from untrusted network. Adding an application to be protected can be done from the GUI or the console. Startup the GUI and Select configure Apps.
Once you have selected the application, you can then change what security settings you want applied. The default is to include all and I would leave it that way unless you run into issues. To troubleshoot, clear all the settings for an app and start by adding each protecting until you crash the application. Leave that one protection unselected.
Step 2 Export your Settings
By default EMET is installed at C:\Program Files (x86)\EMET\. You will need to run the command-line version of the tool (as Admin)to export your settings.
Select Start -> Accessors -> and right click on Command Prompt and select “Run as Administrator”
>cd "C:\Program Files (x86)\EMET\" >emet_config.exe --export config.xml
I have included a version of a EMET Config
below (Available to download due to WordPress issues posting the code) . It list both 32 and 64 bit versions of Office version 12 and 14, Firefox, IE, Itunes and others…
Step 3 Copy Emet to Network drive
Emet does come as a MSI file, but you do not need to install it on every computer to make these changes. Just copy the entire C:\Program Files (x86)\EMET\ along with your config file to a network share that all users can access.
Step 4 Deploy Script
I wrote a script (Available to download due to WordPress issues posting the code) to import the settings because I wanted to add Google Chrome to the protected list. Chrome is installed under each user directory, so you have to dynamically generate its setting to work properly. (The current version does not support system variables). If you are not using chrome, then you can reduce the complexity of the script to just run the import from the network config file. The script only needs to be run once for each user, and then only when you update the config file. A typical deployment would have the script run at login via GPO or setup a scheduled task for the user.
To get the script to work in your environment you will need to make changes to the variables at the top of the script.
The basics steps of the script are:
- Download the xml file to local tmp drive
- Add Google chrome to the XML
- Run Emet from the network to import local xml file.