
Microsoft EMET Overview and Demonstration

BSides Peru 2015 | 31:04 | 6.8K views | Published 2015-06
Tags
Category: Technical
Topic: Tooling
Team: Blue
About this talk
Kevin Ginousso demonstrates Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free endpoint protection tool that provides advanced mitigations for software frequently targeted by attackers. The talk covers EMET features, deployment strategies, configuration challenges, and real-world effectiveness through live demonstrations of attack scenarios with and without EMET enabled.
Original YouTube description
Microsoft EMET Overview and Demonstration

Abstract: Microsoft EMET is a free tool that can be used to improve endpoint security. It provides advanced mitigation for software most targeted by attackers. This talk will discuss the features, deployment strategies and targets, and upkeep. We'll then demonstrate effectiveness using real-world attacks against a vulnerable system without EMET and then compare against the same system with EMET installed.

Bio: Kevin is a security architect and part time packet mangler. He has over 17 years of experience in both the offensive and defensive sides of information security, and has done work for a number of organizations across the technology, healthcare, finance, and retail sectors.
Transcript [en]

Okay, so my name is Kevin and we're here to talk about Microsoft EMET. Is anyone out there running EMET in their environment? Right, I'm done here. Okay, good. So for those of you who are running it, you know the goodness. For those of you who aren't, I'm going to tell you the goodness and hopefully this can help you out. So we'll go through who I am, the problem, the solution (a solution, anyway), some features and mitigations inside of EMET, maybe some downsides I've run into with it, deployment targets, and a little demo if we have time; I'm actually going to show you what the thing looks like and how it works, and then we'll do a summary and some Q&A.

So my name is Kevin Ginousso. I'm the senior security architect at Dick's Sporting Goods. I'm an advanced persistent Pittsburgher, been here my whole life. I landed my first IT security job in 1998 after a post-interview pen test, and it sounds cooler than it really is. Remember, back in the 90s you could sneeze on something and knock it over and get root. So what happened was I had an interview, I really, really wanted this job, and I asked the guy at the end of the interview, hey, do you mind if I just take a look at your network whenever I get home tonight? He was like, oh yeah, sure, that'd be great. I was like, okay, could you sign this thing that says I'm allowed to do that? He signed it, he was cool with it. The next day he came in, opened up his computer, and there was a little txt file sitting on his desktop that said, hey Brad, open me. He opened it up and I said, dude, you've got some firewall problems. This is Windows 98; very simple to break into Windows 98 when it's not behind a firewall. He called me that day and I got the job the following day.

So, three-time BSides Pittsburgh speaker; thank you so much for having me back again, guys,

and give these guys a hand for what they do to put this thing on. It's a lot of work and really good stuff. All right, let's get into it.

So, the problem. Well, one of the big problems is that patching is hard. The need to test patches slows the defenders down, and then you've got the non-Microsoft vendors that don't make it easy to patch, things like Flash and Java, etc. And then you've got applications that depend on legacy code, and Java is notorious for that, right? Does anybody have an application in their environment that requires Java, like old, ancient versions of Java from, like, yeah, the 90s, exactly. So that's a big problem. You can't just tell the business, no, you can't run that anymore because the underlying engine that makes it go stinks. So you have to accommodate them. But you've got to wonder why they're still doing this too: Microsoft is actually flagging the Ask Toolbar as malware now, so Oracle is installing malware on your machine when you go to install Java, just so everybody knows.

The other problem is the attackers are fast, right? When it comes down to it, they can crank out exploit code faster than you can patch for it. A public MS14-064 exploit came out two days after the patch. Okay, but it was already being exploited in the wild; it just made it easy for everybody to run that exploit. And then somebody mentioned exploit kits earlier today. Exploit kits, you can buy them on the dark web. Go get yourself some magic internet money, also known as Bitcoin, and you can go on the dark web and buy yourself an exploit kit, and oh, look at you, now you're a hacker, yay. So we have to defend against this crap. Kaspersky and Cisco both agree that 95% of all attacks target Java, Adobe products, Internet Explorer, or Microsoft Office. That's 95% of the attacks, and actually 91% of those are Java. So obviously we have a problem.

So EMET is a potential solution for that. It stands for the Enhanced Mitigation Experience Toolkit. It's a Microsoft product, since 2009; this thing's been around for a while. It's free as in beer, free as in BSides. It provides advanced protection against known and unknown threats, and it's the unknown threats that's interesting, right? We don't need a signature to protect something with EMET. And there was only one cash prize that went unclaimed at Pwn2Own 2014, 150 grand, and it was Internet Explorer 11 secured with EMET. That's 150 grand; there's a lot of hackers who want that money and they couldn't get it because of EMET.

And also Dave Kennedy approves this. You'll hear him talk about EMET at any of his talks. If you don't know who Dave Kennedy is, very well respected pen tester in the industry, one of the best, and he approves it. See, he's giving a thumbs up; he approves it.

So, some EMET features, let's talk about that a little bit. It's user defined on a per-application basis, so you choose what you want to protect and you pick it on a per-application basis. Out of the box it's going to do all of those commonly attacked pieces of software that we talked about: it's your Internet Explorer, Microsoft Office, JRE (not the Ask Toolbar), and Adobe Acrobat and Reader. It's regularly updated. EMET 5.1 came out in November of last year; 5.2 is the latest version and came out in March of this year. So Microsoft is actively working on this and improving it. All versions of Windows are supported; up to the 5.x version even XP was supported, and the mitigations are limited on Server 2003, but you're getting rid of that anyway, right? Yeah, of course you are, of course; nobody's gonna have that laying around. And it's not signature based, which is fantastic. I don't know if my little video is gonna work, but golf club, golf club, right? Yeah, so no signatures are a good thing.

So now we're gonna get into each of the specific mitigations that EMET brings to the table. SEHOP, or Structured Exception Handler Overwrite Protection. This is buffer overflow heap protection, so this is watching buffers and making sure that things aren't overflowing a buffer and then executing code. DEP, I've heard this mentioned a few times today, Data Execution Prevention. So it used to be that applications could build in support for DEP; now with EMET, EMET enforces DEP on any application. The application doesn't have to be compiled for it, so that's good, it's application agnostic. It marks the stack and the heap as non-executable, so you're not gonna be able to run shellcode out of the stack, and the attacks are actually blocked at the CPU level, so very, very early on these attacks get blocked. Heap spray allocation: this is essentially preventing an attacker from taking their shellcode and spraying it to multiple locations in memory. That's a common technique because the attacker doesn't necessarily know where their pointer's gonna end up, so they try to put it in as many places in memory as possible, and this particular mitigation prevents them from being able to do that. Mandatory ASLR: ASLR is Address Space Layout Randomization, so again you're randomizing the address space that's allocated to a process, and it makes memory locations less predictable. If memory locations are less predictable, I'm gonna have a harder time getting my exploit code to run. Sorry about time.

EAF and EAF+: they list these as two separate things, but they're really all part of the same family of mitigations. This is Export Address Table access. So what this prevents is the attacker from using internal Windows system calls to actually execute an attack, so system APIs become unavailable to the attacker, which is helpful for a defender because now you're not giving the attacker the tools they need to get their job done. Bottom-up randomization is very similar to ASLR; it just goes the other direction, from the bottom of the stack up, for whatever processes are spinning up. ROP mitigations: ROP is Return Oriented Programming. So again, where you're looking for a pointer to return to a certain spot and execute code. There's a number of mitigations here, but the idea is we're preventing code from being executed from the stack. And some of the ROP mitigations are 32-bit only, so in the modern age of 64-bit systems some of them aren't actually there, not yet anyway; Microsoft is definitely working on that.

ASR, Attack Surface Reduction. So this is a very slick thing. This solves the Java problem. Okay, so what this lets you say is, well, only stuff in my trusted sites can run Java, or only stuff on the internal network can run Java; on the outside world you don't run Java ever, but if you put something in trusted sites that's on the outside world, now it can run Java. So that's your fix for having old, crappy versions of Java laying around that you only need for specific internal applications, which you don't need for anything else. You can also do things like Microsoft Word can't call Adobe Flash. Why would it? You don't need that, right? And they just added support for Visual Basic, so you could say things like Visual Basic scripts only run internally. Very, very helpful feature right there.

Control Flow Guard is a brand new thing. It's in EMET 5.2, and it's a new feature in Visual Studio 2015 that helps prevent code hijacking. The application must be compiled to support it, and it's only supported on Windows 8.1 or higher. And certificate pinning is one of the last ones. So this is the type of thing where you could actually give your EMET clients certificates for essential systems. So the VPN, for example: you actually give it the certificate and say, this is the certificate that you should see when you connect to the VPN; if you don't see that, don't even bother

connecting. And so that helps with man-in-the-middle attacks and that sort of stuff. That's EMET mitigations. That's a lot of technical terms in a short amount of time; anybody have questions? Okay.

So, some downsides. It's not a panacea. It's been bypassed; the 5.0 versions have all been bypassed, the 4.x version has been bypassed. And it doesn't protect everything by default; you actually have to configure it for the things that you want to protect. So it's not a perfect solution; it's a solution to the problem. It requires some heavy pre-deployment testing. Some of the things that you'll see it break are like the Adobe Reader plug-in, certain versions of Adobe Reader that it can break. Java applications not so much, but Adobe Flash occasionally. It's good with Java, it's good with Microsoft Word and Internet Explorer and that kind of stuff. So you just have to do a lot of testing before you go rolling this out to the world.

It has some limited GPO settings. This is better controlled by putting the configuration file out on a file share and then having it so that whenever your machine logs into the network, the first thing it does is go check that file share and see if there's a new XML file sitting out there; if there is, pull it down, if not, just let it go. It's a little bit kludgy from that point of view, but I imagine that Microsoft is working on the group policy side to try to have this be more centrally pushed. And then the other bummer is there's no central reporting. So you either have the option to write to the event log or display to the user, hey, you almost got popped, and that's not super helpful. You'd like to have that end up in a central repository somewhere. If you had something running on the endpoint that's doing log collection and forwarding, it does go to the event log; you can look for that specific event log and then collect it that way.

Some deployment targets: obviously your end user workstations, but then think about things like Citrix servers, which are essentially end user workstations; point of sale systems; ATMs; any server that acts as a jump server or a bastion host, something that people may occasionally fire up Internet Explorer on (even though it's a server, they'll do it if they can); other high value servers, but not domain controllers. Microsoft highly recommends against deploying EMET on domain controllers, just because there's a lot of things going on in there, and you shouldn't be surfing the internet from a domain controller anyway, right? Let's hope, anyway.

Okay, I think there's gonna be some time for a demo, so let's do it. The setup is

two virtual machines, one jerk; figure out who the jerk is. The first VM will be the IBUB, the Intentionally Broken and Unpatched Box. It's a Windows 7 64-bit machine missing MS14-064 and a whole pile of other patches, but that's the one that we're actually gonna be testing. It has an ancient version of Java on there, circa 2011, prehistoric Adobe Reader 8.1 from many, many moons ago, the user's running as local admin, and we've disabled antivirus. This is your nightmare box, right? You don't ever want to see this thing on your network; you don't want to be anywhere near it. And then the second VM is just the latest Kali Linux running Metasploit.

So the plan: we'll do before and after photos. We'll own the IBUB via known exploits, then we'll install EMET on the Windows box and attempt to re-own it. Okay, wish me luck, it's demo time. That's a fine question, sir; that's the question every year. All right, let me just set up Metasploit here.

See, you can see that Windows is so upset about life. He's like, you might want to do something about your antivirus. I can show you that there's no patches installed here, but I promise you it's true. Okay, so this first one, this is the MS14-064 OLE code execution. This is a very reliable exploit; works like a champ every time. They have modules in there for PowerPoint and for Internet Explorer, and the PowerPoint one was interesting: whenever they released the MS14-064 patch, Microsoft actually included a code snippet in the bulletin that says, hey, if you're running EMET, here's what you can do in the meantime to protect yourself. So that's very helpful.

Okay, so we are now running our nasty server. We don't care about Google. Let's do ten. Okay, so this is my evil box. Oh yeah, my box wants to run PowerShell; yes, all day, every day, please. And there, Meterpreter session one. Can you guys see that? So there we go, that means that we essentially have a shell on the IBUB, which was expected. So let's do our Java exploit, another extremely reliable exploit in Metasploit for Java. This will work every single time against ancient versions of Java like the one that I'm running here and the one that everybody's running in their environment. Let's go to port 8080. Hmm, it's doing something, wheels are spinning, that's weird. Oh no, Meterpreter session two open, not good. So as expected, we popped the box.

And now I'm just gonna set up a Meterpreter handler for the third one. So that's two web-based, kind of drive-by web type attacks that you'd see in the world. This one is kind of a demo of phishing land, where the user gets a PDF that says, hey man, I'm completely not evil, and so they just double-click the heck out of it and it does some things. Yeah, save that, yeah, I love it. Oh yes, let's see. You can't see the error message; it's a very funny error message. It's like, to view the encrypted content please click "do not show this message again". Hey, I should do that, but I'm just going to open it up. That's a weird PDF; it doesn't really look like anything. Oh no, Meterpreter session three. Okay, so there's your IBUB. That's what it looks like. This guy can be compromised all kinds of different ways.

So let's install EMET and see what happens. It's just your typical MSI, nothing special. We'll do all the defaults; we're not going to do any customization whatsoever; we're going to do out of the box. How does it look?

Not signed, I guess. That's unfortunate.

So they will support you if you're running EMET, as far as deployment, like how to do it. Yeah, I mean, for their own stuff it's actually pretty lightweight. I haven't seen any problems with things like Internet Explorer, and any of the Microsoft applications seem to behave okay with it. It's whenever you start getting into, if you want to protect other plug-ins and that kind of stuff, and if there was a third party, Microsoft's not going to give you a ton of support on it. So it's really, you kind of have to just play around with it yourself.

We have not. I'll repeat the question: has anybody running EMET had to contact Microsoft about an issue that was due to EMET? Any issues?

Yeah, yeah, exactly. All right, let me try to bring up the console here. Let's see if this is going to be friendly enough.

Okay, that gives you an idea. So you can actually go in here and look at the applications themselves, and each one of these columns is a different family of mitigations. Okay, so you can see Acrobat, AcroRead; these are all the defined applications that we're protecting, and then the various mitigations that are being applied to those applications. And if you look at Show Full Path, you actually have to define where the application's running out of. But the cool thing is that you can use wildcards, so it doesn't have to be a perfect path every time. The one that's a real pain in the butt on this particular thing is Adobe Flash, because each version of Flash goes into a new directory structure, and it just makes setting this up a little difficult. The good thing is once you have it set up, you can just export right here, and it'll export the XML file, and that's the XML config file that you put up on the file share that you have all your clients go grab. And then any time you make a change to your protections, you export the XML and put it back out on that file share. Cool. Any other questions?

Okay, well, let's go back through our same attack scenarios. We'll do the same three: two browsers and then our wonderful, completely not evil PDF.

Okay, evil has been launched.

Okay, I'm gonna do this guy and let's see what happens. Now Metasploit is seeing the request, but nothing's happening here. So just make sure. Hello, hello. Now Metasploit's seen the actual request coming in, but it can't do anything there. So okay, that's a win for that one. I didn't turn on, you actually have to turn logging on right after install, and I didn't do that, I apologize. You actually have to turn on the warning, and I didn't do that. I'm sorry, I should have done that. Just so everybody knows, it ends up in the Application log when you do turn the logging on.

Let's see, ten. Okay, let's go to our Java URL. Okay, oh, I should probably actually have Metasploit set up to launch the Java exploit. Apologies, folks.

Okay, we're running 8080. Here we go. He sees the request, but nothing happens. It actually generates the JAR file that would be evil, and that's it; Metasploit can't take it any further. So there we go, two of three attack vectors have been protected, and again, we're not running antivirus or anything else. The only thing protecting our butts right now is EMET. All right, last one.

So this is our completely not evil PDF. We have a listener, and let's run the completely not evil PDF. No Java, I don't want the Ask Toolbar today. Okay, so something's happening. Okay, all right, fine, save, yes. I just want free Wi-Fi, just let me click everything. Yes, open. Oh no. Oh, so we got a shell on the box even though we're running EMET. It is unfortunate, but again, not a panacea.

So let's go through the effectiveness summary. With Java, fully effective across all versions. I tested this on Java 1.5, 1.6, 1.7; obviously we just did, works like a champ. None of the applications broke, because again you can whitelist applications, no

problem, you're allowed to use Java, and just block everything else. Super effective against Java. Now for CVE-2014-6332, fully effective against this. The exploit was blocked against both Internet Explorer and PowerPoint in my testing, and this is actually an improvement. When I tested this against EMET 5.1, I was able to get the IE exploit to work while PowerPoint was being blocked. So now in 5.2 they've made a change, I'm not sure what it is, but it's fully protecting against that type of attack right now, so that's good stuff. For Adobe Reader, partially effective. Versions 10.x were actually protected by EMET, but the older versions, the 8.x and 9.x, I guess it's just too old; there was nothing to be done. So if you're on 10.x, and that's, I think, 2012, 2011, something like that, then you can apply EMET protections and have them work. For Adobe Flash, my testing was inconclusive. I wasn't able to get a reliable Metasploit exploit to actually work against the IBUB. It's because I'm too stupid; I'm sure there's a way to make that work, but I wasn't able to get it to go. It has been tested by FireEye to be effective against Adobe Flash, and again it requires heavy customization due to that directory structure I was talking about, a new directory structure for every version, so it kind of makes the initial config a bit of a pain. So in the end, not bad.

Okay, so the overall summary: EMET is a great way to limit exposure. It's a huge win for the Java problem, and the Java problem, everybody knows about it, everybody hates it. This is a great way to fix that issue. It's not a replacement for application whitelisting; you should definitely look at things like AppLocker, which is also free as in beer, free as in BSides, and worth taking a look at. And an excellent deployment guide from the guys at TrustedSec. This is for EMET 5.1, but it applies to 5.2. Just go out to their website or Google "TrustedSec EMET" and you'll get this document, step by step: here's what you've got to do.

Yeah, yeah, you have to push out the new MSIs. It's easy to do with group policy, to just update it that way. But yeah, there's no auto-update kind of feature built into it.

So the question was, basically, people are bypassing this thing and attackers are constantly figuring out ways around EMET; what does the future hold? And I think Microsoft has shown that they're committed to this product. Since 2009 they've been running this thing, and they're coming out with new versions, it seems, at least every six months. So, I don't work for Microsoft, I can't vouch for them too much, but it does seem like they're making an actual concerted effort to continually improve EMET, and they're taking feedback. I mean, when it gets bypassed, it tends to happen in places like Black Hat, and then the guys from Microsoft go scurrying over and say, how did you do that? What can we do to prevent that? So I think this will be a continued, evolving product, and hopefully they'll just keep making it better. It's pretty good right now. And again, the bad guys are gonna get whoever they can get. If they're super motivated to get you, they're gonna get you one way or another. But this definitely helps against these sorts of wide, mass phishing campaigns, the Dyre campaigns of the world, where they're just spamming everybody and seeing how many clicks they can get. This will definitely protect against that kind of stuff.

Sir?

Awesome, no, that's good. And for those of you who didn't hear that, the idea is that mitigations are tested in EMET and then eventually rolled into the Windows core. So it's kind of their test platform to improve the overall Windows kernel security. It's good stuff. Yes, working on it.

Oh sure, Citrix, yeah, your workstations, oh there it is, point of sale, ATMs if you've got to deal with that kind of stuff, Internet of Things type devices, things running embedded Windows.

Alpha group, yeah. We're starting off with, we actually have a different deployment software, I guess, like a patch packaging software, and the idea would be to push it out that way. But you push it with group policy, just as you, however you push software in your environment.

It puts that XML file in the same location every time, so you can push your initial package out with the XML file that you have at that time, but then set a scheduled task or a login script or something like that to go grab the latest XML file whenever the machine boots up. Anybody else? All right.
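Added example, not part of the talk and not Microsoft's EMET code: the transcript describes exporting the EMET configuration as XML, dropping it on a file share for clients to pull, and using ASR so the Java plug-in only loads for intranet and trusted sites, and the demo shows what happens when event-log reporting is left off. The script below audits such an export before it goes on the share. The sample XML is constructed here and only approximates the EMET 5.x export format; the element and attribute names (`ReportingSettings`, `AppConfig`, `Mitigation`, `asr_modules`, `asr_zones`), the mitigation names in `BASELINE`, and the reading that `asr_zones` lists the zones where the modules are still allowed are assumptions to check against a real export.

```python
"""Audit an exported EMET configuration before pushing it to the file share.

Added example; not part of the talk or of EMET itself. The element and
attribute names below approximate the EMET 5.x XML export and are assumptions.
"""
import xml.etree.ElementTree as ET

# Mitigations every protected application should keep enabled (assumption:
# these strings match the Mitigation/@Name values in an EMET export).
BASELINE = {"DEP", "SEHOP", "HeapSpray", "EAF", "MandatoryASLR", "BottomUpASLR"}

# Java plug-in modules that ASR should keep out of Internet-zone pages.
JAVA_MODULES = {"npjpi*.dll", "jp2iexp.dll"}

# Internet Explorer URL security zones: 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet. Assumption: asr_zones lists the zones where the modules may
# still load, so anything outside this set leaks Java to the outside world.
SAFE_ZONES = {"1", "2"}

# Constructed sample (not a real export). It deliberately has logging off,
# Java allowed in the Internet zone, and Reader missing two mitigations.
SAMPLE_CONFIG = """<EMET Version="5.2">
  <Settings>
    <ReportingSettings EventLog="False" TrayIcon="True" EarlyWarning="False" />
    <SystemSettings DEP="ApplicationOptIn" SEHOP="ApplicationOptOut" ASLR="ApplicationOptIn" />
  </Settings>
  <EMET_Apps>
    <AppConfig Path="*\\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>npjpi*.dll;jp2iexp.dll;vgx.dll</asr_modules>
        <asr_zones>1;2;3</asr_zones>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\\Adobe\\Reader*" Executable="AcroRd32.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""


def audit(xml_text):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    root = ET.fromstring(xml_text)

    # The demo forgot to turn logging on; catch that in the config itself,
    # otherwise blocked exploits never reach the Application log or the SIEM.
    reporting = root.find("Settings/ReportingSettings")
    if reporting is None or reporting.get("EventLog", "").lower() != "true":
        findings.append("event log reporting is disabled; blocks will not reach the SIEM")

    for app in root.iter("AppConfig"):
        exe = app.get("Executable", "?")
        enabled = {m.get("Name") for m in app.findall("Mitigation")
                   if m.get("Enabled", "").lower() == "true"}
        for missing in sorted(BASELINE - enabled):
            findings.append(f"{exe}: mitigation {missing} is not enabled")

        asr = app.find("Mitigation[@Name='ASR']")
        if asr is None:
            continue
        listed = {m.strip().lower() for m in (asr.findtext("asr_modules") or "").split(";")}
        zones = {z.strip() for z in (asr.findtext("asr_zones") or "").split(";")} - {""}
        if not listed & JAVA_MODULES:
            findings.append(f"{exe}: ASR does not list the Java plug-in modules")
        leaked = sorted(zones - SAFE_ZONES)
        if leaked:
            findings.append(f"{exe}: ASR allows its modules in zone(s) {','.join(leaked)}; "
                            "keep Java to intranet/trusted sites only")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["config passes"]:
        print(line)
```

Run it against the file you are about to copy to the share; a non-empty result is a reason not to publish that XML yet. On the constructed sample it reports the disabled event log, the Internet zone (3) left in the Internet Explorer ASR rule, and the two baseline mitigations missing from the Reader entry.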