May 13, 2013

EMET 4.0 - Tutorial and Overview

Written by David Kennedy
Penetration Testing Security Testing & Analysis
Microsoft's free tool for combating zero days and exploits is about to get a major release next week. Currently the Enhanced Mitigation Experience Toolkit (EMET) version 4.0 is in BETA. For those that are using a Microsoft environment and not deploying EMET, you are seriously missing out. EMET is one of those tools that makes a significant jump in the protection of your systems. EMET is designed to prevent known and unknown exploits by blocking traditional exploitation methods. EMET has the following protection mechanisms built into it:

- Data Execution Prevention (DEP)
- Structured Exception Handler Overwrite Protection (SEHOP)
- Address Space Layout Randomization (ASLR)
- Certificate Trust (Pinning)

In addition to these features, 4.0 adds new mitigations that block the return oriented programming (ROP) techniques used to bypass EMET. EMET 3.5 only hooked kernel32!VirtualAlloc; with 4.0 the hooks are much lower, for example kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. For ROP mitigations, here are the methods of protection:

- Load Library checks - monitors LoadLibrary and prevents loading libraries from a UNC path.
- Memory protection checks - disallows making the stack area executable.
- Caller checks - when a critical function is reached, checks whether it was reached through a CALL instruction rather than a RET. When building a ROP chain, you string gadgets together through returns until you eventually have a way to circumvent data execution prevention.
- Simulate execution flow - tries to detect ROP gadgets following a call to a critical function.
- Stack pivot - checks to see if the stack has been pivoted.
- Deep hooks - protection of critical APIs and of the lower level APIs used by top level critical APIs.
- Anti Detours - common shellcode techniques for evading hooks by executing a copy of the hooked function and then jumping into the function past the prologue will not work properly.
- Banned functions - additional APIs will be detected and blocked.
Essentially, most public exploits that are released, whether for patched bugs or zero days, would have a tough time with these protection mechanisms. That is not to say there aren't ways to bypass this; however, it is extremely difficult if configured properly. Our recommendation is to deploy EMET to at least all of your server population and, if you have the ability, to workstations and laptops as well. With EMET 4.0, you now have group policy management and centralization, so you can make changes to EMET on a wider scale. Now the next time that pesky Java zero day comes out (unless it's a sandbox escape rather than a traditional exploit method), you have something that can protect you out of the box without any changes. If you want to install this on a machine, download the MSI from here (BETA release, careful):

Next, once installed, go to the start menu and start EMET. You should see something like this (not exact configurations yet):
Next, click on the Configure System button, open the drop down and select Maximum Security Settings (recommended).
This will require you to do a reboot. Don't do this yet. Open up a command prompt window as an administrator and navigate to C:\Program Files (x86)\EMET 4.0 (BETA). Next we need to configure protection profiles. They ship with a few default ones; we prefer to use "Recommended Software", which contains common applications such as IE, Office, Adobe, Java, etc. Note that you will need to configure EMET to include all executables and applications based on your desired configuration. The XML files are easy to edit and to add additional applications to. I prefer to use the XML, especially in a standard build to deploy to other machines. Enter the below command to import the configuration profile.
Next, restart. There are additional configuration options around reporting and advanced protection that you can configure, for example below:
These are located under Applications, Advanced, and provide advanced mitigation control for stopping the application under certain conditions. Lastly, there are ways to manage EMET through group policy. Under the installation folder, in the EMET 4.0 directory (Deployment\Group Policy Files), are EMET.admx and EMET.adml. Copy these files to the Windows\PolicyDefinitions and Windows\PolicyDefinitions\en-US folders and you have the ability to manage EMET through group policy. Overall, this is a MUST have for IT and security minded people alike. Great progress from the Microsoft front, and something we heavily recommend deploying at TrustedSec.

Supported Operating Systems:

- Windows XP Service Pack 3 and above
- Windows Vista Service Pack 1 and above
- Windows 7 all Service Packs
- Windows 8
- Windows Server 2003 Service Pack 1 and above
- Windows Server 2008 all Service Packs
- Windows Server 2008 R2 all Service Packs
- Windows Server 2012
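The profile import and Group Policy template steps above, scripted for a standard build, as an added example that is not part of the original post or of EMET itself. It assumes the EMET 4.0 BETA install directory named in the post, that the profile lives at Deployment\Protection Profiles\Recommended Software.xml, and that EMET_Conf.exe accepts --import and --list switches.

```powershell
# Added example (not from the post): import the "Recommended Software"
# profile and stage the ADMX/ADML templates for Group Policy.
# Run from an elevated PowerShell prompt; reboot afterwards as the post says.
$emetDir    = "C:\Program Files (x86)\EMET 4.0 (BETA)"      # from the post
$emetConf   = Join-Path $emetDir "EMET_Conf.exe"              # assumed CLI name
$profileXml = Join-Path $emetDir "Deployment\Protection Profiles\Recommended Software.xml"  # assumed path
$gpoDir     = Join-Path $emetDir "Deployment\Group Policy Files"                           # from the post
$polDefs    = Join-Path $env:SystemRoot "PolicyDefinitions"

# EMET_Conf writes machine-wide settings, so refuse to run unelevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated prompt."
}

foreach ($required in @($emetConf, $profileXml, (Join-Path $gpoDir "EMET.admx"), (Join-Path $gpoDir "EMET.adml"))) {
    if (-not (Test-Path $required)) { throw "Missing file: $required" }
}

# Import the per-application mitigations listed in the profile XML.
& $emetConf --import $profileXml
if ($LASTEXITCODE -ne 0) { throw "Profile import failed (exit code $LASTEXITCODE)" }

# Stage the Group Policy templates: ADMX in PolicyDefinitions, ADML in the en-US subfolder.
New-Item -ItemType Directory -Path (Join-Path $polDefs "en-US") -Force | Out-Null
Copy-Item (Join-Path $gpoDir "EMET.admx") $polDefs -Force
Copy-Item (Join-Path $gpoDir "EMET.adml") (Join-Path $polDefs "en-US") -Force

# Show the protected applications so the import can be checked before the reboot.
& $emetConf --list
```

Review the --list output against the applications you expect to be covered; anything in your build that is not listed still needs an entry in the profile XML.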