Microsoft Enhanced Mitigation Experience Toolkit

Has anyone created retrieved properties/relevance for EMET they wouldn’t mind sharing, specifically client configuration and event log scrapes?

I’d love to see tasks / properties / reporting / etc… for EMET, AppLocker, and similar technologies.

I haven’t gone down this path yet, but it is on my list of things to look into.

@nickberger I hope that you can share what you come up with here or on http://bigfix.me/

BUMP … Anyone …?

‘We’ @ Stanford have built content to deploy and configure EMET and are actively rolling this out to departments at the University. It was actually a topic presentation we gave at our Bay Area User meetup; here is the link to that post and presentation:

I have reached out to the 2 presenters and made them aware of this post and hope they can respond to questions.

thanks
Stacy Lee
Security Operations
Stanford University

Hello,

This is Adam from Stanford University. Our log scraping technique is still in its infancy, but we can do it. For client configuration we are using BigFix (BF) to write an XML to the system and then import it with EMET. We have been considering scraping the registry to do a check of how EMET is configured. An easier approach is to write to the registry which version of the configuration was last used on the system and then reference the config locally. Though if you wanted to know what it was actually doing and not what you last configured it to do, I would still scrape the registry.

Feel free to ask more questions and I think my colleague who should be posting on this topic soon is more informed on the code part of this topic.

Very Respectfully,

Adam Todd
Stanford - Information Security Office

We (Stanford) have used BigFix to deploy and report on EMET on many hundreds of nodes so far, with good results. I’d be happy to share relevance and actionscript with people if needed.

Some things to consider during BigFix deployment of EMET:

  • EMET requires .NET Framework (and in fact we’ve recently discovered that, though it claims to work with 4.0, it actually doesn’t detect it properly in all cases), so you’ll want to deploy a recent .NET Framework 4.5.x along with EMET. We combined this functionality in our main deployment task.
  • On BitLocker-encrypted machines you MUST suspend BitLocker before you do your EMET install and change any system-wide DEP settings. If you don’t, you’ll find that BitLocker requires a recovery key on reboot. Don’t forget to un-suspend it after the reboot (on pre-Win8 systems that don’t do it automatically).
  • A huge part of a successful EMET deployment is the tuning of the configuration XML file used to control what mitigations apply to applications. Don’t just accept Microsoft’s template XMLs - do your testing in your own environment, with your own unique set of plug-ins and support software, on every OS platform and bit depth that you have.
  • BigFix makes it easy to deploy updated XML configurations. In highly heterogeneous environments like ours, it can be helpful to design in a protocol for deploying and applying per-department configuration customizations.

When time permits in the near future, I’ll post some code to http://bigfix.me/ for our deployment and our reporting.

Stacy / Jeremy / Adam, very informative, thanks!
What I would love to see, if possible, are the reporting elements, specifically DEP/Pinning and/or the custom security settings visible through the UI.
Most events are written to event log, so scraping key events to assist local IT troubleshooting is my main focus.

I have created some basic relevance -

// Applications configured in EMET (keys under the EMET registry key, excluding the "_settings" key)
q: concatenation "||" of names of keys whose (name of it does not start with "_settings") of key "HKLM\Software\Microsoft\EMET" of native registry

// Version of EMET (taken from the running agent process; "N/A" if the agent is not running)
q: if exists running application "EMET_Agent.exe" then version of running application "EMET_Agent.exe" as string else "N/A"

Anything you would care to share would be appreciated.

Please do share any relevance, actionscript, analyses you can through here or through http://bigfix.me/

It would be greatly appreciated.

I’ve posted a couple of bits of relevance to bigfix.me, and I spent a bit of time looking at ways to report on the individual settings via a single relevance phrase usable in an analysis. Unfortunately, due to the way EMET stores settings, it doesn’t appear to be possible to use a single relevance expression to report both the NAME of the process and the SETTINGS applied to it. Instead, I suspect we’ll end up making a simple script to run periodically on managed systems to pull the settings and reconcile them, then output a simple text file that can be pulled by an analysis.

1 Like
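As an added example (not Stanford's code and not anything posted in this thread), here is a Python sketch of the periodic reconciliation script described in the post above, which also covers the earlier suggestion of recording which configuration version was last applied: it parses the configuration BigFix deployed and the configuration the endpoint actually has, flattens the endpoint's settings to one line per setting (so an analysis can read them back with `lines of file`), and appends a `drift|` line for every difference. The XML layout it expects (`EMET`/`Settings`/`SystemSettings` and `EMET_Apps`/`AppConfig`/`Mitigation`) is an assumption modelled on EMET 4.x export files, so check it against an `EMET_Conf.exe --export` from your own version; both sample configurations are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the configuration BigFix deploys (assumed EMET 4.x layout).
EXPECTED_XML = r"""<EMET Version="EMET 4.1">
  <Settings>
    <ExploitAction Value="StopProgram" />
    <SystemSettings DEP="ApplicationOptIn" SEHOP="ApplicationOptOut" ASLR="ApplicationOptIn" Pinning="Enabled" />
  </Settings>
  <EMET_Apps>
    <AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
    </AppConfig>
    <AppConfig Path="*\Java\jre*\bin" Executable="java.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>"""

# Constructed sample of what the endpoint actually exports: someone switched EAF
# off for Internet Explorer and the java.exe entry is missing altogether.
ACTUAL_XML = r"""<EMET Version="EMET 4.1">
  <Settings>
    <SystemSettings DEP="ApplicationOptIn" SEHOP="ApplicationOptOut" ASLR="ApplicationOptIn" Pinning="Enabled" />
  </Settings>
  <EMET_Apps>
    <AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>"""


def parse_config(xml_text):
    """Parse an EMET-style XML into {'version', 'system': {...}, 'apps': {path\exe: {mitigation: bool}}}."""
    root = ET.fromstring(xml_text)
    cfg = {"version": root.get("Version", "unknown"), "system": {}, "apps": {}}
    system = root.find("Settings/SystemSettings")
    if system is not None:
        cfg["system"] = dict(system.attrib)
    for app in root.findall("EMET_Apps/AppConfig"):
        key = app.get("Path", "") + "\\" + app.get("Executable", "")
        cfg["apps"][key] = {
            m.get("Name"): m.get("Enabled", "").lower() == "true"
            for m in app.findall("Mitigation")
        }
    return cfg


def _state(value):
    """Render a mitigation flag for the report; None means the entry is absent."""
    if value is None:
        return "missing"
    return "on" if value else "off"


def flatten(cfg):
    """One setting per line; pipe-separated so relevance can split it with 'tuple string item'."""
    lines = [f"version|{cfg['version']}"]
    for name, value in sorted(cfg["system"].items()):
        lines.append(f"system|{name}={value}")
    for app, mitigations in sorted(cfg["apps"].items()):
        for name, enabled in sorted(mitigations.items()):
            lines.append(f"app|{app}|{name}={_state(enabled)}")
    return lines


def reconcile(expected, actual):
    """Return one human-readable finding per difference between deployed and actual config."""
    findings = []
    if expected["version"] != actual["version"]:
        findings.append(f"version: expected {expected['version']}, actual {actual['version']}")
    for name, value in expected["system"].items():
        if actual["system"].get(name) != value:
            findings.append(f"system {name}: expected {value}, actual {actual['system'].get(name, 'missing')}")
    for app, mitigations in expected["apps"].items():
        actual_mits = actual["apps"].get(app)
        if actual_mits is None:
            findings.append(f"app {app}: missing from endpoint configuration")
            continue
        for name, enabled in mitigations.items():
            if actual_mits.get(name) != enabled:
                findings.append(f"app {app}: {name} expected {_state(enabled)}, actual {_state(actual_mits.get(name))}")
    for app in actual["apps"]:
        if app not in expected["apps"]:
            findings.append(f"app {app}: present on endpoint but not in deployed configuration")
    return findings


def build_report(expected_xml, actual_xml):
    """Lines for the text file an analysis picks up: actual settings first, then drift findings."""
    expected, actual = parse_config(expected_xml), parse_config(actual_xml)
    return flatten(actual) + [f"drift|{f}" for f in reconcile(expected, actual)]


if __name__ == "__main__":
    # On a managed endpoint the second argument would come from `EMET_Conf.exe --export`
    # and the result would be written to a known path for the analysis to read.
    print("\n".join(build_report(EXPECTED_XML, ACTUAL_XML)))
```

Running it prints the endpoint's flattened settings followed by two `drift|` lines, one for the EAF change on iexplore.exe and one for the missing java.exe entry; a property such as `lines whose (it starts with "drift|") of file "<report path>"` then surfaces only the endpoints that have wandered from the deployed configuration.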