Kieran Jacobsen

Kieran Jacobsen

He/Him. Microsoft MVP and GitKraken Ambassador. 🌏 Poshsecurity.com. 🏳‍🌈 Gay. 🐱 Cat owner.

Enhanced Mitigation Experience Toolkit (EMET) V2 Config script

Kieran Jacobsen
PowerShell

I was asked how I managed my Microsoft Enhanced Mitigation Experience Toolkit (EMET) V2.1 deployment, its not very important now as V3 is so much easier to manage.

Code contained in this post isn't pretty, there is a long story behind why this script is so bad, and why it is no where near the quality of my code that I write these days. Whilst I am embarrassed by this codes quality, people need ideas for managing EMET v2, whilst 3 is now out, I still wanted this code to be out there for people to use.

There are two things you need to realise when configuring EMET, is that applications are stored in different spot depending on if they are on a 32bit or 64bit machine.

In the script  there is a function which has two parameters, it will then try and configure a small list of apps. For a 32bit workstation, send that function c:\windows\system32 and c:\Program Files, but for a 64bit machine, send it those 32bit locations and c:\windows\syswow64 and c:\program files (x86). In that function you place lines calling emet_conf.exe sending it a parameter to the path of the executable you want to protect.

The main core code of the script is pretty simple. First we determine where EMET is installed to, we CD to its directory, we then delete any current configuration that might exist within EMET.

Next we will configure the system protection levels to be:

 

  • DEP = ApplicationOptOut
  • SEHOP = ApplicationOptOut
  • ASLR = ApplicationOptIN

These were the settings we found worked best in our environment, but there is documentation from Microsoft on what you can set these to.

Continuing on with the script, Media Centre gains some protection, its always installed to the same place.

We then configure EMET for known apps in c:\windows\system32 and c:\program files

If the system is 64bit, we will then configure EMET for known apps in c:\windows\syswow64 and c:\program files (x86).

The function configure-apps simply contains lines calling emet_conf.exe, here are some examples:

Services and Microsoft Apps:

3rd Party apps

Office

As you can see, its all rather simple.

So there you have it, one of my quick and dirty scripts to configure EMET V2 (and it will work on 3 but you should switch to group policy or the profile xml files).

Accessing the Internet from PowerShell: Getting Page Content

PowerShell PowerTools

Related Posts