So I frequently get customers that ask how do I know what EMET is actually doing out there. Unfortunately like a number of our products EMET is basically the client. We do have GPO’s to manage it but there is no included System Center reporting console or the like.
If your organization is fortunate enough to have some type of SIEM / SCOM etc that has agents on all clients then you can use that to gather the appropriate source EMET Event ID 1,2 (Maybe 42 for SSL Pinning) events from the Application Event Log to determine when mitigations are being triggered in your environment. More commonly I see customers that either don’t have a SIEM or if they do have one they rarely put the agent across all of their desktops.
In the scenario with no agents on the clients then typically what we see and recommend is the use of Windows Event Forwarding to centralize the events of interest. In some cases forwarding is used to drop them all in a centralized location then you utilize the SIEM agent on that central location and just consume the specific events from that central location and this tends to work out well in many environments.
For the customers that don’t have a SIEM or would just like to have some tools to help with piloting/deployment etc I present the following set of scripts/solution:
The basic premise of the solution looks like this (sorry my visio skills= bad )
- GPO tells client to talk to WEF Subscription Server WEFSERVER1
- Client contacts WEFSERVER1 for subscription which says to send EMET 1,2
- Client subsequently forwards EMET Event ID 1,2 any time they occur
- Script EMETReporting.ps1 on the WEF server triggers anytime new event comes in and parses out interesting data fields to a c:\emet\emet.csv file
- PowerBI Desktop dashboard file consumes emet.csv and shows visualizations of the data
- Optional you put that PowerBI file up in the PowerBI service and use the PowerBI Personal Data Gateway client to sync it to the cloud and get a web based dashboard that also has IOS/Android/Windows apps available to it.
I’ve placed all the files at https://github.com/kurtfalde/EMET-Reporting except for an event log watcher module from http://pseventlogwatcher.codeplex.com/ which you will also need. Start off by downloading the entire contents of both locations and place them in a c:\EMET folder on the server which you are planning to utilize for a WEF (Windows Event Forwarding) Subscription Server.
Once copied there you should have a folder that pretty much has the following content
The first thing to run is the EMETWEFServerSetup.ps1 script as this will configure the following:
- Set WinRM service to start automatically
- Run WinRM quickconfig to ensure that WinRM is listening and the correct firewall inbound rules are enabled
- Increases the size of the Forwarded Events log to 500Mb
- Runs wecutl qc –quiet to configure the Windows Event Collection service to be able to create/manage WEF Subscriptions
- Imports a preconfigured EMETSubscription.xml that collects EMET Event ID 1,2 for “Domain Computers”
- Imports and creates a Task Scheduler item that runs the EMETReporting.ps1 script in the background anytime the computer restarts
(FYI you may need to right click and “unblock” the .ps1 and .psm1 files as PS execution policies don’t like running things from the Internet)
Once you run the EMETWEFServerSetup.ps1 script spot check and verify that the task scheduler item is in place and that the Event Subscription is in place.
EMET Parsing Task (In Task Scheduler)
EMET Audit Events (In Event Viewer)
Go ahead and start the task scheduler item so the script registers that it’s watching for events incoming and parsing them. It should restart automatically if you reboot the system at any point.
At this point we need to ensure clients are talking to this server which we will do via a GPO. Create or modify an existing GPO that is assigned to your EMET clients and configure the Policy>Computer Configuration>Administrative Templates>Windows Components>Event Forwarding>Target Subscription Manager setting to point to the WEF server you just configured.
Once this has been completed test some clients to ensure they picked up the setting and are talking to the WEF server and pulling the subscription properly. After running a GPupdate on the clients the best place to look is in Event Viewer>Applications and Services Logs>Microsoft>Windows>Eventlog-ForwardingPlugin>Operational Event log. A good event is 100 which says that the Subscription EMET Audit Events was created successfully (if you have others you are probably going to have to do some troubleshooting if you have nothing make sure you have the WinRM service set to automatic on your clients). Event should look like this.
You can also check the subscription on the WEF server and look at how many clients it has in the Event Viewer as well.
At this point if everything is working properly you should hopefully see that the script begins parsing events as they come in. The subscription is set to gather an existing EMET Event ID 1,2 on the clients event logs so if you have had any triggering that hasn’t rolled off your application event logs you may well start getting data immediately. If not you could always test by loading Java in IE and testing the ASR mitigation by browsing to a site that attempts to load Java.
Provided all of the other items worked properly and a EMET.csv is now being created in the c:\emet\emet.csv you can now open that with the included PowerBI Desktop Dashboard file. You will need to download and install the PowerBI Desktop Client from https://powerbi.microsoft.com/en-us/desktop (it’s free), once installed open the “EMET Dashboard.pbix” file in the c:\emet folder. It will initially have junk test lab data in it and not your environment yet, you wan to click the ‘Refresh’ button at the top which will cause it to import the c:\emet\emet.csv file and display actual data from your environment.
You can either just use this as a local dashboard or if you want to put it in the cloud/sync it then consider using the PowerBI service (can either be purchased individually or part of o365 subscriptions) to host this. I’m not going to go through the steps for this here but you can basically import the .pbix file to PowerBI, download the PowerBI Personal Gateway Client and configure it on the server and then set your data model that you uploaded to sync automatically through the client. This in turn will give you a web based dashboard which also has IOS/Android/Windows apps available to it.
Hopefully some of you take the time and try this out I would really appreciate feedback. Thanks