MicEnum is a graphical tool that enumerates the Integrity Levels of the objects on the hard disks, helps to detect anomalies, and allows this information to be stored in and restored from an XML file.

Tool description

In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent lines of Windows operating systems. It adds isolation based on Integrity Levels (IL) to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.

MicEnum is a simple graphical tool that:

- Enumerates the Integrity Levels of the objects (files and folders) in the hard disks.
- Enumerates the Integrity Levels in the registry.
- Helps to detect anomalies in them by spotting different integrity levels.
- Allows this information to be stored in and restored from an XML file so it may be used for forensic purposes.

Functionalities

Currently, the only way to show or set Integrity Levels in Windows is icacls.exe, a command-line tool. There is no easy or standard way to detect changes or anomalies. As with NTFS permissions, an attacker may have changed the Integrity Level of a file on a system to elevate privileges or to support another attack, so watching for this kind of change and anomaly is important for forensics and preventive action.

The tool represents files and folders in a tree. The integrity level of each file and folder is shown in a column next to it. When scanning a folder, the tool checks all integrity levels and, if any of them does not match that of its parent, expands it. If you have expanded some folders and want to group back the ones that are known to be the same, just use the checkbox at the bottom. It will hide the folders that are supposed to share the same integrity level.
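The parent-versus-child comparison described above can be reproduced from icacls output. The following is an added example, not MicEnum's own code: it assumes English-locale icacls text captured once per object, and the function names and the C:\Data tree are hypothetical sample data.

```python
import re
from pathlib import PureWindowsPath

# An explicit label appears in icacls output as, for example:
#   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
LABEL_RE = re.compile(r"Mandatory Label\\(.+?) Mandatory Level:")
DEFAULT_LEVEL = "Medium"  # Windows treats objects without an explicit label as Medium


def integrity_level(icacls_output):
    """Return the integrity level named in one object's icacls output."""
    match = LABEL_RE.search(icacls_output)
    return match.group(1) if match else DEFAULT_LEVEL


def find_anomalies(output_by_path):
    """Return (path, level, parent_level) for objects that differ from their parent."""
    levels = {PureWindowsPath(p): integrity_level(o) for p, o in output_by_path.items()}
    anomalies = []
    for path, level in sorted(levels.items()):
        parent_level = levels.get(path.parent)  # None for the scan root
        if parent_level is not None and path.parent != path and level != parent_level:
            anomalies.append((str(path), level, parent_level))
    return anomalies


def sample_output(path, label=None):
    """Build constructed icacls-style output for one object (sample data only)."""
    text = f"{path} BUILTIN\\Administrators:(F)\n"
    if label:
        text += f"    Mandatory Label\\{label} Mandatory Level:(NW)\n"
    return text


# Constructed scan of a hypothetical C:\Data tree: path -> explicit label (None = unlabeled).
SAMPLE = {p: sample_output(p, l) for p, l in [
    (r"C:\Data", None),
    (r"C:\Data\cache", "Low"),
    (r"C:\Data\cache\tmp.bin", "Low"),
    (r"C:\Data\reports", None),
    (r"C:\Data\reports\q1.xlsx", None),
    (r"C:\Data\tools", "Medium"),
    (r"C:\Data\tools\helper.exe", "High"),
]}

if __name__ == "__main__":
    for path, level, parent_level in find_anomalies(SAMPLE):
        print(f"{path}: {level} (parent is {parent_level})")
```

An unlabeled folder and one explicitly labeled Medium compare as equal here, so only the Low cache folder and the High executable are reported.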

To set a new integrity level, use the contextual menu and choose the desired level. Do not change integrity levels if you do not know what you are doing. You may need administrator privileges to make the change.

For forensic purposes, the whole “session”, that is, the information about the integrity levels, may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing and there is no option to set new values, of course, since you are not using your “live” hard disk.

All of this applies to registry branches as well, in the corresponding tab.

MicEnum is inspired by AccessEnum, a classic Sysinternals tool that enumerates NTFS permissions and helps to detect anomalies.