09/07/15. Version 0.1
In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent lines of Windows operating systems. It adds Integrity Levels(IL)-based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set to files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.
MicEnum is a simple graphical tool that:
- Enumerates the Integrity Levels of the objects (files and folders) in the hard disks.
- Enumerates the Integrity Levels in the registry.
- Helps to detect anomalies in them by spotting different integrity levels.
- Allows to store and restore this information in an XML file so it may be used for forensic purposes.
How does the tool work?
The only way by now, to show or set Integrity Levels in Windows is by using icacls.exe, a command line tool. There is no easy or standard way to detect changes or anomalies. As in NTFS, an attacker may have changed Integrity Levels of a file in a system to elevate privileges or leverage another attack, so, watching this kind of movements and anomalies is important for forensics or preventive actions.
The tool represents files and folders in a tree style. The integrity level of files and folders is shown in a column next to them. By scanning a folder, the tool will check all integrity levels and, if any of them does not match with its parent, it will expand it. If you have expanded some folders and want to group back the ones that are known to be the same, just use the checkbox at the bottom. It will hide the folders that are supposed to share same integrity level.
For setting new integrity levels, just use contextual menu again and set the desired level. Do not change them if you do not know what you are doing. You may need administrator privileges to achieve the change.
For forensics purposes, the whole “session” or information about the integrity levels may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing, and there is no chance to set new values, of course, since you are not using your “live” hard disk.
This all applies to registry branches as well, in its correspondent tab.
MicEnum is inspired in AccessEnum, a classical tool by Sysinternals that enumerates NTFS permissions and helps detecting anomalies.