Infiltrate Security Conference OPEN CFP


Defeating Device Guard with Microsoft's Implant Since Windows 2000

Penetration Testing

Windows 10 and Server 2016 immediately provide defensive technologies that can be used to secure endpoints within your domain. Both operating systems allow administrators granular control over how to best administer and defend their network, and in the opinion of this speaker, one of the best new defensive technologies provided by these operating systems is Device Guard. Device Guard is Microsoft's latest defensive addition that allows administrators to defend their domain against malware. Device Guard enables administrators to customize how, and if, applications are allowed to run on systems within their domain. This can be based on file name, hash, PCA certificate, or more. I will talk about Device Guard, how it is used, and show how administrators deploy it.

This talk also wouldn't be complete without looking at these same technologies from an attacker's perspective! I've been analyzing Device Guard configurations based on how we can expect them to be deployed in the field, and have developed a tool that can not only help attackers in today's Windows 7 environments, but also in the Server 2016 and Windows 10 domains of the future. Developing a multifaceted tool in PowerShell was critical because I wanted maximum functionality, flexibility, and impact. This talk will showcase how an attacker can use this tool to live off the land and attack Device Guard-protected systems using built-in operating system "features".
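The abstract says the talk will show how administrators deploy Device Guard and what the file name, hash and PCA certificate rules look like in practice. The block below is an added example, not the speaker's tool and not text from the talk: it walks through the administrator-side workflow with the ConfigCI cmdlets that ship with Windows 10 and Server 2016 (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy), and ends with the check an attacker or an administrator would run on a protected host to see what the policy does to PowerShell. The C:\CI paths, the golden-image scan path and the function names are assumptions.

```powershell
# Added example (not the speaker's tool, not Microsoft documentation text).
# Assumes a clean "golden image" host to scan and a writable C:\CI folder.
Import-Module ConfigCI

$PolicyXml = 'C:\CI\DeviceGuardPolicy.xml'   # assumed path
$PolicyBin = 'C:\CI\SIPolicy.p7b'            # assumed path

function New-DeviceGuardPolicy {
    param(
        [string]$ScanPath = 'C:\',          # assumed: scan the whole golden image
        [string]$XmlPath  = $PolicyXml
    )
    # Build an allow list from the scanned image.
    #   -Level PcaCertificate : trust anything chaining to the signer's issuing CA
    #   -Fallback Hash        : unsigned files get a per-file hash rule instead
    #   -UserPEs              : include user-mode binaries, not only kernel drivers
    New-CIPolicy -Level PcaCertificate -Fallback Hash -ScanPath $ScanPath `
                 -UserPEs -FilePath $XmlPath

    # Rule options are numeric.
    #   0 = Enabled:UMCI (user-mode code integrity; this is what restricts PowerShell)
    #   3 = Enabled:Audit Mode (log what would be blocked, block nothing yet)
    Set-RuleOption -FilePath $XmlPath -Option 0
    Set-RuleOption -FilePath $XmlPath -Option 3
}

function Publish-DeviceGuardPolicy {
    param(
        [string]$XmlPath = $PolicyXml,
        [string]$BinPath = $PolicyBin,
        [switch]$Enforce
    )
    if ($Enforce) {
        # Removing option 3 turns the audit policy into an enforced policy.
        Set-RuleOption -FilePath $XmlPath -Option 3 -Delete
    }
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    # Single-policy format: Code Integrity loads the binary from this fixed path at boot.
    Copy-Item $BinPath "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
}

function Test-DeviceGuardEffect {
    # Run this on a host after reboot with the policy enforced. With UMCI enforced,
    # PowerShell drops into ConstrainedLanguage: New-Object on arbitrary .NET types
    # fails, while ordinary cmdlets keep working. Returns an object so the result
    # can be logged or compared across hosts.
    $dotNetAllowed = $true
    try { $null = New-Object System.Net.WebClient } catch { $dotNetAllowed = $false }
    [pscustomobject]@{
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode
        NewObjectWorks = $dotNetAllowed
        CmdletsWork    = $null -ne (Get-Process -Id $PID)
    }
}

New-DeviceGuardPolicy
Publish-DeviceGuardPolicy            # deploy in audit mode first and review the
                                     # CodeIntegrity operational event log
# Publish-DeviceGuardPolicy -Enforce # then switch to enforcement
Test-DeviceGuardEffect
```

Deploy in audit mode first: a policy built at PcaCertificate level with a hash fallback is only as complete as the image it was scanned from, and anything the scan missed is logged in audit mode but blocked once enforced. On an enforced host Test-DeviceGuardEffect should report LanguageMode = ConstrainedLanguage and NewObjectWorks = False, which is the environment the attacker-side part of the talk has to operate in.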

Rated 6 - 25 reviewers



yeeeeeeeeee :-)


Can't wait for this!


Can't wait for this!


My understanding is that Device Guard places PowerShell into constrained language mode. Is your PowerShell tool affected by it? Will you be discussing public bypasses or have you developed your own? It's not clear in the synopsis.


Device Guard does place PowerShell into constrained language mode. I'll discuss how I built the capabilities of a RAT leveraging built-in Windows "functionality" in a manner that completely works in constrained language mode. I'll talk about data storage, the C2 channel, and the mechanism for triggering actions on remote hosts.

Interested in Speaking?

We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused, fresh-content presentation, please submit an abstract, bio and headshot to This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are: