Defeating Device Guard with Microsoft's Implant Since Windows 2000

Author(s): Christopher Truncer
Category: Penetration Testing
Duration: 45
Summary: Windows 10 and Server 2016 ship with defensive technologies that can be used to secure endpoints within your domain. Both operating systems give administrators granular control over how to administer and defend their network, and in the opinion of this speaker, one of the best new defensive technologies these operating systems provide is Device Guard.

Device Guard is Microsoft’s latest defensive addition for protecting a domain against malware. Its code integrity policies let administrators control whether, and how, applications are allowed to run on systems within the domain; rules can be based on file name, hash, PcaCertificate, and other rule levels. I will describe Device Guard, how it is used, and how administrators deploy it.
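The deployment workflow the abstract refers to, as an added example (not material from the talk): build a code integrity policy from a reference host with the ConfigCI cmdlets, compile it, and verify that user-mode code integrity is enforced. The paths, the PcaCertificate rule level with a Hash fallback, and the choice to scan the whole system drive are this example's assumptions.

```powershell
# Added example, not the speaker's tooling. Assumes Windows 10 / Server 2016 with the
# ConfigCI module, run elevated on a clean "golden" reference host. Paths are arbitrary.
$PolicyXml = 'C:\CI\InitialPolicy.xml'
$PolicyBin = 'C:\CI\SIPolicy.p7b'

# Scan the host and emit rules at the PcaCertificate level; unsigned files fall back to a
# per-file Hash rule. -UserPEs includes user-mode binaries, which is what makes this a
# UMCI policy (and what pushes PowerShell into ConstrainedLanguage mode).
New-CIPolicy -FilePath $PolicyXml -Level PcaCertificate -Fallback Hash -UserPEs -ScanPath 'C:\'

# A new policy carries rule option 3 ("Enabled:Audit Mode"). Leave it on, collect
# Microsoft-Windows-CodeIntegrity/Operational events 3076 (would-be blocks) for a while,
# and only then delete the option to start enforcing:
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

# Compile the XML into the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy locally (Group Policy's "Deploy Code Integrity Policy" setting is the domain-wide
# equivalent) and reboot for the policy to take effect.
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# After the reboot: 2 = enforced, 1 = audit, 0 = off for each enforcement status.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus

# With UMCI enforced this reports ConstrainedLanguage instead of FullLanguage.
$ExecutionContext.SessionState.LanguageMode
```

The audit-then-enforce step is the part most often skipped in the field: a policy built from one reference image silently breaks every unsigned line-of-business tool elsewhere, so the 3076 audit events are the only cheap way to find those gaps before enforcement.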

This talk also wouldn’t be complete without looking at these same technologies from an attacker’s perspective! I’ve been analyzing Device Guard configurations based on how we can expect them to be deployed in the field, and have developed a tool that helps attackers not only in today’s Windows 7 environments but also in tomorrow’s Server 2016 and Windows 10 domains. Building a multifaceted tool in PowerShell was critical because I wanted maximum functionality, flexibility, and impact. This talk will show how an attacker can use this tool to live off the land and attack Device Guard protected systems using built-in operating system “features”.

Likes: 1

Comments

yee_know_me

yeeeeeeeeee :-)


chango77747

Can't wait for this!


BabySealTeam6

My understanding is that Device Guard places PowerShell into constrained language mode. Is your PowerShell tool affected by it? Will you be discussing public bypasses or have you developed your own? It's not clear in the synopsis.


SonofFlynn

Device Guard does place PowerShell into constrained language mode. I'll discuss how I built the capabilities of a RAT leveraging built in Windows "functionality" in a manner that completely works in constrained language mode. I'll talk data storage, the C2 channel, and mechanism for triggering actions on remote hosts.
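The constrained language mode boundary discussed in the comments above, as an added example that is neither the speaker's tool nor part of the original page: a small probe that reports which operations a script can still perform once UMCI has put PowerShell into ConstrainedLanguage mode. The function name and the three probes chosen are this example's own.

```powershell
# Added example, not the speaker's RAT. Run it once in a normal session and once on a
# Device Guard (UMCI) host, or force CLM for the current session to test without a policy:
#   $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'   # cannot be reverted
function Test-CLMBoundary {
    $r = [ordered]@{ LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)" }

    # Instantiating arbitrary .NET types is blocked in CLM; only core types are allowed.
    try { $null = New-Object System.Net.WebClient -ErrorAction Stop; $r.WebClient = 'allowed' }
    catch { $r.WebClient = 'blocked' }

    # Compiling new code with Add-Type is blocked in CLM.
    try { Add-Type -TypeDefinition 'public class CLMProbe {}' -ErrorAction Stop; $r.AddType = 'allowed' }
    catch { $r.AddType = 'blocked' }

    # Built-in cmdlets keep working: CIM/WMI queries, file I/O, web requests, remoting.
    # This is the surface a "live off the land" tool has to be written against.
    try { $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop; $r.CIM = 'allowed' }
    catch { $r.CIM = 'blocked' }

    [pscustomobject]$r
}

Test-CLMBoundary
```

In FullLanguage all three probes report allowed; in ConstrainedLanguage the first two report blocked while the cmdlet still succeeds, which is why a tool that only ever calls signed, built-in cmdlets is unaffected by the mode.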