Defeating Device Guard with Microsoft's Implant Since Windows 2000
Category: Penetration Testing
Summary: Windows 10 and Server 2016 provide, out of the box, defensive technologies that can be used to secure endpoints within your domain. Both operating systems give administrators granular control over how best to administer and defend their network, and in the opinion of this speaker, one of the best new defensive technologies in these operating systems is Device Guard.
Device Guard is Microsoft's latest defensive addition that allows administrators to defend their domain against malware. Device Guard lets administrators control whether and how applications are allowed to run on systems within their domain, with code integrity rules based on file name, hash, PcaCertificate, and other rule levels. I will talk about Device Guard, how it is used, and show how administrators deploy it.
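As an added illustration of the deployment workflow the abstract refers to (this is an example written for this page, not the speaker's tool or material), the following PowerShell session builds a Device Guard code integrity policy with the ConfigCI cmdlets that ship with Windows 10 and Server 2016, starting at the PcaCertificate rule level with a Hash fallback, deploys it in audit mode, and checks the resulting state. The policy paths and the scan root are assumptions chosen for the example; run it elevated on a clean reference machine.

```powershell
# Added example (not from the talk): build, audit, and deploy a Device Guard
# code integrity policy with the ConfigCI cmdlets in Windows 10 / Server 2016.
# Paths and the scan root below are assumptions for illustration only.

$PolicyXml = 'C:\CIPolicy\InitialPolicy.xml'   # assumed working path
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'        # assumed output path
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference image and generate rules at the PcaCertificate level,
#    falling back to per-file Hash rules for binaries that carry no usable
#    signature. -UserPEs includes user-mode executables, not only drivers.
New-CIPolicy -FilePath $PolicyXml `
             -Level PcaCertificate `
             -Fallback Hash `
             -ScanPath 'C:\' `
             -UserPEs

# 2. Start in audit mode (rule option 3, "Enabled:Audit Mode") so binaries
#    outside the policy are logged rather than blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy into the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Deploy: the boot-time policy is read from System32\CodeIntegrity.
#    A reboot is required before it takes effect.
Copy-Item -Path $PolicyBin `
          -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 5. After the reboot, confirm the enforcement state through WMI.
#    0 = Off, 1 = Audit, 2 = Enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
Write-Output "Kernel-mode CI policy: $($dg.CodeIntegrityPolicyEnforcementStatus)"
Write-Output "User-mode CI policy:   $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 6. Review what audit mode caught: Event ID 3076 in the CodeIntegrity
#    operational log records a binary that would have been blocked once the
#    policy is enforced.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message

# 7. Once the audit log is clean, drop audit mode, rebuild the binary
#    policy, redeploy it, and reboot to move to enforced mode.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Copy-Item -Path $PolicyBin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
# Restart-Computer
```

The audit pass in step 6 is the practitioner's check before enforcement: anything that shows up as a 3076 event is a binary the policy will block, and it is exactly the class of signed, already-present operating system binaries surfaced there that an attacker looks at when choosing what to live off.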
This talk also wouldn't be complete without looking at these same technologies from an attacker's perspective! I've been analyzing Device Guard configurations based on how we can expect them to be deployed in the field, and have developed a tool that can help attackers not only in today's Windows 7 environments but also in tomorrow's Server 2016 and Windows 10 domains. Developing a multifaceted tool in PowerShell was critical because I wanted maximum functionality, flexibility, and impact. This talk will showcase how an attacker can use this tool to live off the land and attack Device Guard protected systems using built-in operating system "features".