Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Sneaking Past Device Guard - Philip Tsukerman - Hack in Paris - 2019

Hack in Paris via YouTube

Overview

Explore advanced techniques for bypassing Windows 10's Device Guard security feature in this 43-minute conference talk from Hack in Paris. Dive deep into the internals of Device Guard, also known as Windows Defender Application Control (WDAC), and discover various methods to subvert its protection in different contexts. Learn about new execution techniques, accidental AMSI bypasses, and other intriguing security insights. Examine rarely discussed and novel bypass methods, including those requiring admin access, Microsoft Office (without user interaction), and even low-privilege techniques using only native OS executables. Gain a comprehensive understanding of how Device Guard is implemented across various contexts, and explore the inner workings of Windows scripting engines and their host processes to grasp how certain techniques can circumvent this security measure.

Syllabus

Introduction
What is Device Guard
VBA Bypass
Using Trusted Documents
Excel for Macros
Alternative Shellcode Runner
Active Script
Active Script Consumer
MSXML
Access Transform XML
Create Object Method
Cold Stacks
Scriptlets
Class ID
Register
Patched
Bypass
Alternative execution vectors
Detecting
Outro

Taught by

Hack in Paris

Reviews

Start your review of Sneaking Past Device Guard - Philip Tsukerman - Hack in Paris - 2019

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.