Explore the intricacies of bypassing Device Guard in this 45-minute conference talk from WEareTROOPERS. Delve into the concept of Device Guard, its practical applications, and the implications of arbitrary code execution. Examine lateral movement techniques, the role of Office in protected models, and trusted locations. Learn about PowerShell in Constrained Language Mode and its potential for arbitrary code execution. Discover the benefits of Excel macros and ActiveScript bypasses, including common hosts and engines. Investigate Device Guard in ActiveScript, XSLT transforms, and various implementation differences. Analyze patching limitations and combine multiple techniques for effective bypasses. Gain insights into detection tools and potential future developments in Device Guard. Conclude with recommendations for further learning and experts to follow in the field.
Overview
Syllabus
Einleitung
OUTLINE
DEVICE GUARD - WHAT AND WHY?
WHAT DOES ARBITRARY CIDE REALLY MEAN
DEVICE GUARD - IN PRACTICE
THE LATERAL MOVEMENT/BCON APPROACH
WHEN DIES OFFICE FORSAKE PROTECTED MODEL
TRUSTED LOCATIONS
PS IN CLM TO ARBITRART CODE EXAMPLE
BENEFITS OF EXCEL MACROS
ACTIVESCRIPT BYPASSES
THE MAIN COMPONENTS OF ACTIVESCRIPT
COMMON HOSTS AND ENGINES
DEVICE GUARD IN ACTIVESCRIPT
ACTIVESCRIPTCONSUMER
XSLT TRANSFORNS
SACCESS XSLT TRANSFORMS
DIFFERENT IMPLEMENTATIONS IN ACTIVESCRIPT
PATCHING IS PRETTY MEANINGLESS AS OF NIV
ANSI BYPASSES
STICKING TECHNIQUES TOGETHER
YOU ALREADY HAVE THE TOOLS FOR DETECTION
HOW I THINK THE FEATURE SHOULD DEVELOP
PEOPLE TO FOLLOW
Taught by
WEareTROOPERS
