SNEAKING PAST DEVICE GUARD
WHOAMI
» Philip Tsukerman – Security Researcher @ Cybereason
» @PhilipTsukerman
» No idea to whom the legs in the background belong
OUTLINE
» Intro to Device Guard
» VBA based techniques
» Non-VBA based techniques
» Other benefits of techniques
» Conclusion
INTRO TO DEVICE GUARD
DEVICE GUARD – WHAT AND WHY?
» Application whitelisting feature in Windows 10
» Only code allowed by a code integrity policy (matched by signing certificate, file hash, etc.) should be able to run
» Inhibits an attacker’s ability to run unapproved code on a compromised machine
» Very interesting and permissive threat model:
» Attacker can already execute commands on a machine