Skip to content

Latest commit

 

History

History
13 lines (13 loc) · 1014 Bytes

Device Guard.md

File metadata and controls

13 lines (13 loc) · 1014 Bytes
tags cssclasses
detection-and-defense
  • Windows Defender Application Control (WDAC) is a group of features designed to harden a system against malware attacks. Its focus is preventing malicious code from running by ensuring only known good code can run.
  • Primary components -
    • Configurable Code Integrity (CCI) - Configure only trusted code to run.
    • Virtual Secure Mode Protected Code Integrity - Enforces CCI with Kernel mode (KMCI) and User mode (UMCI)
    • Platform and UEFI Secure Boot - Ensures boot binaries and firmware integrity.
  • UMCI is something which interferes with most of the lateral movement attacks we have seen.
  • While it depends on the deployment (discussing which will be too lengthy), many well known application whitelisting bypasses - signed binaries like csc.exe, MSBuild.exe etc. - are useful for bypassing UMCI as well.
  • See LOLBAS project