Sneaking Past Device Guard

Device Guard (or WDAC) Is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries, and scripts to run, even under administrator users. Seemingly, the only way to run unsigned code without specific RCE vulnerabilities would require an administrator to turn the feature off and restart the machine.

This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables. All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft decided not to service these techniques with an update.

During the the talk, we’ll dive in to the various ways the feature is implemented under different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard.

About the Speaker