Windows Defender Application Control (WDAC) Resources

Over the years, I have written and recorded a lot of material related to Windows Defender Application Control (previously, Device Guard). I am extremely heartened to have received a lot of interest in it lately, and I’ve been getting a lot of questions asking for help with individual deployments. It means a lot to me for someone to spend their valuable time reaching out to me with questions. However, given the nature of the beast that is configuration, baselining, tuning, maintenance, and deployment of application control solutions, there is no “one size fits all” answer, which makes addressing individual questions time consuming, and that is time which I simply don’t have based on current personal and professional priorities. Rather than leave anyone hanging, though, I wanted to offer a consolidated list of the WDAC resources I’ve authored through the years as a reference should new questions arise. Of course, I will try my best to answer questions as they arise, but referring to this reference will be my first ask of you. Thank you for understanding!

Resources are broken down by broad category.

Why Use WDAC?

Configuration/Baselining/Deployment

Policy Maintenance

Auditing

Bypasses and Research Methodology

Code Signing

Miscellaneous

Conclusion

When working with WDAC, there’s no way around it: it’s going to require a fair amount of legwork. I hope that these resources are sufficient to get you started regardless of your particular area of focus.

To this day, I still believe that strong code integrity enforcement is the only way we can possibly compete against the constant deluge of existing and new attack techniques. WDAC requires a lot of care and feeding, however. Fortunately, if you have money to spare, many application control vendors have made a business out of reducing complexity and management burden.

Security Researcher, SpecterOps