Windows Defender Application Control (WDAC) Resources

Over the years, I have written and recorded a lot of material related to Windows Defender Application Control (previously, Device Guard). I am extremely heartened to have received a lot of interest in it lately and I’ve been getting a lot of questions asking for help with individual deployments. It means a lot to me for someone to spend their valuable time reaching out to me with questions but considering the nature of the beast that is configuration, baselining, tuning, maintenance, and deployment of application control solutions, there is “no one size fits all” answer which makes addressing individual questions time consuming, time which I simply don’t have based on current personal and professional priorities. Rather than leave anyone hanging though, I wanted to offer a consolidated list of the WDAC resources I’ve authored through the years as a reference should new questions arise. Of course, I will try my best to answer questions as they arise but referring to this reference will be my first ask of you. Thank you for understanding!

Resources are broken down by broad category.

Why Use WDAC?

• Introduction to Windows Device Guard: Introduction and Configuration Strategy
• (Video) TR17 — Architecting a Modern Defense using Device Guard. A joint presentation with Casey Smith.
• (Video) Architecting a Modern Defense using Device Guard and PowerShell
• Device Guard Attack Surface, Bypasses, and Mitigations. A joint BlueHat IL 2017 presentation with Casey Smith
• On the Effectiveness of Device Guard User Mode Code Integrity

Configuration/Baselining/Deployment

• (Video) Building a Windows Defender Application Control policy from scratch: Creating a driver allow list
• (Video) Building a Windows Defender Application Control (WDAC) policy from scratch: User Mode Code Integrity
• Adventures in Extremely Strict Device Guard Policy Configuration Part 1 — Device Drivers. Apologies, there was never a part 2.

Policy Maintenance

• (Video) Integrating WDAC Block Rules and Intro to Multiple Policy Management
• (Video) Building, Deploying, and Managing Multiple WDAC Policies with WDACTools
• Using Device Guard to Mitigate Against Device Guard Bypasses
• Updating Device Guard Code Integrity Policies

Auditing

• (Video) Auditing and Bypassing Windows Defender Application Control
• Device Guard Code Integrity Policy Auditing Methodology
• Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode
• Assessing the Effectiveness of Hash-based Application Whitelisting Blacklist Rules

Bypasses and Research Methodology

• (Video) PowerShell Constrained Language Mode Enforcement and Bypass Deep Dive
• Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
• Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
• Bypassing Application Whitelisting with runscripthelper.exe
• Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology
• Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode

Code Signing

• Subverting Trust in Windows
• (Video) Hi, My Name is “CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US” (BlueHat IL 2018)
• (Video) Subverting Trust in Windows — A Case Study of the “How” and “Why” of Engaging in Security Research
• Application of Authenticode Signatures to Unsigned Code
• Code Signing Certificate Cloning Attacks and Defenses
• What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective

Miscellaneous

• Device Guard and Application Whitelisting on Windows — An Airing of Grievances. Note: in fairness, many of the issues highlighted have since been resolved.
• Windows Device Guard Code Integrity Policy Reference. The policy schema has seen been added to but the reference remains valid.

Conclusion

When working with WDAC, there’s no way around it, it’s going to require a fair amount of legwork. I hope that these resources are sufficient to get you started regardless of your particular area of focus.

To this day, I still believe that strong code integrity enforcement is the only way we can possibly compete against the constant deluge of existing and new attack techniques. WDAC requires a lot of care and feeding, however. Fortunately, if you have money to spare, many application control vendors have made a business out of reducing complexity and management burden.