Uncategorized

Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode

Matt Graeber
Security Researcher, SpecterOps
Jun 26
Note: I originally scrapped this post because I didn’t like that audit events were only logged once per boot due to caching; however, Casey’s tweet reminded me that I shouldn’t let perfect be the enemy of good. This is still one of the best options that I know of (without requiring a commercial solution) to log all driver loads. […]

https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11


Microsoft Updates OEM Device/Credential Guard requirements

Microsoft just updated this page:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/design/minimum/device-guard-and-credential-guard

There is no list of what’s changed; it seems that would be a reasonable thing to provide for such a large list of requirements… I’ll leave you to figure out what changed. 🙂

(If someone knows of a good way to diff this page against the same page a few weeks ago (without archive.org), please leave a Comment on this blog post. Thanks.)


Device Guard: undocumented policies

“Interesting undocumented Device Guard code integrity policy rules. Obtained via the SIPolicy XML schema.”

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules

WordPress mangles GitHub Gist URLs; click on the above Twitter URLs to get the Gist URL.


Troy Martin’s Windows Device Guard trilogy

Troy Martin of 1E has written the final part of his 3-part blog series on Device Guard, a new feature of Windows 10, targeting enterprise sysadmins.

[…]
Welcome to the third and final blog in the series on Device Guard!!
Device Guard hardens various attack surfaces on an endpoint, creating a “chain of trust” from the hardware through to the Windows OS kernel and to software running in Windows.
Device Guard components run in isolation from the Windows kernel and are secured by a Windows Hyper-V container called Virtual Secure Mode (VSM).
It is evident that Device Guard provides revolutionary endpoint security in Windows 10; a formidable opponent and offense against viruses, malware, bad actors and other modern-day threats. Time to start taking advantage of it and securing the enterprise!!
[…]


Windows Device Guard information

Ash de Zylva of Microsoft has a blog post on Windows 10’s Device Guard and Credential Guard:
Windows 10 Device Guard and Credential Guard Demystified
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I’ve observed there’s still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other. […]
http://blogs.technet.com/b/ash/archive/2016/03/02/windows-10-device-guard-and-credential-guard-demystified.aspx
