Sneaking Past Device Guard

Device Guard (or WDAC) is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries, and scripts to run, even for administrator users. Seemingly, the only way to run unsigned code without specific RCE vulnerabilities would require an administrator to turn the feature off and restart the machine.

This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables. All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft has decided not to service these techniques with an update.

During the talk, we’ll dive into the various ways the feature is implemented under different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard.

Here’s a rough skeleton of what I’m planning to show:

INTRODUCTION

* Talk introduction and Bio
* Device Guard and its goals
* What Device Guard Protects Against in practice
* Examples of known bypasses
* Why I think techniques requiring admin credentials are still dangerous

OFFICE VBA BASED TECHNIQUES

* Why VBA bypasses Device Guard
* Naive bypass by just RDPing to a machine and clicking away at “Enable Content”
* Lateral movement based bypasses - running VBA without files or user interaction via DCOM (usually requires admin; these techniques have been published, but not their ability to bypass whitelisting)
* Getting Office to run macros without user interaction (still requires something like a constrained language mode PowerShell instance, but can be done from an unprivileged context)

ACTIVESCRIPT BASED TECHNIQUES

* ActiveScript, Device Guard, and Enlightened Hosts (a small touch on the internals of script whitelisting in Device Guard)
* How ActiveScript bypasses mostly work
* ActiveScriptConsumer as a bypass requiring admin
* Lateral movement bypass using Microsoft Access and XSLT (usually requires admin)
* Lateral movement bypass using Outlook and XSLT (usually requires admin, a modification of a technique by Matt Nelson, not yet discussed in a whitelisting context)
* Lateral movement bypass using Excel 4 Macros
* Bypassing Device Guard with ActiveScriptEventConsumer
* Getting WScript/CScript to run unsigned JScript by abusing conflicting implementations of script whitelisting (will be fixed this November as CVE-2018-8417)

CONCLUSION

* Benefits of the techniques described above in an environment without whitelisting (combining an idea from CVE-2018-8417 and Excel 4 macros for a fileless, injectionless shellcode runner)
* Detection of new techniques should not be hard
* How I think Device Guard should improve
* Questions

About the Speaker