Sneaking Past Device Guard - Philip Tsukerman - Hack in Paris - 2019

Explore advanced techniques for bypassing Windows 10's Device Guard security feature in this 43-minute conference talk from Hack in Paris. Dive deep into the internals of Device Guard, also known as Windows Defender Application Control (WDAC), and discover various methods to subvert its protection in different contexts. Learn about new execution techniques, accidental AMSI bypasses, and other intriguing security insights. Examine rarely discussed and novel bypass methods, including those requiring admin access, Microsoft Office (without user interaction), and even low-privilege techniques using only native OS executables. Gain a comprehensive understanding of how Device Guard is implemented across various contexts, and explore the inner workings of Windows scripting engines and their host processes to grasp how certain techniques can circumvent this security measure.

Introduction
What is Device Guard
VBA Bypass
Using Trusted Documents
Excel for Macros
Alternative Shellcode Runner
Active Script
Active Script Consumer
MSXML
Access Transform XML
Create Object Method
Cold Stacks
Scriptlets
Class ID
Register
Patched
Bypass
Alternative execution vectors
Detecting
Outro