How to easily protect against BYOVD attack scenarios with WDAC policy in Windows - Windows Defender

Video description

This video demonstrates how you can easily protect against the BYOVD (Bring Your Own Vulnerable Driver) attack vector and more.

This proactive measure uses allowlisting and Windows Defender Application Control, also known as WDAC.

Testing on a Hyper-V VM, because during the demo I had to restart twice and it would be very hard to continue recording non-stop. This way, instead of hardware Kernel-mode drivers, I'm using 3rd party apps that ship their own Kernel-mode drivers, to show how you can allowlist your Kernel-mode drivers, whether hardware or software, and block any other Kernel-mode driver that is not explicitly allowed.

In the demo you can see I'm using Tor, Cloudflare WARP and System Informer as test apps. The idea is to show you that a User-mode app such as Tor runs perfectly (even though the Tor network is painfully slow).

System Informer uses both User-mode and Kernel-mode drivers. In the video you can see that it installs just fine and you can use its User-mode driver too, but the moment you switch to the Kernel-mode driver, it creates an Audit log entry indicating that it would have been blocked if the base policy had been deployed in enforced mode.

Finally, we use Cloudflare WARP after completely deploying our Strict Kernel-mode WDAC policy. The video shows how you can effortlessly allow a 3rd party Kernel-mode driver if you need to, whether it's hardware or software, and create a Supplemental policy for it. With the WDACConfig module, you can automatically merge all of your Supplemental policies into one, without the need for any reboot. The WDACConfig module automates a lot of tasks related to Code Integrity in the Windows Operating System, allowing non-enterprise users to use WDAC easily.
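As an added example (not code from the video or from the WDACConfig module), here is the two-step check-then-allow workflow described above using only the built-in ConfigCI cmdlets and CiTool: first list the Kernel-mode drivers the audit log says would have been blocked, then turn the ones you decide to trust into a Supplemental policy and load it without a reboot. The base policy path, output folder and the event data field names are assumptions to verify on your own system.

```powershell
# Added example, not from the video or the WDACConfig module.
# Assumed paths: your Strict Kernel-mode base policy (must have rule option 17,
# "Enabled:Allow Supplemental Policies") and a working folder.
$BasePolicyXml = 'C:\WDAC\StrictKernelMode.xml'
$OutDir        = 'C:\WDAC'

# Step 1: which Kernel-mode drivers would have been blocked?
# Event 3076 = "would be blocked" (audit mode), 3077 = blocked (enforced mode).
# Field names (FileNameBuffer, SISigningScenario, SHA256Hash) are as exposed in the
# event XML; SISigningScenario 0 = Kernel mode, 1 = User mode. Verify on your build.
function Get-WdacKernelAuditEvents {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['SISigningScenario'] -eq '0') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Driver = $d['FileNameBuffer']
                SHA256 = $d['SHA256Hash']
            }
        }
    }
}
# Review this list before step 2: every entry is a driver that wants Kernel-mode access.
Get-WdacKernelAuditEvents | Sort-Object Driver -Unique | Format-Table -AutoSize

# Step 2: build a Supplemental policy from the audited files. Publisher-level rules
# keep a signed driver working across updates; unsigned files fall back to hash rules.
$SuppXml = Join-Path $OutDir 'Supplemental_KernelDrivers.xml'
New-CIPolicy -Audit -Level Publisher -Fallback Hash -FilePath $SuppXml

# Mark it as a supplement of the base policy and give it its own PolicyID.
Set-CIPolicyIdInfo -FilePath $SuppXml -BasePolicyToSupplementPath $BasePolicyXml -ResetPolicyID
$SuppId  = ([xml](Get-Content -Raw $SuppXml)).SiPolicy.PolicyID
$SuppCip = Join-Path $OutDir "$SuppId.cip"

# Compile to binary and activate it; Supplemental policies load without a reboot.
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath $SuppCip
CiTool.exe --update-policy $SuppCip   # CiTool ships with Windows 11 22H2 and later
```

Run step 1 alone first and remove anything you did not install yourself from the supplemental policy XML before compiling it; a driver you cannot account for is exactly the case the Strict Kernel-mode policy exists to stop.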

In the video I'm deploying this policy without cryptographically signing it. Refer to my GitHub for guides on how to automatically and easily sign your WDAC policy to make it tamper-proof.

In this demo I'm using my WDACConfig module; you can find it on my GitHub:
https://github.com/HotCakeX/Harden-Wi...

My Harden Windows Security GitHub repository:
https://github.com/HotCakeX/Harden-Wi...

My Twitter: / spynetgirl

If you have any questions or need help, feel free to reach out on GitHub or Twitter.
