Windows 10 - Endpoint Security Improvements and the Implant since Windows 2000

Presented at TROOPERS17 (2017), March 23, 2017, 5 p.m. (Unknown duration).

Windows 10 and Server 2016 ship with defensive technologies that can be used to secure the endpoints in your domain. Both operating systems give administrators granular control over how to administer and defend their network, and in the speakers' opinion one of the best new defensive technologies these operating systems provide is Device Guard.

Device Guard is Microsoft's latest defensive addition that allows administrators to defend their domain against malware. Device Guard is designed to work together with AppLocker and lets administrators control whether and how applications are allowed to run on endpoints in their domain, with rules based on file name, hash, PCA certificate, and more. We will talk about Device Guard and how it is used, demo deploying Device Guard, and create a couple of sample deployment configurations. We want attendees to walk away from this part of our talk with an idea of how they can immediately improve their defenses.
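The deployment workflow described above, as an added example that is not the presenters' own configuration: a code integrity policy is generated from a reference machine with PCA-certificate rules and a hash fallback, staged in audit mode so that nothing is blocked yet, compiled to binary, copied to the location Code Integrity reads at boot, and then checked against the audit log before enforcement is switched on. The working directory C:\Policies and the choice to scan all of C:\ are assumptions for illustration; the cmdlets are the ConfigCI module that ships with Windows 10 and Server 2016.

```powershell
# Added example (not from the TROOPERS17 talk): build a Device Guard code
# integrity policy from a golden image, stage it in audit mode, convert it to
# binary and deploy it. C:\Policies and the scan path are assumptions; run in
# an elevated PowerShell on Windows 10 / Server 2016 (ConfigCI module).
#Requires -RunAsAdministrator
Import-Module ConfigCI

$PolicyDir    = 'C:\Policies'                       # assumed working directory
$PolicyXml    = Join-Path $PolicyDir 'DG-Audit.xml'
$PolicyBin    = Join-Path $PolicyDir 'SIPolicy.p7b'
$DeployTarget = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Scan the reference machine and generate allow rules. PcaCertificate
#    (the CA that issued the signer's certificate) keeps the rule count low;
#    unsigned files fall back to a per-file hash rule. -UserPEs includes
#    user-mode binaries (UMCI), not only drivers. Scanning C:\ takes a while.
New-CIPolicy -FilePath $PolicyXml `
             -Level PcaCertificate `
             -Fallback Hash `
             -ScanPath 'C:\' `
             -UserPEs

# 2. Rule options. 3 = Enabled:Audit Mode (log, don't block) so the policy is
#    tested before enforcement; 9 and 10 keep the box recoverable from the boot
#    menu if the policy is wrong; 6 allows an unsigned policy while testing
#    (remove it, and sign the policy, before production).
foreach ($opt in 3, 6, 9, 10) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# 3. Compile the XML into the binary form the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Stage it where Code Integrity reads it at boot, then reboot.
Copy-Item -Path $PolicyBin -Destination $DeployTarget -Force
Write-Host "Policy staged at $DeployTarget; reboot to activate audit mode."

# 5. After the normal workload has run for a while, list what would have been
#    blocked. Event 3076 is the audit-mode violation in the Code Integrity log.
function Get-CIAuditViolations {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
      ForEach-Object { $_.Message } | Sort-Object -Unique
}
Get-CIAuditViolations

# 6. When the audit log is clean, switch to enforcement: delete option 3,
#    recompile, redeploy (repeat step 4) and reboot.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Keep the audit phase long enough to cover scheduled tasks, updaters and monthly jobs: every binary that appears only as a 3076 event after enforcement becomes a 3077 block, and an empty audit log on day one says little about what runs on day thirty.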

This talk also wouldn't be complete without looking at these same technologies from an attacker's perspective! We've been analyzing Device Guard configurations and how we expect them to be deployed in the field, and have developed a tool that can help attackers not only in today's Windows 7 environments but also in tomorrow's Windows 10 and Server 2016 domains. Developing a multifaceted tool in PowerShell was critical because we wanted maximum functionality, flexibility, and impact. This talk will conclude with the release of our tool.
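Before anything else, both the red teamer who has just landed a shell and the administrator verifying a rollout want to know what Device Guard is actually enforcing on the host. The following is an added example, not the presenters' tool, that reads that state from the built-in Win32_DeviceGuard CIM class, the PowerShell language mode and the effective AppLocker policy. It assumes only a Windows 10 or Server 2016 host; the output field names are the author's own.

```powershell
# Added example (not the presenters' tool): fingerprint the Device Guard and
# AppLocker posture of the host from an existing PowerShell session.
function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard `
                          -ErrorAction SilentlyContinue

    # Enforcement status values used by Win32_DeviceGuard:
    # 0 = off, 1 = audit mode, 2 = enforced.
    $status = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    $umci = if ($dg) { $status[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus] } else { 'Unknown' }
    $kmci = if ($dg) { $status[[int]$dg.CodeIntegrityPolicyEnforcementStatus] }         else { 'Unknown' }

    # SecurityServicesRunning lists 1 for Credential Guard and 2 for
    # hypervisor-enforced code integrity (HVCI).
    $hvci = if ($dg) { 2 -in $dg.SecurityServicesRunning } else { $false }

    # Effective AppLocker policy; empty when no rules apply to this session.
    $appLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $ruleCount = if ($appLocker) { @($appLocker.RuleCollections).Count } else { 0 }

    [pscustomobject]@{
        UMCI           = $umci
        KMCI           = $kmci
        HVCI           = $hvci
        # Enforced UMCI drops PowerShell into ConstrainedLanguage mode, which
        # removes Add-Type, arbitrary .NET method calls and similar tradecraft;
        # FullLanguage here with UMCI 'Enforced' means the session is exempt.
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode.ToString()
        PolicyOnDisk   = Test-Path 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
        AppLockerRules = $ruleCount
    }
}

Get-DeviceGuardState | Format-List
```

A host that reports UMCI as Audit, or Off with a policy file on disk, is one where the deployment has stalled between the steps of the workflow; those are precisely the configurations the attacker's side of the talk sets out to find.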


Presenters:

  • Evan Peña
    Evan Peña is a Principal Consultant and red team lead for Mandiant's West Region. Evan has years of experience in enterprise information technology administration, leading covert red team operations to evaluate incident response procedures, and assessing enterprise network defense capabilities from the perspective of an attacker. In addition, Evan participates in diverse security assessments of large government agencies and Fortune 500 companies, whose networks have an online presence spanning hundreds of thousands of addresses around the world.
  • Christopher Truncer
    Christopher Truncer (@ChrisTruncer) is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed for the offensive community but can also enhance the defensive community's ability to defend its network. He has been published in the Russian magazine Xakep on antivirus evasion with the Veil-Framework. Tools and techniques he develops or researches are typically released on his personal blog, https://www.christophertruncer.com.
