- Jan 30, 2023
This method removes trust from every Kernel mode driver, vulnerable or not. It does not affect User-mode binaries or drivers.
Any 3rd party software or hardware Kernel mode driver must be explicitly allowed. This approach protects against all BYOVD scenarios and much more.
Drivers run inside the Kernel, the core of the operating system, and Microsoft requires all of them to be digitally signed. A BYOVD (Bring Your Own Vulnerable Driver) attack loads one of those legitimately signed drivers that contains a security flaw and abuses it to gain direct access to the core of the OS. This attack vector applies to all OSes, not just Windows.
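Building the kernel-mode-only policy described above with the ConfigCI cmdlets that ship with Windows, as an added example (not the post's own code and not the WDACConfig module; the C:\WDAC paths and the policy name are assumptions):

```powershell
# Added example: kernel-mode-only WDAC policy built with the built-in ConfigCI
# cmdlets. Assumes Windows 10/11 and an elevated PowerShell session.
$PolicyDir = 'C:\WDAC'                       # assumed working folder
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$Xml = Join-Path $PolicyDir 'KernelModeBYOVD.xml'

# 1. Start from the DefaultWindows template that ships with Windows. It trusts
#    only Windows/WHQL-signed kernel code, so every 3rd party driver is blocked
#    until it is explicitly allowed.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" $Xml

# 2. Rule options. Option 0 (Enabled:UMCI) is deliberately removed so the policy
#    never touches user-mode binaries; option 3 keeps it in audit mode while you
#    collect the drivers your hardware actually needs.
Set-RuleOption -FilePath $Xml -Option 0 -Delete   # Enabled:UMCI -> kernel mode only
Set-RuleOption -FilePath $Xml -Option 3           # Enabled:Audit Mode (removed later to enforce)
Set-RuleOption -FilePath $Xml -Option 6           # Enabled:Unsigned System Integrity Policy
Set-RuleOption -FilePath $Xml -Option 16          # Enabled:Update Policy No Reboot

# 3. Give the policy its own ID (multiple-policy format) and a name, then read
#    the ID back from the XML; the deployed file must be named after it.
Set-CIPolicyIdInfo -FilePath $Xml -PolicyName 'Kernel-mode BYOVD protection' -ResetPolicyID | Out-Null
$PolicyID = ([xml](Get-Content -Path $Xml -Raw)).SiPolicy.PolicyID   # e.g. {GUID}

# 4. Compile and deploy in audit mode.
$Cip = Join-Path $PolicyDir "$PolicyID.cip"
ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Cip | Out-Null
Copy-Item $Cip "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$PolicyID.cip"
# On Windows 11 22H2+ the policy can also be activated without a reboot:
#   CiTool --update-policy $Cip

# 5. After a representative audit period, turn the kernel-mode audit events
#    (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational) into allow
#    rules for the drivers you really use, merge them in, and switch to enforce.
#    -UserPEs is intentionally omitted so only kernel-mode files are scanned.
$AuditXml = Join-Path $PolicyDir 'AuditedDrivers.xml'
New-CIPolicy -FilePath $AuditXml -Audit -Level Publisher -Fallback Hash -NoScript
Merge-CIPolicy -OutputFilePath $Xml -PolicyPaths $Xml, $AuditXml | Out-Null
Set-RuleOption -FilePath $Xml -Option 3 -Delete   # drop audit mode -> enforced
ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Cip | Out-Null
Copy-Item $Cip "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$PolicyID.cip" -Force
```

Once enforced, any unlisted 3rd party driver load is blocked and logged as Event ID 3077, which is the signal to watch for both BYOVD attempts and drivers you forgot to allow.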
Continue reading in the wiki:
WDAC policy for BYOVD Kernel mode only protection
Here is my YouTube video that shows the policy in action:
I explained everything that happens in the video in its description.
My WDACConfig PowerShell module, which helps you automate a LOT of operations:
WDACConfig
The cmdlet of the WDACConfig module responsible for Kernel-level BYOVD protection is this:
New-KernelModeWDACConfig
More BYOVD protections, especially for enterprises and businesses, in this Rationale post:
Harden-Windows-Security/Rationale.md at main · HotCakeX/Harden-Windows-Security
If you have any questions, please feel free to comment down below or reach out on GitHub for code-related stuff. Thanks
P.S. this is all free, you don't have to buy anything extra nor pay for any subscription etc.