New Update BYOVD Kernel-level protection for Windows using Windows Defender Application Control

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
This method involves removing trust from any Kernel mode driver, whether vulnerable or not. It does not affect User-mode binaries or drivers.

Any 3rd-party software or hardware Kernel mode driver needs to be explicitly allowed. This scenario protects against all BYOVD scenarios and much more.

Drivers can access the Kernel, which is the core of the operating system. Microsoft requires all drivers to be digitally signed. A BYOVD (Bring Your Own Vulnerable Driver) scenario involves using one of the digitally signed drivers that has a security hole to gain direct access to the core of the OS. This attack vector applies to all OSes, not just Windows.

Continue reading in the wiki:

WDAC policy for BYOVD Kernel mode only protection

Here is my YouTube video that shows the policy in action:

Everything that's happening in the video is explained in its description.



My WDACConfig PowerShell module that helps you automate a LOT of operations.

WDACConfig

The cmdlet of the WDACConfig module responsible for Kernel-level BYOVD protection is this:

New-KernelModeWDACConfig

More BYOVD protections, especially for enterprises and businesses, in this Rationale post:

Harden-Windows-Security/Rationale.md at main · HotCakeX/Harden-Windows-Security

If you have any questions, please feel free to comment down below or reach out on GitHub for code-related stuff. Thanks


P.S. this is all free; you don't have to buy anything extra or pay for any subscription, etc.
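The kind of policy the post describes (kernel-mode only, every non-Windows driver explicitly allowed) can also be built by hand with the ConfigCI cmdlets that ship in Windows. The script below is an added example and is not code from the WDACConfig module, the wiki or the video. It assumes the third-party drivers you want to keep are collected under C:\ThirdPartyDrivers, names the policy KernelOnlyBYOVD, and deploys with CiTool.exe, which needs Windows 11 22H2 or later (on older builds copy the .cip into C:\Windows\System32\CodeIntegrity\CiPolicies\Active\ and reboot).

```powershell
# Added example, not the WDACConfig module's code. Run elevated on an
# edition that has the ConfigCI module (Windows 10/11 Pro/Enterprise).
# Assumptions: drivers to keep live in C:\ThirdPartyDrivers; policy name
# KernelOnlyBYOVD; CiTool.exe present (Windows 11 22H2+).
$ErrorActionPreference = 'Stop'
$driverDir = 'C:\ThirdPartyDrivers'
$work      = Join-Path $env:TEMP 'wdac-kernel'
$base      = Join-Path $work 'base.xml'
$policyXml = Join-Path $work 'KernelOnlyBYOVD.xml'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Start from Microsoft's DefaultWindows template, which already trusts
#    Windows' own signed binaries and the WHQL signing chain drivers use.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $base -Force

# 2. Make it kernel-mode only. Option 0 (Enabled:UMCI) is what extends a
#    WDAC policy to user-mode code; deleting it leaves user-mode binaries
#    alone and lets the policy govern drivers only.
Set-RuleOption -FilePath $base -Option 0 -Delete

# 3. Safety rails while testing: 3 = audit mode (log, don't block),
#    9 = keep the Advanced Boot Options menu, 10 = fall back to audit if
#    enforcement would stop the machine booting.
foreach ($opt in 3, 9, 10) { Set-RuleOption -FilePath $base -Option $opt }

# 4. Explicitly allow the third-party drivers you actually need.
#    Publisher level trusts anything from the same signer chain (survives
#    driver updates); use -Level Hash to pin one exact file instead.
$rules = @()
if (Test-Path $driverDir) {
    $drivers = Get-SystemDriver -ScanPath $driverDir -NoShadowCopy
    if ($drivers) { $rules = @(New-CIPolicyRule -DriverFiles $drivers -Level Publisher) }
}

# 5. Merge the allow rules into the base and give the policy its own GUID
#    and name (multiple-policy format).
$mergeArgs = @{ OutputFilePath = $policyXml; PolicyPaths = @($base) }
if ($rules.Count -gt 0) { $mergeArgs.Rules = $rules }
Merge-CIPolicy @mergeArgs | Out-Null
Set-CIPolicyIdInfo -FilePath $policyXml -PolicyName 'KernelOnlyBYOVD' -ResetPolicyID | Out-Null
$policyId = ([xml](Get-Content -Raw $policyXml)).SiPolicy.PolicyID   # "{GUID}"

# 6. Compile to the binary the kernel loads; the file name must be the GUID.
$cip = Join-Path $work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $cip | Out-Null
Write-Host "Policy compiled: $cip"

# 7. Deploy (audit-mode base policy, no reboot required with CiTool).
& "$env:windir\System32\CiTool.exe" --update-policy $cip

# 8. After some runtime in audit mode, list what WOULD have been blocked.
#    3076 = audit-mode event, 3077 = enforced block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# To enforce: Set-RuleOption -FilePath $policyXml -Option 3 -Delete, then
# repeat steps 6 and 7. Keep option 10 until every boot driver is known good.
```

Two caveats a practitioner will want: with option 0 removed the policy says nothing about user-mode code, so it complements rather than replaces user-mode WDAC or Smart App Control; and an allow rule at Publisher level admits every driver from that signer, including a future vulnerable one, so pair it with Microsoft's recommended driver block rules where the signer is broad.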

bazang

Level 12
Jul 3, 2024
551
The author SpyNetGirl is no longer active in this forum. If you type @ and her avatar name, you will see it is no longer in the list of choices.
People have to create a GitHub account and then contact her via GitHub.

SpyNetGirl was not able to accept anything other than her own views on security. Only her way of doing security is the correct way to do security. She does not play well with others. So she left MT a while back.
 

Victor M

Level 16
Verified
Top Poster
Well-known
Oct 3, 2022
759
Only her way
Yes, she seems to think MS's solutions are infallible.

Apart from WDAC, I think most of MS's efforts are patchwork solutions. Something is broken, so they make a new replacement, or a new add-in piece to it, but leave the old bypassable method intact for fear of breaking holy backward compatibility. People who don't know better will keep on using the old insecure way, version after new version (of Windows).

I understand that some companies want to maximize the return on tech investments.
 

bazang

Level 12
Jul 3, 2024
551
Apart from WDAC, I think most of MS's efforts are patchwork solutions.
Microsoft treats everything as modular. It packages those modules together and then ships them on Windows.

Windows has always been modular. Each module is independent of each other (and is intended by design to be disabled or removed if not needed).

However, Microsoft has a long-standing history of not integrating modules very well and that includes management of the development of those modules. The development teams are very siloed.

WDAC was launched. Then its development stalled for years. Then someone at Microsoft decided to start development again, and then integrate Smart App Control.

Microsoft Security really wants to put default deny onto Windows for Home, but Microsoft will not because of all the "users that want to use stuff" who will complain.

You and I can come up with a long list of Microsoft security items that were started, but never finished. Or they started but are now stalled at a half-baked stage.


Something is broken, so they make a new replacement, or a new add-in piece to it, but leave the old bypassable method intact for fear of breaking holy backward compatibility. People who don't know better will keep on using the old insecure way, version after new version (of Windows).
Backwards compatibility is a thing because of enterprises and government organizations.

Who needs PowerShell v2.0 enabled by default? Enterprises and the US Government. That's who. So PoSh v2 - that utterly insecure garbage - gets foisted upon everyone else because Microsoft releases a generic version of its OS to everyone.
 