The year of - January 2023
In January 2023, 6 threat campaigns reported in Microsoft Defender for Endpoint were analyzed. 1 threat campaign did not involve executing code on client systems, so there is no reasonable expectation that an application control technology could have stopped it; we mark such campaigns as out-of-scope for our analysis and statistics. 2 threat campaigns lacked enough detail for us to make an informed decision as to whether an application control implementation could have stopped the campaign from wreaking havoc; these are marked out-of-scope as well.

The 3 other campaigns would all have been stopped by any Windows Defender Application Control implementation. Of these 3, 1 campaign made use of DLLs, PowerShell scripts and the well-known RegSvr32 bypass for AppLocker. The threat actors behind this campaign clearly used knowledge of AppLocker and its popular implementations to keep their campaign moving forward even where AppLocker was in place.

Summary: a perfect score for the WDAC team in January.

oscc.be/wdac/2023-The-year-of-

#wdac #wdacwednesday #infosec #security #windows10

Last updated 2 years ago

has published 11 Threat analyst reports in the past 2 months.
5 of them are not relevant to application control technologies: insufficient detail in the report to assess (2), non-Windows targets (2), no code execution used (1).

Of the 6 others, 2 would have been blocked by the most rudimentary AppLocker implementation. For the remaining 4, application control would not have prevented the hands-on-keyboard stage without script enforcement in place.

1 used the well-known AppLocker regsvr32 bypass; 2 used DLL sideloading to avoid needing executables at all.

None would have passed a WDAC implementation that did not specifically disable script enforcement.

OSCC's point of view is that app control without script enforcement is but a mild nuisance for attacks that involve hands-on keyboard, forcing them to switch to PowerShell.
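A WDAC policy only behaves the way the post describes if script enforcement has not been switched off. The PowerShell below is an added example, not code from the original post or from OSCC: it writes a small constructed policy XML, reports whether the policy carries the "Disabled:Script Enforcement" rule option (option 11 in the ConfigCI module) or "Enabled:Audit Mode" (option 3), and then removes option 11 with Set-RuleOption so script enforcement is back in effect. The sample policy and the temp path are assumptions made for the example; the rule option names and numbers are the ones the ConfigCI module uses.

```powershell
# Added example: audit a WDAC policy XML for script enforcement being disabled,
# then remediate with the ConfigCI module. The policy below is constructed
# for this example and is not a real production policy.
$samplePolicy = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Disabled:Script Enforcement</Option></Rule>
  </Rules>
</SiPolicy>
'@

# Assumed location for the sample; use your own policy path in practice.
$policyPath = Join-Path $env:TEMP 'sample-wdac-policy.xml'
Set-Content -Path $policyPath -Value $samplePolicy -Encoding UTF8

function Test-WdacScriptEnforcement {
    # Reads the policy XML and reports the two options that decide whether
    # scripts (PowerShell, WSH, MSI) are actually constrained at runtime.
    param([Parameter(Mandatory)][string]$Path)

    [xml]$xml = Get-Content -Path $Path -Raw
    $options = @($xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })

    [pscustomobject]@{
        Path              = $Path
        ScriptEnforcement = if ($options -contains 'Disabled:Script Enforcement') { 'Disabled' } else { 'Enabled' }
        Mode              = if ($options -contains 'Enabled:Audit Mode') { 'Audit (nothing blocked)' } else { 'Enforced' }
        Options           = $options
    }
}

# Before remediation: script enforcement is disabled and the policy only audits.
Test-WdacScriptEnforcement -Path $policyPath

# Remediation: option 11 is "Disabled:Script Enforcement". Script enforcement is
# on whenever that option is absent, so deleting it is enough.
Set-RuleOption -FilePath $policyPath -Option 11 -Delete

# Audit mode (option 3) is a separate decision; remove it only once the policy
# has been tested, otherwise nothing is blocked regardless of script enforcement.
# Set-RuleOption -FilePath $policyPath -Option 3 -Delete

# After remediation: ScriptEnforcement now reports 'Enabled'.
Test-WdacScriptEnforcement -Path $policyPath
```

Run this in an elevated PowerShell session on a machine with the ConfigCI module (Windows 10/11 or Server). The check function is deliberately read-only so it can be pointed at every policy in a fleet before any change is made; the Set-RuleOption line is the single change that turns the "mild nuisance" policy described above into one that constrains PowerShell as well.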

#wdacwednesday #dfe
