Device Guard Configuration
This is another example of a misplaced-trust bypass: a trusted, signed binary that can allow unapproved code execution.
I'll keep this post short and sweet.
This tool is well documented on MSDN:
How to Use the Debug Diagnostic Tool v1.1 (DebugDiag) to Debug User Mode Processes
Read that carefully ;-)
So... dbghost will execute .vbs scripts. The next question is, what form? Anything special to do?
This is what caught my eye:
'Load the .NET debugger extension sos.dll (2.0 version)
CmdOutput = g_Debugger.Execute("!load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll")
'Get the size of the GC
CmdOutput = g_Debugger.Execute("!eeheap -gc")
Couple of things there. If you are familiar with WinDbg, you will recognize that this allows you to not only execute .vbs, but to run WinDbg commands from the script too.
Check out Matt Graeber's example of some things you could do with windbg scripts:
Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
That's it, I'll leave it for you to explore your own implementation here.
Special thanks to Matt Graeber and Matt Nelson for the ideas, inspiration, and confirmation of the bypass.
This tool is not installed by default, but it may be in your fleet.
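From the defender's side, here is an added example (not code from the original post or from DebugDiag) that covers the two points above: dbghost.exe running a .vbs script is the behaviour to watch, and the tool may be present in a fleet without anyone planning for it. The script runs over constructed Sysmon-style process-creation records; the field names follow Sysmon's Event ID 1 schema, but every host name, user, path and command line is made up, and the shape of dbghost.exe's arguments is an assumption rather than documented syntax, so the rule keys on the image name and a .vbs argument instead of a particular switch.

```python
import ntpath
import re
from typing import Dict, List, Set

# Constructed Sysmon-style process-creation records (Event ID 1). Field names
# mirror Sysmon; every value is invented for this example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # a user launching dbghost.exe with a script dropped in %TEMP%
        "EventID": 1, "Computer": "WS-0142", "User": "CORP\\alice",
        "Image": r"C:\Program Files\DebugDiag\dbghost.exe",
        # argument shape is an assumption, not DebugDiag's documented syntax
        "CommandLine": r'"C:\Program Files\DebugDiag\dbghost.exe" C:\Users\alice\AppData\Local\Temp\collect.vbs',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process, must not be flagged
        "EventID": 1, "Computer": "WS-0142", "User": "CORP\\alice",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # dbghost.exe run by a service account with a script under the install directory
        "EventID": 1, "Computer": "SRV-IIS01", "User": "CORP\\svc_debug",
        "Image": r"C:\Program Files\DebugDiag\dbghost.exe",
        "CommandLine": r'"C:\Program Files\DebugDiag\dbghost.exe" "C:\Program Files\DebugDiag\Scripts\SampleAnalysis.vbs"',
        "ParentImage": r"C:\Program Files\DebugDiag\DebugDiagService.exe",  # constructed name
    },
    {   # another DebugDiag component without a script argument (constructed name)
        "EventID": 1, "Computer": "WS-0207", "User": "CORP\\bob",
        "Image": r"C:\Program Files\DebugDiag\DebugDiag.Analysis.exe",
        "CommandLine": r'"C:\Program Files\DebugDiag\DebugDiag.Analysis.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Tokens are either a double-quoted run (spaces allowed) or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Locations an ordinary user can write to; scripts launched from here rank higher.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(Users|Temp|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
TARGET_IMAGE = "dbghost.exe"


def split_command_line(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def _is_dbghost(event: Dict[str, object]) -> bool:
    return event.get("EventID") == 1 and ntpath.basename(str(event["Image"])).lower() == TARGET_IMAGE


def dbghost_script_findings(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag dbghost.exe invocations that pass a .vbs script on the command line.

    A script from a user-writable location is rated high; one from a fixed
    install path is rated low so it can be compared against the approved set.
    """
    findings: List[Dict[str, str]] = []
    for event in events:
        if not _is_dbghost(event):
            continue
        args = split_command_line(str(event["CommandLine"]))[1:]  # drop argv[0]
        for script in (a for a in args if a.lower().endswith(".vbs")):
            writable = USER_WRITABLE_RE.match(script) is not None
            findings.append({
                "computer": str(event["Computer"]),
                "user": str(event["User"]),
                "script": script,
                "severity": "high" if writable else "low",
                "reason": ("dbghost.exe executing a VBScript from a user-writable path" if writable
                           else "dbghost.exe executing a VBScript from a fixed path; review against approved scripts"),
            })
    return findings


def dbghost_hosts(events: List[Dict[str, object]]) -> Set[str]:
    """Inventory: hosts on which dbghost.exe has been observed running at all."""
    return {str(e["Computer"]) for e in events if _is_dbghost(e)}


if __name__ == "__main__":
    for f in dbghost_script_findings(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['computer']} {f['user']} -> {f['script']}: {f['reason']}")
    print("hosts with dbghost.exe:", sorted(dbghost_hosts(SAMPLE_EVENTS)))
```

The inventory set is the input to the policy decision: a host that never runs DebugDiag legitimately has no reason to keep a binary that can execute arbitrary scripts and WinDbg commands, so it can be removed or explicitly denied in the Device Guard policy, and the remaining hosts get the script-path rule above as a detection.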
That's all for now. Reading MSDN pays off again ;-)