BSides Toronto 2020

Windows Defender Exploit Guard v Unpatched Software and Zero Day exploits
2020-10-18, 14:00–14:20, Twitch

We'll use a handful of demonstrations to show how Windows Defender Exploit Guard can be quickly configured to protect otherwise vulnerable applications against exploits and common adversary techniques. We'll talk about how to set things up quickly in an enterprise environment and discuss the mistakes we made in our Exploit Guard journey so that you can avoid them for your company.


Windows Defender Exploit Guard is the built-in replacement for EMET in Windows 10. It provides protection against the most common exploit approaches and can be configured quickly and easily to either prevent them or log alerts if they are detected. In this short talk we'll configure Exploit Guard on an otherwise vulnerable test application and demonstrate how Exploit Guard has the potential to provide significant cover against zero-day vulnerabilities and applications that you've been unable to patch. We'll also talk through the way it can be deployed in an enterprise setting and list the mistakes we made when we first attempted to do so. By the end of the talk you'll have a solid understanding of how to quickly start testing Exploit Guard for the applications most important to you; how to deploy it on a single computer, or at scale; and which configurations are likely to cause more harm than good with this powerful, free and built-in Windows defensive capability.

Chad is currently an Infrastructure Security Engineer at Palantir.

Prior to Palantir he worked on Active Directory and Security at Microsoft & was lucky enough to be in the right place at the right time to become a Microsoft Certified Master (MCM) for Directory Services (Active Directory) as part of the gig. He also spent some time in the Windows Engineering team working on Kernel Security & the Registry.

During the work day, most of his time is spent helping to build secure systems and infrastructure. Any free nerd hours outside of the office are spent on offensive security and exploit development.