WDAC policies

Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.