In a recent turn of events that has left Windows users on edge, elite red team hackers have unveiled a significant vulnerability in the Windows ecosystem. Following a series of alarming incidents—including a zero-day vulnerability compromising Windows passwords and a ransomware scheme offering a 0,000 threat for rent—security concerns have escalated further with the confirmation of a method to bypass Windows Defender Application Control (WDAC). This security feature, designed to restrict application execution to trusted software, now faces scrutiny as its integrity is challenged.
Windows Defender Application Control Bypass
For those unfamiliar with Windows Defender Application Control, it serves as a protective measure against malware and untrusted software. According to Microsoft, this tool is intended to prevent malicious code from executing by ensuring that only verified software can run on a device. Essentially, WDAC acts as a security boundary, maintaining a list of approved applications that are deemed safe for use on personal computers. Notably, any successful bypass of this system is eligible for Microsoft’s bug bounty program, attracting the attention of skilled hackers eager to exploit potential weaknesses.
Bobby Cooke, a red team operator at IBM X-Force Red, has confirmed that the Microsoft Teams application presented a viable target for bypassing WDAC. During their operations, Cooke’s team successfully navigated around the security controls, executing their Stage 2 Command and Control payload with alarming ease.
The Windows Defender Bypass Methodology
While the full report detailing the attack is highly technical and essential reading for security professionals, a brief overview of the techniques employed by the X-Force Red team reveals the sophistication of their approach:
- Utilized a known method involving “Living Off The Land Binaries” (LOLBINS), which allows malicious activities to be concealed within pre-installed Windows system binaries, such as MSBuild.exe.
- Side-loaded a trusted application with an untrusted dynamic link library (DLL), effectively bypassing security measures.
- Exploited a custom exclusion rule from a client WDAC policy, creating an opening for attack.
- Discovered a new execution chain within a trusted application that facilitated the deployment of their Command and Control infrastructure.
To mitigate these vulnerabilities, organizations must implement the recommended WDAC block list rules or utilize alternative solutions capable of detecting common LOLBINs. Additionally, ensuring that Windows Defender Application Control is enabled with enforced DLL signing can help thwart such bypass attempts.
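To make the mitigations concrete, the following added example (not from the article or from X-Force Red) audits a WDAC policy XML for three of the weaknesses described above: audit-only mode, missing deny rules for known LOLBINs such as MSBuild.exe, and path-based allow rules on user-writable folders of the kind the team used as a client exclusion. The LOLBIN list, the writable-path prefixes and the sample policy are constructed for illustration; consult Microsoft's published block rules for the full set.

```python
import xml.etree.ElementTree as ET

SI = "{urn:schemas-microsoft-com:sipolicy}"  # namespace used by WDAC/CI policy XML

# Constructed subset of binaries the recommended block rules deny; the article
# names MSBuild.exe, the other two are illustrative.
EXPECTED_DENIES = {"msbuild.exe", "mshta.exe", "wmic.exe"}
# Constructed heuristic: path prefixes a standard user can normally write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

def audit_wdac_policy(xml_text: str) -> list[str]:
    """Return findings for a WDAC policy XML (empty list means none of the checks fired)."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. An audit-mode policy only logs violations; nothing is actually blocked.
    options = {o.text.strip() for o in root.iter(f"{SI}Option") if o.text}
    if "Enabled:Audit Mode" in options:
        findings.append("policy is in audit mode; nothing is enforced")
    # 2. Deny rules for the known LOLBINs must be present (matched on FileName).
    denied = {d.get("FileName", "").lower() for d in root.iter(f"{SI}Deny")}
    for lolbin in sorted(EXPECTED_DENIES - denied):
        findings.append(f"missing deny rule for LOLBIN {lolbin}")
    # 3. Allow-by-path rules on user-writable folders are exclusions an attacker can fill.
    for allow in root.iter(f"{SI}Allow"):
        path = allow.get("FilePath", "")
        if path.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"allow rule {allow.get('ID')} trusts user-writable path {path}")
    return findings

# Constructed sample policy: audit mode on, MSBuild denied, wildcard allow under C:\Users.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.exe"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Allow ID="ID_ALLOW_CLIENT_TOOL" FriendlyName="Client exclusion"
           FilePath="C:\\Users\\*\\Tools\\*" />
  </FileRules>
</SiPolicy>"""

if __name__ == "__main__":
    for finding in audit_wdac_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run against an exported policy (`ConvertFrom-CIPolicy` works the other way; keep the XML source you deploy from) the script reports four findings on the sample: audit mode, two missing LOLBIN denies, and the user-writable allow rule.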
In response to these developments, a Microsoft spokesperson acknowledged awareness of the WDAC bypass report, stating, “We are aware of this report and will take action as needed to help keep customers protected.”