Hackers Bypass Windows Defender Security Controls with $500,000 Threat

A new security threat has emerged, allowing hackers to bypass the Windows Defender Application Control (WDAC) security layer. This vulnerability was discovered by IBM X-Force red team operator Bobby Cooke and could have significant implications for device security.

Windows Defender Application Control is designed to protect devices against malware and untrusted software. It works by enforcing a list of specific software that is trusted enough to run on a PC. However, hackers have found a way to bypass this layer using the Microsoft Teams application.

According to IBM X-Force, Cooke used a “Living Off The Land Binaries” method to hide malicious activity within a known, pre-installed Windows system binary. He also exploited a custom exclusion rule from a client WDAC policy and side-loaded a trusted application with an untrusted dynamic-link library (DLL).

The hackers found that Node.js, the JavaScript runtime used in Electron applications, provided a powerful API for interacting with the host operating system; the gap between that API and the application was bridged by Node modules, which could execute JavaScript within Electron applications.

To mitigate this vulnerability, customers must implement recommended block list rules or use another solution to detect common “Living Off The Land Binaries.” Additionally, Windows Defender Application Control should be enabled without enforcing DLL signing.
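As an added illustration (not from the article or from IBM X-Force), the short Python check below parses a constructed WDAC policy XML and reports three things a defender would want to verify after deploying block rules: whether the policy is still in audit mode, which names from a caller-supplied block list have no Deny rule, and which Allow rules are path-based exclusions of the kind the report says was abused. The sample policy, its rule IDs and the three block-list names are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# WDAC (code integrity) policy XML namespace.
NS = {"ci": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy: audit mode left on, one path-based Allow rule
# (a custom exclusion), and Deny rules for two binaries.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Teams exclusion" FilePath="C:\\\\Program Files\\\\Teams\\\\*" />
    <Deny ID="ID_DENY_D_1" FriendlyName="mshta" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_D_2" FriendlyName="wscript" FileName="wscript.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
"""

# Assumed block list for the demo; in practice this comes from
# Microsoft's published recommended block rules.
REQUIRED_DENIES = {"mshta.exe", "wscript.exe", "cscript.exe"}


def audit_policy(xml_text: str, required_denies: set[str]) -> dict:
    """Return audit findings for a WDAC policy XML document."""
    root = ET.fromstring(xml_text)
    options = {o.text.strip() for o in root.findall("ci:Rules/ci:Rule/ci:Option", NS) if o.text}
    # Deny rules keyed by the file name they block (case-insensitive).
    denies = {d.get("FileName", "").lower() for d in root.findall("ci:FileRules/ci:Deny", NS)}
    # Allow rules that trust a path rather than a signature or hash are the
    # "custom exclusion" pattern worth reviewing.
    path_allows = [a.get("ID") for a in root.findall("ci:FileRules/ci:Allow", NS) if a.get("FilePath")]
    return {
        "audit_mode": "Enabled:Audit Mode" in options,
        "missing_denies": sorted(n for n in required_denies if n.lower() not in denies),
        "path_allow_rules": path_allows,
    }


if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY, REQUIRED_DENIES).items():
        print(f"{key}: {value}")
```

Run against a real exported policy, a non-empty `missing_denies` list or `audit_mode: True` means the block rules are not yet doing any enforcing.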

Microsoft has confirmed the report. A company spokesperson said, “We are aware of this report and will take action as needed to help keep customers protected.”

This latest security threat highlights the importance of keeping software up-to-date and using robust security measures to protect devices from malware and untrusted software.

Source: https://www.forbes.com/sites/daveywinder/2025/03/30/hackers-bypass-windows-defender-security-what-you-need-to-know