2025-03-18

Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.

Typical outcomes of a WDAC bypass bug bounty submission:

- Bypass is fixed; possible bounty awarded.
- Bypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded, but an honorable mention is typically given.
- Bypass is not fixed, no bounty awarded, no honorable mention.

Looking at Microsoft’s WDAC recommended block list, we see legends like Jimmy Bayne (@bohops) and Casey Smith (@subTee) have discovered WDAC bypasses that remain unfixed but have been given honorable mentions. Looking beyond this list, the LOLBAS Project contains additional unfixed bypasses that have not been acknowledged in Microsoft's block list. One example is the Microsoft Teams application, which remains a viable WDAC bypass despite being documented in LOLBAS.

When encountering WDAC during Red Team Operations, we successfully bypassed it and executed our Stage 2 Command and Control (C2) payload using the following techniques:

1. Use a known LOLBIN like MSBuild.exe
   - Works if the client has not implemented the recommended block list rules.
   - Many EDR solutions with “100% MITRE Coverage” have detections for these well-known LOLBINs.

2. DLL side-load a trusted application with an untrusted DLL
   - Effective if WDAC is enabled but not enforcing DLL signing.

3. Exploit a custom exclusion rule from the client's WDAC policy
   - CRTO2 by Daniel Duggan (@_RastaMouse) does a great job covering this.
   - Viable if starting from an assumed-breach position with VDI/RDP access.

4. Find a new execution chain in a trusted application that allows C2 deployment
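A defender-side check for the gap behind technique 1, added here as an example and not code from the original post: it parses a WDAC policy XML and reports whether user-mode code integrity (`Enabled:UMCI`) is on, whether the policy is only in audit mode, and whether a Deny rule for MSBuild.exe is present and actually referenced from the user-mode SigningScenario (a Deny that only sits under FileRules is never applied). The sample policy is constructed, and `audit_policy` with its findings keys is my own naming.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
USER_MODE_SCENARIO = "12"  # SigningScenario Value for user-mode code (UMCI)

# Constructed sample policy: UMCI is on and the recommended Deny rule for MSBuild.exe
# exists under <FileRules>, but no SigningScenario references it, so it blocks nothing.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners><FileRulesRef /></ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""


def audit_policy(policy_xml, required_blocks=("MSBuild.exe",)):
    """Report enforcement state and which required Deny rules are missing or unreferenced."""
    root = ET.fromstring(policy_xml)
    options = {o.text.strip() for o in root.iterfind("si:Rules/si:Rule/si:Option", NS)}
    # A file rule only takes effect when a SigningScenario references its ID.
    live_ids = set()
    for scenario in root.iterfind("si:SigningScenarios/si:SigningScenario", NS):
        if scenario.get("Value") == USER_MODE_SCENARIO:
            for ref in scenario.iterfind(".//si:FileRulesRef/si:FileRuleRef", NS):
                live_ids.add(ref.get("RuleID"))
    deny_ids = {}  # lower-case FileName -> list of Deny rule IDs
    for deny in root.iterfind("si:FileRules/si:Deny", NS):
        deny_ids.setdefault((deny.get("FileName") or "").lower(), []).append(deny.get("ID"))
    findings = {
        "umci_enabled": "Enabled:UMCI" in options,
        "audit_mode": "Enabled:Audit Mode" in options,  # audit mode logs but blocks nothing
        "missing_deny": [],
        "unreferenced_deny": [],
    }
    for binary in required_blocks:
        ids = deny_ids.get(binary.lower(), [])
        if not ids:
            findings["missing_deny"].append(binary)
        elif not any(i in live_ids for i in ids):
            findings["unreferenced_deny"].append(binary)
    return findings
```

Run it against an exported policy XML (for example the output of a ConvertFrom-CIPolicy round trip) and treat any non-empty `missing_deny` or `unreferenced_deny` list, or `audit_mode` being true, as a finding.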