Every Windows PC comes with a built-in security feature called Windows Defender Application Control (WDAC). It helps prevent unauthorized software from running by allowing only trusted applications to execute.
However, despite its purpose, hackers have discovered several ways to bypass WDAC, exposing systems to malware, ransomware and other cyber threats.
As a result, what was once considered a strong defence layer can become a potential weakness if it is not properly managed.
Image of a Windows laptop. (Kurt “Cyberguy” Knutsson)
What is Windows Defender Application Control (WDAC) bypass?
Windows Defender Application Control (WDAC) is a Windows security feature that enforces strict rules about which applications are allowed to execute. It helps block rogue software, but researchers have found ways to bypass these protections.
Bobby Cook, Red Team Operator for IBM X-Force Red, confirmed that Microsoft Teams can be used as a WDAC bypass. He explained that during red team operations he was able to evade WDAC and run stage 2 command-and-control payloads.
To find and fix these security gaps, Microsoft runs a bug bounty program that rewards researchers for reporting vulnerabilities in WDAC and other security components. However, some bypass techniques have gone unpatched for a long period of time.

The Microsoft Teams Electron API surface exposed. (IBM)
How hackers bypass Windows Defender application controls
One important way for attackers to evade WDAC is to use Living Off the Land Binaries, or LOLBins. These are legitimate system tools pre-installed on Windows, but they can be repurposed to run rogue code while avoiding security detection. Because the system already trusts these tools, they provide an easy way to slide past defenses.
Other bypass techniques are DLL-based: an attacker tricks a legitimate application into loading a malicious DLL instead of the one it was meant to load. Furthermore, if the WDAC policy is not properly enforced, an attacker can change the execution rules so that malicious software is allowed to run.
Hackers also use unsigned or loosely signed binaries. WDAC relies on code signing to verify that an application can be trusted. However, an attacker may abuse misconfigurations in which loosely signed or unsigned binaries are mistakenly permitted, allowing malicious payloads to execute.
If an attacker bypasses WDAC, the payload can execute without being flagged by traditional security solutions. This means they can deploy ransomware, install backdoors, and move laterally within a network without raising immediate suspicion. Many of these attacks use built-in Windows tools, making detection of malicious activity even more difficult.
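Because a policy that is absent or left in audit mode blocks nothing, a defender's first check is whether WDAC is actually enforcing. The following PowerShell is an added example (not from the article or IBM) that reads the Device Guard status class Windows exposes and lists recent Code Integrity events; the event IDs 3076 (audit-mode "would have blocked") and 3077 (enforced block) and the status values 0/1/2 are Microsoft's documented values.

```powershell
# Added example: report WDAC enforcement state and recent Code Integrity decisions.
# Run as Administrator on the machine being checked.

# Win32_DeviceGuard exposes the current code integrity policy state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Documented meaning of the enforcement status values.
$labels = @{ 0 = 'Off'; 1 = 'Audit only (logs, does not block)'; 2 = 'Enforced' }

[pscustomobject]@{
    KernelModeCodeIntegrity = $labels[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrity   = $labels[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# Recent Code Integrity events: 3076 = would have been blocked (audit), 3077 = blocked (enforced).
# A steady stream of 3076 with no 3077 means the policy has never been switched to enforcement.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

If both status values read "Audit only" or "Off", the bypass techniques described above are not even being tested against a blocking policy on that machine.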
3 Ways to Protect Your PC from WDAC Hackers
This attack exploits vulnerabilities within WDAC, so there is little that can be done to fully protect yourself. It’s up to Microsoft to fix the issue. However, here are three best practices you can follow to reduce your risk:
1. Keep Windows updated: Microsoft regularly releases security updates that patch vulnerabilities, including those related to WDAC. Keeping Windows and Microsoft Defender up to date ensures you have the latest protection against known threats. If you don’t know how to do that, take a look at my guide to updating all your devices and apps.
2. Be careful when downloading software: Install applications only from trusted sources, such as the Microsoft Store and official vendor websites. Avoid pirated software, as it can be bundled with malicious code designed to bypass security protections like WDAC.
3. Use strong antivirus software: Based on the report, it does not appear that hackers need user interaction to bypass WDAC. The described methods suggest that attackers can exploit these weaknesses without direct user input, especially if they already have some access to the system.
However, in real-world scenarios, attackers often combine such exploits with social engineering or phishing to gain initial access. For example, an attacker who gains access through a phishing attack might then use a WDAC bypass to execute additional malicious payloads.
Therefore, while some bypass techniques may not require direct user input, attackers often rely on user actions as the entry point before exploiting the WDAC weakness. The best way to avoid becoming a victim is to install strong antivirus software. Get my picks for the best 2025 antivirus protection winners for Windows, Mac, Android and iOS devices.
Kurt’s key takeaways
Windows Defender Application Control (WDAC) offers a valuable layer of security, but it is not infallible. Hackers are actively developing WDAC bypass techniques to exploit gaps in the system’s defenses. Understanding how WDAC bypasses work is essential to protecting your device. Keeping your software up to date, using trusted applications, and relying on reputable security tools can significantly reduce your risk.
Do you think Microsoft is doing enough to patch these vulnerabilities, or should it take stronger action? Let us know by writing us at cyberguy.com/contact
Copyright 2025 cyberguy.com. Unauthorized reproduction is prohibited.