Hackers Bypass Windows Defender Security: What You Need To Know
www.forbes.com
Hackers bypass Windows Defender security controls. SOPA Images/LightRocket via Getty Images

Just when you thought that things couldn't get much scarier for Windows users, elite red team hackers go and prove you wrong. First, there was a zero-day vulnerability leaving Windows passwords up for grabs, then a ransomware shocker as criminals put a $500,000 Windows threat up for rent, and even the discovery of a Windows rootkit to contend with. Now, it has been confirmed that there's a way to bypass Windows Defender Application Control, which is meant to restrict application execution to trusted software, with all the implications that brings to the security party. Here's what you need to know.

Windows Defender Application Control Bypass

You might not have heard of Windows Defender Application Control, so let's briefly explain what it does. In fact, let Microsoft explain: it "is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run," Microsoft said. In other words, it's a software-based security layer enforcing a list of specific software that is trusted enough to be allowed to run on your PC. It's also what is known as a security boundary, and eligible for Microsoft bug bounty payments if it can be bypassed. This means, dear reader, there are a lot of hackers' eyes on the thing, and one of them just found a way to do precisely that: bypass Windows Defender Application Control.

Bobby Cooke, a red team operator working at IBM X-Force Red, or an elite hacker for want of a better definition, has confirmed that the Microsoft Teams application "was a viable WDAC bypass target" and, "when encountering WDAC during Red Team Operations, we successfully bypassed it and executed our Stage 2 Command and Control payload."

Uh oh, Buck, bedoop, bedoop, bedoop.

The Windows Defender Bypass Methodology

You should go and read the full report, which is highly technical and seriously useful for any security defender, for all the attack details, as it's way too complex to cover here. However, the TL;DR when it comes to the techniques used by the X-Force Red team hackers to bypass the Windows Defender security controls and execute the payload is as follows:

1. Used a known Living Off The Land Binaries (LOLBins) method. LOLBins can hide malicious activity within a known and pre-installed Windows system binary, such as MSBuild.exe.
2. Side-loaded a trusted application with an untrusted dynamic link library.
3. Exploited a custom exclusion rule from a client WDAC policy.
4. Found a new execution chain in a trusted application to allow the C2 deployment.

Mitigating number one requires the client to have implemented the recommended block list rules, or to be using another solution that can detect the most common LOLBins. Number two is only effective if Windows Defender Application Control is enabled without enforcing DLL signing.

I contacted Microsoft regarding the Windows Defender Application Control bypass, and a spokesperson said, "We are aware of this report and will take action as needed to help keep customers protected."
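The mitigations above come down to two questions a defender can ask of a WDAC policy file: does it carry deny rules for the common LOLBins, and does it contain the kind of broad, custom exclusion rule the red team abused? The following audit script is an added example written for this page, not code from the article or from IBM X-Force Red. It parses a constructed policy XML modelled on the WDAC SiPolicy schema (the namespace, Rules/Option, and FileRules Deny/Allow elements are real; the sample content is made up), and reports missing deny rules for a small watch list (MSBuild.exe is named in the article; mshta.exe is assumed as a second entry), audit-mode enforcement, and wildcard path-based allow rules.

```python
"""Audit a WDAC policy XML for weaknesses the article's mitigations point at:
missing LOLBin deny rules, audit-only enforcement, and broad path allow rules."""
import xml.etree.ElementTree as ET

# Real namespace used by WDAC policy files.
NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed watch list: MSBuild.exe comes from the article; mshta.exe is an
# assumption about what an administrator would also want denied.
LOLBIN_WATCHLIST = {"msbuild.exe", "mshta.exe"}

# Constructed sample policy (not from the page), shaped like a real SiPolicy file.
# It deliberately lacks an MSBuild.exe deny rule, runs in audit mode, and carries a
# wildcard allow rule of the sort a client might add as a custom exclusion.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Allow ID="ID_ALLOW_TOOLS" FriendlyName="Client tooling" FilePath="C:\\Tools\\*" />
  </FileRules>
</SiPolicy>
"""


def audit_policy(xml_text):
    """Return a list of human-readable findings for the given policy XML."""
    root = ET.fromstring(xml_text)
    findings = []

    # Rule options decide whether user-mode code is controlled and whether
    # violations are blocked or merely logged.
    options = {
        o.text.strip()
        for o in root.findall("si:Rules/si:Rule/si:Option", NS)
        if o.text
    }
    if "Enabled:UMCI" not in options:
        findings.append("UMCI not enabled: user-mode binaries are not controlled")
    if "Enabled:Audit Mode" in options:
        findings.append("policy is in audit mode: violations are logged, not blocked")

    # Mitigation one: every LOLBin on the watch list should have a Deny rule.
    denied = {
        d.get("FileName", "").lower()
        for d in root.findall("si:FileRules/si:Deny", NS)
    }
    for lolbin in sorted(LOLBIN_WATCHLIST - denied):
        findings.append(f"no Deny rule for {lolbin}")

    # Technique three: wildcard path allow rules are broad exclusions worth review.
    for allow in root.findall("si:FileRules/si:Allow", NS):
        path = allow.get("FilePath")
        if path and "*" in path:
            findings.append(f"wildcard path allow rule {allow.get('ID')}: {path}")

    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("-", finding)
```

Run against the constructed sample, the script reports the missing MSBuild.exe deny rule, the audit-only mode, and the C:\Tools\* exclusion. Against a real exported policy, the watch list should be replaced with the full Microsoft recommended block list, and any wildcard allow finding should be matched against what the path actually contains, since a writable directory covered by such a rule is exactly the kind of gap a side-loaded DLL can slip through.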