Bypassing Windows Defender Application Control with WinDbg Preview from the Microsoft Store
Windows Defender Application Control (WDAC) policies can be bypassed: an attacker can use the WinDbg Preview tool from the Microsoft Store to sidestep the enforced policy. The debugger's own features are used to write malicious code into the memory of a legitimate process and to drive the Windows API calls that inject it into a remote process. WDAC blocked unsigned executables and DLLs, but the gap existed because the Microsoft Store had not been disabled and WinDbgX.exe was not explicitly blocked. Organizations are advised to disable the Microsoft Store, update their WDAC policies and monitor the relevant API activity. 2025-04-21 14:28 Author: cybersecuritynews.com

Windows Defender Policies Bypassed

A significant gap in Windows Defender Application Control (WDAC) deployments shows how attackers can circumvent strict application-control policies with one of Microsoft's own debugging tools.

The bypass uses WinDbg Preview, installed from the Microsoft Store, to inject code into a legitimate process, sidestepping controls designed to prevent unauthorized code execution.

WDAC Bypass via Microsoft Store

In an “assume breached” engagement documented on April 7, 2025, researchers found that even where an organization enforces a robust WDAC policy that blocks unsigned executables and DLLs, leaving the Microsoft Store accessible is a critical oversight.

The gap stems from Microsoft’s recommended WDAC block rules, which list the legacy windbg.exe but do not cover the newer WinDbg Preview executable (WinDbgX.exe) that the Microsoft Store installs.

“The enforced WDAC policies basically made it impossible to run any unsigned executables or load unsigned DLLs, the various lolbins were explicitly blocked as well”, CerberSec reports.

“To my surprise, the Microsoft Store had not been disabled and allowed installing verified applications such as WinDbg Preview edition”.

The bypass is a multi-stage process built on WinDbg’s scripting and debugging features. First, the attacker converts the shellcode into WinDbg script form with a custom Python script.

The generated script writes the shellcode into memory byte by byte using WinDbg’s .foreach and eb commands.
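The conversion step described above, as an added example (not the author's script and not from the original article): it parses the `"\xNN"` C-string form that most shellcode generators emit and produces either chunked `eb` lines or the byte-per-iteration `.foreach /s` loop the write-up describes. The pseudo-register names, the `$$` comment line and the sample bytes (a nop/nop/int3/ret sequence standing in for real shellcode) are constructed assumptions; the debugger must already hold a writable address in the named pseudo-register.

```python
"""
Turn raw shellcode bytes into WinDbg commands that write them into the debuggee.

Two output styles are produced:
  * chunked `eb` lines (several bytes per command) relative to a pseudo-register
  * one `.foreach /s` loop that writes a single byte per iteration and advances
    the pointer, the style the write-up attributes to the author's converter.
"""
import re
from typing import List

# Constructed placeholder bytes (nop, nop, int3, ret); stands in for real shellcode.
SAMPLE_BYTES = bytes([0x90, 0x90, 0xCC, 0xC3])

# Constructed example of the C-string form most shellcode generators emit.
SAMPLE_C_STRING = r'"\x90\x90\xcc\xc3"'


def parse_c_string(text: str) -> bytes:
    """Parse '\\xNN' escapes (msfvenom/C style output) into bytes."""
    hex_pairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    if not hex_pairs:
        raise ValueError("no \\xNN escapes found")
    return bytes(int(h, 16) for h in hex_pairs)


def eb_script(code: bytes, base: str = "@$t0", chunk: int = 16) -> List[str]:
    """Emit `eb <base>+<off> b0 b1 ...` lines; `base` must already hold a writable address.

    WinDbg's default radix is 16, so the two-digit tokens are read as hex bytes.
    """
    lines = [f"$$ write {len(code)} bytes at {base}"]
    for off in range(0, len(code), chunk):
        block = " ".join(f"{b:02x}" for b in code[off:off + chunk])
        lines.append(f"eb {base}+{off:#x} {block}")
    return lines


def foreach_script(code: bytes, base: str = "@$t0") -> List[str]:
    """Emit a `.foreach /s` loop: one `eb` per byte, pointer kept in $t1."""
    tokens = " ".join(f"{b:02x}" for b in code)
    return [
        f"r $t1 = {base}",
        f'.foreach /s (byte "{tokens}") {{ eb @$t1 byte; r $t1 = @$t1 + 1 }}',
    ]


def bytes_from_eb_script(lines: List[str]) -> bytes:
    """Re-assemble bytes from eb_script() output, to check the encoding round-trips."""
    out = bytearray()
    for line in lines:
        m = re.match(r"eb \S+\+(0x[0-9a-f]+) (.+)$", line)
        if not m:
            continue  # comment line
        off = int(m.group(1), 16)
        if off != len(out):
            raise ValueError("eb lines out of order")
        out.extend(int(h, 16) for h in m.group(2).split())
    return bytes(out)


if __name__ == "__main__":
    code = parse_c_string(SAMPLE_C_STRING)
    print("\n".join(eb_script(code)))
    print("\n".join(foreach_script(code)))
```

Redirect the output to a `.wds` file and run it with `$$>a<` once the target is attached; `bytes_from_eb_script()` exists so the generated script can be checked against the input before it is used.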

With the shellcode in memory, the attacker then uses WinDbg’s ability to manipulate register state to stage and execute a sequence of Windows API calls that perform a remote process injection. The technique follows the classic pattern:

  • OpenProcess() to gain access to the target process.
  • VirtualAllocEx() to allocate memory in the target process.
  • WriteProcessMemory() to copy the shellcode.
  • CreateRemoteThread() to execute the shellcode.

The whole chain relies on WinDbg’s built-in r and eq commands: r sets the registers that carry the first four arguments under the x64 calling convention (RCX, RDX, R8, R9), and eq writes 8-byte values into memory where a pointer or buffer is needed, before execution is redirected to the API function.

This technique is particularly concerning because it weaponizes a legitimate, Microsoft-signed tool against a control that decides only what is allowed to run: the debugger itself is permitted by the policy, and the injected code never exists on disk as an unsigned executable or DLL, so WDAC’s file-level checks never see it.

Under the hood, WinDbg Preview drives the target with SetThreadContext() calls, which security products may not flag when they come from a trusted Microsoft application.

Mitigations

Security experts recommend immediate action for organizations that rely on WDAC:

  • Disable the Microsoft Store in hardened environments.
  • Explicitly include WinDbgX.exe in WDAC blocking policies.
  • Monitor for suspicious SetThreadContext() calls, particularly from debugging tools; where the telemetry does not expose that API, the OpenProcess() and CreateRemoteThread() steps of the same chain are still visible as cross-process access and remote-thread events with the debugger as the source process.
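A FileName-based Deny rule for the WinDbg Preview executable, written in the same shape as the entries in Microsoft's recommended block rules; it is added here as an illustration and is not taken from Microsoft's list or from the original article. The rule ID and friendly name are arbitrary, and the all-65535 MinimumFileVersion is the convention those rules use to deny every version of a file. The FileName attribute matches the OriginalFileName in the binary's version resource, not the name on disk, so check the Store package's executables (the shell may run as a differently named binary behind a WinDbgX.exe app alias) with `(Get-Item <path>).VersionInfo.OriginalFilename` before merging this fragment into a policy.

```xml
<!-- Merge into an existing WDAC policy XML (e.g. with Merge-CIPolicy); IDs are placeholders. -->
<FileRules>
  <Deny ID="ID_DENY_WINDBGX" FriendlyName="WinDbgX.exe (WinDbg Preview)"
        FileName="WinDbgX.exe" MinimumFileVersion="65535.65535.65535.65535" />
</FileRules>
<SigningScenarios>
  <!-- Value="12" is the user-mode code integrity scenario; the Deny must be referenced here to take effect. -->
  <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode code integrity">
    <ProductSigners>
      <FileRulesRef>
        <FileRuleRef RuleID="ID_DENY_WINDBGX" />
      </FileRulesRef>
    </ProductSigners>
  </SigningScenario>
</SigningScenarios>
```

After merging, convert the XML to a binary policy, deploy it in audit mode first and confirm in the CodeIntegrity event log that launching the debugger is the only thing the new rule blocks.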
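The monitoring recommendation above, as an added example that is not part of the original article: a small detector run over constructed Sysmon-style events. Sysmon does not record SetThreadContext(), but it does record the OpenProcess() step (Event ID 10, ProcessAccess, with the requested access mask) and the CreateRemoteThread() step (Event ID 8) of the chain the article describes, with the debugger as SourceImage. The debugger image names, the Store package path and every event below are assumptions constructed for the example.

```python
"""
Flag cross-process access originating from a debugger binary in Sysmon-style events.

Event ID 10 (ProcessAccess) carries the access mask handed back by OpenProcess();
Event ID 8 (CreateRemoteThread) is the remote-thread creation itself.
"""
from typing import Dict, List

# Assumed image names for legacy WinDbg and the Store build; confirm against your inventory.
DEBUGGER_IMAGES = {"windbgx.exe", "dbgx.shell.exe", "windbg.exe", "cdb.exe"}

# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights an
# injector needs; a read-only inspection (VM_READ / QUERY_INFORMATION) does not set them.
INJECT_MASK = 0x0002 | 0x0008 | 0x0020

# Constructed sample telemetry; paths and masks are illustrative, not captured data.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "10", "SourceImage": r"C:\Program Files\WindowsApps\Microsoft.WinDbg_x64\DbgX.Shell.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "8", "SourceImage": r"C:\Program Files\WindowsApps\Microsoft.WinDbg_x64\DbgX.Shell.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x1A2B3C0000"},
    # Read-only attach to the developer's own program: should not fire.
    {"EventID": "10", "SourceImage": r"C:\Program Files\WindowsApps\Microsoft.WinDbg_x64\DbgX.Shell.exe",
     "TargetImage": r"C:\Users\dev\app\myapp.exe", "GrantedAccess": "0x1410"},
    # Not a debugger: out of scope for this rule.
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_debugger_injection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event where a debugger opens a process with injection
    rights or creates a thread in it."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        src = basename(ev["SourceImage"])
        if src not in DEBUGGER_IMAGES:
            continue
        eid = ev["EventID"]
        if eid == "8":
            reason = "CreateRemoteThread from debugger"
        elif eid == "10" and int(ev["GrantedAccess"], 16) & INJECT_MASK:
            reason = f"OpenProcess with write/thread rights ({ev['GrantedAccess']})"
        else:
            continue
        alerts.append({"rule": reason, "source": src,
                       "target": basename(ev["TargetImage"])})
    return alerts


if __name__ == "__main__":
    for alert in flag_debugger_injection(EVENTS):
        print(alert)
```

Legitimate debugging sessions trip the same rule, so scope it to hosts where WDAC is enforced and interactive debugging is not expected, or baseline the developer machines where it is; the point is that a trusted Microsoft binary is the source, which a signer-based allow list alone will never surface.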

This discovery underscores the constant challenge security teams face with application control strategies and the importance of regularly reviewing and updating security policies to address emerging bypass techniques that leverage trusted applications.



Source: https://cybersecuritynews.com/windows-defender-policies-bypassed/