Hackers Bypassed Windows Defender Policies Using WinDbg Preview via Microsoft Store

Summary: A newly reported technique lets attackers bypass Windows Defender Application Control (WDAC) policies by using the WinDbg Preview debugger, raising significant security concerns. It relies on the debugger's own functionality to inject code into processes on systems that WDAC otherwise protects from unsigned executables. The issue highlights a critical gap in enterprise security controls, particularly around the use of modern debugging tools.

Affected: Windows Defender Application Control (WDAC), Organizations using WinDbg Preview

Key points:

  • Attackers can exploit the WinDbg Preview debugger to achieve code execution and remote process injection.
  • The exploit operates by injecting shellcode into a target process, circumventing WDAC policies that block unauthorized code.
  • Mitigations include updating WDAC blocklists, disabling the Microsoft Store, and closely monitoring debugging tool usage.
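
The last key point recommends monitoring debugging-tool usage. The following is an added example, not code from the article or from Microsoft, of what that monitoring can look like over process-creation telemetry: it flags debugger launches, debuggers running from the Microsoft Store install root (the case the article describes, a signed and policy-permitted binary), and processes spawned by a debugger. It assumes Sysmon-style process-creation records already parsed into Python dicts, assumes that the WinDbg Preview Store package executes as DbgX.Shell.exe (the article does not name the binary), and runs over constructed sample events.

```python
"""Flag debugger usage in process-creation telemetry.

Added example, not code from the article. Assumptions: events are Sysmon-style
process-creation records already parsed into dicts; the WinDbg Preview Store
package executes as DbgX.Shell.exe (author's assumption, not stated in the
article); all sample events below are constructed.
"""
from __future__ import annotations

import ntpath

# Debugger image names. windbg/cdb/kd/ntsd ship with Debugging Tools for
# Windows; dbgx.shell.exe is the assumed WinDbg Preview executable.
DEBUGGER_IMAGES = {"windbg.exe", "cdb.exe", "kd.exe", "ntsd.exe", "dbgx.shell.exe"}

# Install root of Microsoft Store packages (lower-cased for comparison).
STORE_ROOT = r"c:\program files\windowsapps"


def _image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify_event(event: dict) -> list[str]:
    """Return the reasons an event is interesting; empty list if benign."""
    reasons: list[str] = []
    image = event.get("Image", "")
    if _image_name(image) in DEBUGGER_IMAGES:
        reasons.append("debugger-launch")
        # A debugger running out of the Store install root is the case the
        # article describes: a signed binary that WDAC allows to run.
        if image.lower().startswith(STORE_ROOT):
            reasons.append("store-installed-debugger")
    if _image_name(event.get("ParentImage", "")) in DEBUGGER_IMAGES:
        # Anything spawned by a debugger deserves a look on a WDAC-locked host.
        reasons.append("child-of-debugger")
    return reasons


def find_suspicious(events: list[dict]) -> list[dict]:
    """Filter events to those worth alerting on, keeping the reasons."""
    findings = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            findings.append({
                "UtcTime": ev.get("UtcTime"),
                "User": ev.get("User"),
                "Image": ev.get("Image"),
                "Reasons": reasons,
            })
    return findings


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 09:00:00", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2024-01-01 09:05:00", "User": "CORP\\alice",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.WinDbg_<PLACEHOLDER-VERSION>\DbgX.Shell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2024-01-01 09:06:00", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WinDbg_<PLACEHOLDER-VERSION>\DbgX.Shell.exe"},
    {"UtcTime": "2024-01-01 10:00:00", "User": "CORP\\bob",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["UtcTime"], f["User"], f["Image"], ", ".join(f["Reasons"]))
```

Run on the constructed events, the notepad launch is ignored, the Store-installed debugger is flagged twice over (debugger launch plus Store path), the cmd.exe it spawns is flagged as a child of a debugger, and the SDK cdb.exe is flagged as a plain debugger launch. Detection of this kind complements, rather than replaces, the WDAC blocklist update the article lists first: the policy stops the binary from running, while the telemetry shows where it was already allowed to.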

Source: https://gbhackers.com/hackers-bypassed-windows-defender-policies/