Bypassing Windows Defender Application Control: The Loki C2 Threat

Bypassing Windows Defender Application Control (WDAC) might sound like something reserved for blockbuster spy movies, but in today’s threat landscape, it’s a real, high-stakes game played by red teams and security researchers alike. At the heart of this article is the in-depth exploration of Loki C2—a JavaScript-based Command and Control (C2) framework that evades even the strictest WDAC policies by leveraging the quirks of Electron applications. Let’s unpack how this clever technique works and what it means for both cybersecurity professionals and Windows users.

Understanding WDAC and Its Bug Bounty Game

Windows Defender Application Control is designed as a robust security boundary that only permits the execution of trusted software. For Microsoft, this is so critical a feature that the company offers bug bounty payouts for qualifying bypasses. Researchers who discover a bypass might see a swift fix from Microsoft, or in some cases, receive an honorable mention (or even a bounty) if their method is mitigated through the recommended block list. However, if a bypass remains unfixed and its risks underestimated, neither reward nor recognition is given.
Recent exploits have shown that while WDAC is a formidable barrier, it isn’t infallible. Lists curated by entities like the LOLBAS Project and researchers such as Jimmy Bayne and Casey Smith continuously expose methods that circumvent WDAC—whether the vulnerabilities are fixed, mitigated, or simply remain overlooked. This active field of research highlights both the dedication and the ingenuity of security professionals, whose work forces all parties to continually rethink trust and execution rules.

The Bypass Arsenal: LOLBAS, DLL Side-loading, and Custom Exclusions

In the wild world of red team operations, researchers have identified multiple techniques to bypass WDAC. Here’s a quick rundown:
• Using well-known LOLBAS like MSBuild.exe can sometimes work when a client hasn’t implemented the appropriate block list rules.
• Deploying DLL side-loading by injecting an untrusted DLL into a trusted application can bypass WDAC’s scrutiny—as long as the application does not enforce strict DLL signing.
• Exploiting custom exclusion rules in WDAC policies, such as CRTO2, demonstrates that even tailored defenses can be subverted if the underlying assumptions are not correctly fortified.
These methods form a layered approach that, when combined, gives red teams multiple ways to achieve code execution under a WDAC policy. But if you think these techniques are limited to classic Windows executables, think again.

Electron Applications: A Trojan Horse in Plain Sight

Electron applications have fundamentally redefined how desktop apps are built by combining the widespread accessibility of web technologies with the power of Node.js. Applications like Microsoft Teams run as Electron apps, meaning they rely on JavaScript, HTML, and CSS to dynamically render desktop interfaces. At runtime, these apps read JavaScript files and—thanks to Node.js—can perform operations that surpass the abilities of browsers, including file manipulation and executing arbitrary commands.
The ease with which Electron applications can be modified marks a double-edged sword. On one hand, developers appreciate the flexibility; on the other, attackers can exploit the dynamic nature of JavaScript execution within these trusted processes. In one striking example, researchers replaced the contents of a legacy Microsoft Teams application’s resources folder with their own payload. Because the executable itself remains Microsoft-signed, WDAC does not block it, allowing untrusted JavaScript to run inside a trusted process.

How Does This Work in Practice?

Consider the scenario where an Electron application’s JavaScript file is modified. Teams, for instance, executes its JavaScript through Node.js using the child_process module. This module, in turn, invokes native APIs (via uv_spawn) that allow the app to interact directly with the operating system. By replacing the original JavaScript with a payload that calls back to a remote C2 server, adversaries can essentially weaponize a legitimate application.
An important nuance here is that while the Electron process is sheltered by WDAC (thanks to its Microsoft signature), the payload delivered via its JavaScript is not subjected to the same level of scrutiny. This method cleverly sidesteps one of WDAC’s most rigid rules: preventing the execution of unsigned code. By piggybacking on a trusted application, the adversary effectively gains a free pass.

Exploiting Signed Node Modules: The Case of windows_process_tree.node

To further compound the challenge for defenders, researchers have discovered that signed Node modules bundled with popular applications can be reverse-engineered and used to execute arbitrary code. One notable example is windows_process_tree.node—a module provided with Visual Studio Code. While Node modules typically hide much of their exported functionality, techniques exist to reveal callable functions, such as getProcessList and getProcessCpuUsage.
This capability is not just a neat trick; it has practical implications. By calling functions like getProcessList directly from JavaScript, Loki C2 retrieves process data in JSON format, neatly sidestepping the need for spawning child processes (a typical red flag for EDR solutions). This means that an attacker can enumerate system processes without tipping off the security tools that monitor for unusual PowerShell or command prompt activity.

Demonstrating WDAC Bypass with Loki C2

A recent demo highlighted the sophisticated execution of this technique. In the demonstration, WDAC is deployed using a Default Windows Mode policy—one of the strictest configurations available. With WDAC enforcing stringent rules (including merging with Microsoft’s recommended block lists), any unsigned executable is immediately blocked.
What happens next is ingenious: an adversary copies their own Loki C2 Agent’s resources and overwrites the contents of the Teams application's /resources/app/ directory. Since Teams.exe itself is signed by Microsoft, WDAC allows its execution. However, the trusted application now runs modified code—the Loki payload crafted in JavaScript—thereby establishing a covert C2 channel.
This technique cleverly exploits WDAC’s trust model. Instead of attempting to introduce an entirely new, unsigned executable into the system, it repurposes a legitimate, trusted application to act as a conduit for malicious code. In this demo, the Loki C2 Agent successfully calls back to an external C2 server, executes intentional commands, and orchestrates remote control of the compromised server.
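WDAC validates the signature on Teams.exe, not the JavaScript the process later loads from its resources/app/ directory, so the swap described above leaves no WDAC event behind. A defender therefore needs a separate integrity check on that directory. The script below is an added illustration (not code from the Loki C2 research, from Microsoft, or from the Teams project): it records a SHA-256 manifest of every file under an Electron app's resources directory at a known-good time and later reports files that were added, removed, or modified. The directory layout it scans is constructed in a temporary folder for the demo; on a real host you would point `build_manifest` at the installed application's resources directory and store the baseline somewhere the application cannot write.

```python
"""Baseline-and-diff integrity check for an Electron app's resources directory.

Added example, not code from the original article or the projects it names.
The resources/app tree below is constructed in a temp folder for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, streamed so large bundles are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX separators) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate an unauthorized change to resources/app."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "resources" / "app"
        app.mkdir(parents=True)
        (app / "package.json").write_text('{"name": "teams", "main": "main.js"}')
        (app / "main.js").write_text("// original application entry point\n")
        baseline = build_manifest(app)

        # Simulated tampering: the entry point is replaced and an extra module appears.
        (app / "main.js").write_text("// replaced entry point\n")
        (app / "lib").mkdir()
        (app / "lib" / "extra.js").write_text("// file not present at baseline\n")
        current = build_manifest(app)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Because the check compares the whole tree rather than a single file, it also catches the case where the entry point is left untouched but package.json is redirected to a new file. Run it on a schedule, or trigger it from a file-creation event on the resources directory, and alert on any non-empty result outside a known update window.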

Upgrading to a Stealthy Stage 2 C2

While initial access via modified Electron applications is a noteworthy achievement, it is only part of the equation. Once a foothold is established, adversaries often need a more stealthy “Stage 2” C2 agent that can operate undetected over extended engagements. Traditional techniques might rely on spawning child processes or using PowerShell—methods that are frequently flagged by modern Endpoint Detection and Response (EDR) solutions with “100% MITRE Coverage.”
Loki C2’s next evolution involved building an entire framework in JavaScript. By designing the C2 agent entirely in JavaScript to run within a trusted process (like Teams), researchers eliminated the need to load unsigned DLLs or trigger suspicious process spawns. This sophisticated approach involves several key functionalities:
• Retrieving the deployed WDAC policy from the target system
• Scanning for exploitable exclusions within the WDAC policy
• Uploading and executing a Stage 2 C2 payload seamlessly
• Dynamically loading additional Node modules to extend capabilities
This fully JavaScript-based C2 framework minimizes the risk of detection while still providing extensive control over compromised systems.

MITRE ATT&CK and the Future of WDAC Bypass Techniques

In mapping these tactics to the MITRE ATT&CK framework, Loki C2 aligns with Technique T1218.011—System Binary Proxy Execution through Electron Applications. This designation underscores just how novel and nuanced this approach is; even with a mapped TTP, the unique method of “hollowing out” an Electron application to inject C2 code remains largely undetected by many current security solutions.
Defenders might claim “100% MITRE Coverage” in their marketing, but the evolving nature of these techniques challenges whether such coverage is truly comprehensive. Modern EDRs must adapt not only to well-known malware behaviors but also to the subtleties involved in repurposing trusted applications for nefarious ends.

Broader Implications for Cybersecurity

For the Windows community and IT professionals at large, these developments serve as a stark reminder that trust frameworks can be subverted by innovative methods. When a signed application like Microsoft Teams becomes a Trojan horse, the integrity of trusted systems is put under question, demanding several proactive responses:
• Enhanced monitoring of application behavior—even for trusted, signed executables
• Regular audits of WDAC policies and their associated block lists
• Greater integration of behavioral analytics within EDR solutions to flag anomalous intra-process operations
• Increased collaboration between threat researchers and security tool vendors to bridge the gap between traditional signature-based detections and more subtle, seemingly benign behaviors
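The article lists "regular audits of WDAC policies and their associated block lists" and notes that the framework looks for exploitable exclusions in the deployed policy, so the same questions are worth asking of your own policy before anyone else does. The script below is an added illustration, not Microsoft tooling and not code from the Loki C2 research. It parses the SiPolicy XML format that the ConfigCI cmdlets (Merge-CIPolicy, ConvertFrom-CIPolicy) produce and flags four things: audit-only enforcement, missing user-mode enforcement (UMCI), Allow rules keyed on a file path (wildcards and user-writable roots in particular), and the absence of a Deny rule for a LOLBAS the article names (MSBuild.exe). Both policies, the user-writable prefix list and the expected-deny set are constructed for the demo and are assumptions about what a given environment should enforce.

```python
"""Audit a WDAC (SiPolicy) XML for weak settings a defender would want to find first.

Added example, not Microsoft tooling or code from the original article.
The two sample policies, the writable-root prefixes and the expected Deny
list are constructed/assumed for the demo.
"""
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
# Assumption: roots an ordinary user can write to; FilePath allow rules here are risky.
WRITABLE_PREFIXES = ("C:\\USERS\\", "%OSDRIVE%\\USERS\\", "C:\\PROGRAMDATA\\", "C:\\WINDOWS\\TEMP\\")
# Assumption: binaries this environment expects the merged block list to deny.
EXPECTED_DENIES = {"msbuild.exe"}

# Constructed weak policy: audit mode, no UMCI, wildcard path allow under Users, no MSBuild deny.
WEAK_POLICY = r"""<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_TOOLS" FriendlyName="Constructed: per-user tools folder" FilePath="C:\Users\*\Tools\*" />
    <Allow ID="ID_ALLOW_APP" FriendlyName="Constructed: line-of-business app" FilePath="C:\Program Files\Contoso\app.exe" />
    <Deny ID="ID_DENY_CSCRIPT" FriendlyName="Constructed block-list entry" FileName="cscript.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
"""

# Constructed corrected policy: enforced, UMCI on, no wildcard path allow, MSBuild denied.
HARDENED_POLICY = r"""<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_APP" FriendlyName="Constructed: line-of-business app" FilePath="C:\Program Files\Contoso\app.exe" />
    <Deny ID="ID_DENY_MSBUILD" FriendlyName="Constructed block-list entry" FileName="MSBuild.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
"""


def audit_policy(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means none of the checks fired."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    options = {o.text.strip() for o in root.findall("si:Rules/si:Rule/si:Option", NS) if o.text}
    if "Enabled:Audit Mode" in options:
        findings.append("policy is in audit mode: violations are logged, not blocked")
    if "Enabled:UMCI" not in options:
        findings.append("UMCI not enabled: user-mode binaries are not controlled")

    for allow in root.findall("si:FileRules/si:Allow", NS):
        path = allow.get("FilePath")
        if not path:
            continue  # hash, signer or FileAttrib based allow rules are not path trust
        rid = allow.get("ID", "?")
        if "*" in path:
            findings.append(f"{rid}: wildcard FilePath allow rule '{path}'")
        if path.upper().startswith(WRITABLE_PREFIXES):
            findings.append(f"{rid}: FilePath allow rule under a user-writable location '{path}'")

    denied = {d.get("FileName", "").lower() for d in root.findall("si:FileRules/si:Deny", NS)}
    for name in sorted(EXPECTED_DENIES - denied):
        findings.append(f"no Deny rule for {name}: recommended block list may not be merged")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] {len(audit_policy(policy))} finding(s)")
        for f in audit_policy(policy):
            print("  -", f)
```

The Deny check is deliberately simple: it only confirms that some Deny rule names each expected binary, not that the rule is referenced from the right signing scenario or that the version range is correct. Treat a clean result as "nothing obvious", not as proof the policy is sound, and extend `EXPECTED_DENIES` from the recommended block list your organization actually intends to enforce.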
It also places a call to arms for red teams: knowing the intricacies of Electron and Node.js empowers security professionals to better understand what attackers might do, allowing them to build defenses that are one step ahead.

Final Thoughts

In the high-wire act between security measures and attack strategies, the Loki C2 approach illustrates how even the most robust defenses can be circumvented through clever re-engineering. By combining the known strengths of trusted Electron applications with the subtle power of JavaScript-based payloads, adversaries are pushing the boundaries of what is considered “safe” on Windows systems.
For IT professionals and Windows users alike, the lesson is clear: security is not static. As red teams refine their toolkits and techniques—whether through modified Node modules or exploiting Electron’s dynamic nature—defenders must keep evolving their strategies. Regular audits, enhanced monitoring, and real-time analysis are not optional but essential components of a modern cybersecurity posture.
The Loki C2 narrative reaffirms the age-old adage in security: never take trust at face value. As researchers continue to innovate, the landscape will undoubtedly see more surprises. And for those who claim total coverage—perhaps it’s time to question whether the next breakthrough isn’t already on the horizon.
In this ever-shifting field of cybersecurity, staying informed isn’t just prudent; it’s imperative.

Source: Security Intelligence Bypassing Windows Defender Application Control with Loki C2