1688 words
8 minutes
WDAC Bypass Techniques — The Complete Reference Catalog

WDAC Bypass Techniques — The Complete Reference Catalog#

Companion to A Field Guide to WDAC Bypass Techniques — that post explains why the six mechanism families work. This one is the exhaustive catalogue: every publicly documented bypass, who published it, and where to read the original.

This is a reference index. Each entry is one documented technique, the researcher who published it, a one-line description of the mechanism, and a link to the original write-up. The facts (binary names, attributions, and URLs) are drawn from the public record and the canonical curated resource: Jimmy Bayn’s UltimateWDACBypassList. For the maintained, living list, always defer to that repository — this article exists to give the material a readable, searchable home on this blog.

A note on naming: Microsoft has rebranded Windows Defender Application Control (WDAC) as Application Control / Application Control for Business. The older names — Device Guard and UMCI (User-Mode Code Integrity) — still appear throughout the historical research and are preserved in the citations below.

Table of Contents#

  1. How to Read This Catalog
  2. Documented LOLBIN Bypasses
  3. On the Block List but Not Yet Publicly Documented
  4. Libraries Worth Knowing
  5. Other Unsigned-Code-Execution LOLBINs (Not on the List)
  6. PowerShell / UMCI / Constrained Language Mode
  7. COM, XSL, Office, and Active Scripting
  8. Novel Exploitation and BYOVA
  9. Defense, Policy Creation, Testing, and Research
  10. Using This Material Responsibly
  11. Source Repository

1. How to Read This Catalog#

Each technique is a Microsoft-signed (or Microsoft-distributed) binary or component whose legitimate function — compiling, debugging, interpreting, transforming, or installing — can be repurposed to execute attacker-supplied logic. WDAC evaluates at image-load time against signing trust; it does not generally ask “will this signed program run code from a file it reads?” That gap is what every row below exploits.

Two cross-cutting reminders from the source repository, worth pinning to the top:

  • The Microsoft recommended block list ships with two default-allow file rules (ID_ALLOW_A_1, ID_ALLOW_A_2) that must be removed when you apply it, or your “block” policy still allows more than you intend.
  • The block list is reactive. New signed primitives ship faster than the list updates — the Store-distributed WinDbg Preview is the textbook recent example.

2. Documented LOLBIN Bypasses#

BinaryMechanism (one line)Original research
addinprocess.exeCOM add-in host process loads attacker content in a trusted contextJames Forshaw — DG on Windows 10 S: Executing Arbitrary Code
addinprocess32.exe32-bit variant of the add-in host, same primitiveJames Forshaw — DG on Windows 10 S: Executing Arbitrary Code
addinutil.exeInsecure deserialization of add-in configuration data@McKinleyMike / @TheLatteri — Insecure Deserialization in AddinUtil.exe
aspnet_compiler.exeASP.NET compiler pre-processes/executes build-time logiccpl (@cpl3h) — The Curious Case of Aspnet_Compiler.exe
bginfo.exeSysinternals tool runs embedded VBScript from a .bgi configOddvar Moe — Bypassing AWL with BGInfo
cdb.exeConsole debugger executes shellcode via .script/memory primitivesMatt Graeber — WinDbg/CDB as a Shellcode Runner
csi.exeRoslyn C# interactive REPL runs C# scriptCasey Smith — CSI.EXE C# Scripting
dbghost.exeVisual Studio T4 template host executes template logicCasey Smith — Ghost And The Darkness
dnx.exe.NET execution environment runs project codeMatt Nelson — Bypassing AWL with DNX.EXE
dotnet.exe.NET Core CLI runs assemblies/commandsJimmy Bayn — DotNet Core: A Vector for AWL Bypass
fsi.exeF# interactive host executes F# inlineNick Tyrer / Jimmy Bayn — fsi.exe inline execution; Wfc/Fsi write-up
fsiAnyCpu.exeArchitecture-neutral F# host, same mechanismNick Tyrer / Jimmy Bayn — Wfc/Fsi write-up
infdefaultinstall.exeINF-driven installer runs an installer section’s directivesKyle Hanslovan / Chris Bisnett — Evading Autoruns
InstallUtil.exeInstaller host loads and invokes methods on an attacker assemblyJames Forshaw — DG on Windows 10 S: Abusing InstallUtil
Microsoft.Management.Services.IntuneWindowsAgent.exeIntune agent component abused to bypass controlKim Oppalfens — Intune Windows Agent Bypass (issue #1)
kill.exeProcess-kill utility; documented SEH buffer overflow as a primitive@hyp3rlinx — kill.exe SEH Buffer Overflow
Microsoft.Workflow.Compiler.exeWorkflow compiler deserialises and runs attacker logicMatt Graeber — Arbitrary Unsigned Code Execution Vector
msbuild.exeBuild engine compiles and runs inline C#/VB tasks from a project fileCasey Smith — Bypassing AWL using MSBuild.exe
mshta.exeHTA host runs embedded script@conscioushacker — Application Whitelisting Bypass: mshta.exe
powershellcustomhost.exeCustom PowerShell host that escapes the default constrained surfaceLasse Trolle Borup — A Simple Device Guard Bypass
rcsi.exeRoslyn C# script runner (non-interactive variant)Matt Nelson — Bypassing AWL with RCSI.EXE
runscripthelper.exeSigned utility executes PowerShell from a constrained pathMatt Graeber — Bypassing AWL with runscripthelper.exe
visualuiaverifynative.exeUI-automation verifier loads and runs codeLee Christensen / Jimmy Bayn — VisualUiaVerifyNative
wfc.exeF# workflow compilerMSRC / Matt Graeber tip, Jimmy Bayn write-up — Wfc/Fsi write-up
windbg.exeGUI debugger with the same scripting surface as cdbMatt Graeber — WinDbg/CDB as a Shellcode Runner
wmic.exeHonours an /format: flag pointing at an XSL stylesheet that runs scriptCasey Smith — WMIC Whitelisting Bypass — Hacking with Style
WSL family — bash.exe, lxrun.exe, wsl.exe, wslconfig.exe, wslhost.exeLinux subsystem executes code outside a Windows-only policy’s scopeAlex Ionescu — Fun with the Windows Subsystem for Linux (lxss)

3. On the Block List but Not Yet Publicly Documented#

These binaries appear on Microsoft’s recommended block list even where a full public abuse write-up is thin. The defensive assumption is that they share a debugger/loader/scripting primitive with documented neighbours and are blocked precautionarily.

  • dbgsvc.exe — debugger service host
  • kd.exe — kernel debugger
  • ntkd.exe — kernel debugger (legacy)
  • ntsd.exe — console debugger (NT symbol debugger)
  • texttransform.exe — T4 text templating transformation host
  • HVCIScan.exe — Hyper-V code-integrity scanning utility

4. Libraries Worth Knowing#

DLLs that appear on the block list. Independent abuse of these is “may or may not be interesting” territory, but they are the loaded code behind several techniques above and worth recognising in telemetry.

  • Microsoft.Build.dll
  • Microsoft.Build.Framework.dll
  • msbuild.dll
  • lxssmanager.dll — the WSL service implementation
  • system.management.automation.dll — the PowerShell engine
  • webclnt.dll / davsvc.dll — WebDAV client/service (the classic \\host@port\resource path)
  • mfc40.dll

5. Other Unsigned-Code-Execution LOLBINs (Not on the List)#

BinaryMechanism (one line)Original research
dbgsrv.exeDebugger server used to attach and drive code execution remotelyCasey Smith / Ross Wolf — How to Bypass WDAC with dbgsrv.exe (FortyNorth); Fantastic Red-Team Attacks (Black Hat)
WinDbgX.exeStore-distributed, Microsoft-signed WinDbg Preview; outside the recommended block list; injects shellcode via .wds scriptingCerberSec — Bypass WDAC WinDbg Preview — see also my deep-dive

6. PowerShell / UMCI / Constrained Language Mode#

When WDAC policy includes UMCI, PowerShell is forced into Constrained Language Mode (CLM). A long line of research covers escapes from CLM and the surrounding UMCI surface.

TechniqueMechanism (one line)Original research
PSWorkflowUtility (CVE-2017-0215)Workflow utility abused to escape constrained language modeMatt Nelson — UMCI Bypass using PSWorkflowUtility
Defeating Device Guard (CVE-2017-0007)Device Guard bypass via the named-pipe/rpc surfaceMatt Nelson — Defeating Device Guard: A Look into CVE-2017-0007
PowerShell code injection → CLM escapeInjecting code into an already-running full-language PowerShell hostMatt Graeber — Exploiting PowerShell Code Injection to Bypass CLM
CVE-2017-8715Bypass of the CVE-2017-0218 fix via PowerShell module manifestsMatt Nelson — A Look at CVE-2017-8715
CVE-2018-8212 (MSFT_SCRIPTRESOURCE)DSC script resource abused to bypass Device Guard/CLMMatt Nelson — CVE-2018-8212: Device Guard/CLM Bypass
Invoke-History CLM bypassReplaying a history entry to escape constrained modeMatt Graeber — Invoke-History bypass (post)

7. COM, XSL, Office, and Active Scripting#

A dense family: trusted engines that interpret a markup, manifest, or transform format and execute embedded code.

TechniqueMechanism (one line)Original research
.NET assembly compilation methodsCompiler APIs invoked from script to assemble and run code in-policyMatt Graeber — Bypassing Device Guard with .NET Assembly Compilation Methods
Sneaking Past Device Guard (CVE-2018-8417)Script-integrity bypass via Office/scripting surfacePhilip Tsukerman — Sneaking Past Device Guard (HITB)
WLDP CLSID-policy .NET COM instantiationInstantiate a .NET COM object exempted from WLDP to escape UMCIJames Forshaw — Project Zero issue #1514
WSH injectionWindows Script Host injection case study for UMCI bypassMatt Nelson — WSH Injection: A Case Study
winrm.vbsSigned script host abused for arbitrary unsigned executionMatt Graeber — Arbitrary Unsigned Code Execution in winrm.vbs
COM XSL transformation (CVE-2018-8492)XSL transform through COM defeats several application-control productsJimmy Bayn — COM XSL Transformation
Catalog-file hygieneAbuse of signature-catalog trust to launder unsigned code as signedJimmy Bayn — Abusing Catalog Hygiene
CHM (CVE-2017-8625)HTML Help as a UMCI bypass vectorOddvar Moe / Matt Nelson — Bypassing Device Guard UMCI using CHM
UMCI vs Internet Explorer (CVE-2017-8625)IE scripting surface leveraged against the same underlying flawMatt Nelson — UMCI vs Internet Explorer
Previous-version signed script hosts + catalogsOlder signed script hosts and catalog files used to bypass WDACWilliam Easton — VULN-051861 advisory

8. Novel Exploitation and BYOVA#

TechniqueMechanism (one line)Original research
Browser exploit → WDAC bypassA memory-corruption exploit in a trusted browser achieves execution WDAC must permitValentina Palmiotti — Operationalizing browser exploits to bypass WDAC (IBM X-Force)
WDAC bypass via Loki C2 (Electron/Node)A signed Electron shell runs JavaScript payloads; the shell is trusted, the payload is dataBobby Cooke (0xBoku) — Bypassing WDAC with Loki C2 (IBM X-Force)

9. Defense, Policy Creation, Testing, and Research#

The other half of the catalog: the tooling and deep-dive material for building, deploying, auditing, and testing WDAC policies. This is the material you want on the blue-team desk.

ResourceWhat it isLink
WDAC stream playlistMatt Graeber’s video series covering creation, enforcement, bypass, and audit@mattifestation playlist
WDAC Policy WizardMicrosoft’s official tool for authoring and editing policiesMicrosoftDocs/WDAC-Toolkit
WDACToolsPowerShell module to build, configure, deploy, and audit policiesmattifestation/WDACTools
WDACPoliciesBaseline software notes + corresponding sample policiesmattifestation/WDACPolicies
DeviceGuardBypassMitigationRulesReference deny policy blocking the published bypasses — companion to this catalogmattifestation/DeviceGuardBypassMitigationRules
Building a WDAC labStand up a test environment end-to-endFortyNorth Security
Documenting & attacking a WDAC featureCase study in security-research methodologyMatt Graeber — SpecterOps
WinAWLWindows application-control notes and sample policiesBrian in Pittsburgh — arekfurt/WinAWL
Exploit MondayMatt Graeber’s blog — much of the foundational research lives hereexploit-monday.com
Quick deploy + test machine setupRestrictive + scan policy gists for fast lab bring-upJimmy Bayn — restrictive / scan
WDAC in 20H2 + a simple secure policyPolicy-design evolution and a minimal Windows-only baselineMatt Graeber — Medium
Harden Windows Security — WDAC NotesPractitioner notes on policy hardeningHotCakeX — wiki
Chad Duffey — WDAC NotesOperational notes from the fieldchadduffey.com

10. Using This Material Responsibly#

Every link above points to published, defensive-minded security research. The value of a catalogue like this is twofold: for red teamers it shortens the path from “I have admin” to “I have execution under application control,” and for defenders it is the exact checklist of what a deny policy must account for. If you are on the blue side, the companion DeviceGuardBypassMitigationRules policy is the fastest way to turn this catalogue into enforcement.

Two operating principles:

  1. Application control is one layer. A block list cannot, by construction, anticipate signed binaries whose legitimate function is to run code. Pair it with behavioural detection, least privilege, and network segmentation.
  2. Validate before you enforce. Promote a policy from audit to enforced only once your 8007 (code-integrity) event log is quiet against your real workload. A policy that breaks the business is a policy that gets turned off.

11. Source Repository#

This catalogue is a readable re-presentation of public research. The maintained, canonical resource — the one to watch for new entries — is:

See also the companion orientation on this blog: A Field Guide to WDAC Bypass Techniques, and the WinDbg-Preview deep-dive: Bypassing WDAC with WinDbg Preview.

WDAC Bypass Techniques — The Complete Reference Catalog
https://mranv.pages.dev/posts/wdac-bypass-techniques-reference-catalog/
Author
Anubhav Gain
Published at
2026-07-13
License
CC BY-NC-SA 4.0