Bypass Record

Disable or Modify Tools × Microsoft Windows Defender Application Control (WDAC)

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Windows Defender Application Control (WDAC), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender Application Control (WDAC)
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
unknown
Disclosed
2025-04-08
Config / version noted
Not stated

Provenance

Reported as

CVE-2025-26678 is an improper access control vulnerability in Windows Defender Application Control (WDAC) ... allows a local attacker to bypass WDAC application whitelisting policies

Mechanism

The vulnerability stems from improper access control (CWE-284) in WDAC policy enforcement. A local attacker can exploit the flaw to run applications that the active WDAC policy should block, defeating the application control mechanism. The source reports that no privileges or user interaction are required.

Detection & mitigation

Monitor the Microsoft-Windows-CodeIntegrity/Operational log for Event ID 3076 (audit mode: file would have been blocked) and 3077 (enforced mode: file was blocked); unexpected entries indicate either a gap in the policy or attempted execution of unauthorized code. Investigate anomalous process creation events, especially executables launched from temporary or user-writable directories, because a successful bypass of the enforcement check leaves no block event and the launch record itself is the evidence. Validate WDAC policies in audit mode before enforcing them so that policy gaps are found before an attacker finds them, and apply the Microsoft security update that addresses CVE-2025-26678.
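The triage described above, as an added PowerShell example that is not from the cited source: it pulls the 3076/3077 Code Integrity decisions and the Security 4688 process-creation records for a lookback window, then flags launches from user-writable paths and launches of any image that WDAC had earlier blocked in enforced mode on the same host, which is a strong indicator that enforcement was bypassed rather than merely misconfigured. Assumptions: it runs elevated, process-creation auditing (4688) is enabled, and the EventData field names used ('File Name', 'Process Name', 'PolicyGUID', 'NewProcessName', 'ParentProcessName', 'SubjectUserName') match current Windows builds; verify them on your own events. The $Hours parameter and the user-writable path pattern are the example's own choices.

```powershell
# Added example, not from the cited source: triage WDAC Code Integrity events
# against process-creation audit events on one host.
# Assumptions: run elevated; the Security log audits process creation (4688);
# EventData field names below match current Windows builds (verify on yours).
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataMap {
    # Flatten an event's <EventData><Data Name="..."> entries into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

# 1. WDAC decisions. 3076 = audit mode ("would have been blocked"),
#    3077 = enforced mode (execution actually blocked).
$ciEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap -Event $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 3076) { 'audit' } else { 'enforced' })
            File    = $d['File Name']     # NT device path, e.g. \Device\HarddiskVolume3\...
            Process = $d['Process Name']  # process that attempted the load
            Policy  = $d['PolicyGUID']
        }
    })

# 2. Process creations from the Security log. A successful enforcement bypass
#    produces no 3077 event, so the launch record itself is the evidence.
$procEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap -Event $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Image  = $d['NewProcessName']
            Parent = $d['ParentProcessName']
            User   = $d['SubjectUserName']
        }
    })

# 3. Findings. Leaf-name comparison is a coarse heuristic: 3077 logs NT device
#    paths while 4688 logs drive-letter paths, so full paths rarely compare equal.
$userWritable = '\\Users\\|\\Temp\\|\\ProgramData\\'   # heuristic, tune per host
$blockedLeaf  = @($ciEvents | Where-Object { $_.Mode -eq 'enforced' -and $_.File } |
    ForEach-Object { (Split-Path -Leaf $_.File).ToLowerInvariant() } | Sort-Object -Unique)

$findings = foreach ($p in $procEvents) {
    if (-not $p.Image) { continue }
    $leaf    = (Split-Path -Leaf $p.Image).ToLowerInvariant()
    $reasons = @()
    if ($p.Image -match $userWritable) { $reasons += 'launched from user-writable path' }
    if ($blockedLeaf -contains $leaf)  { $reasons += 'image previously blocked by WDAC on this host' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time   = $p.Time
            Image  = $p.Image
            User   = $p.User
            Parent = $p.Parent
            Reason = ($reasons -join '; ')
        }
    }
}

$auditCount    = @($ciEvents | Where-Object Mode -eq 'audit').Count
$enforcedCount = @($ciEvents | Where-Object Mode -eq 'enforced').Count
"Code Integrity decisions in window: $($ciEvents.Count) (audit: $auditCount, enforced: $enforcedCount)"
$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\wdac-triage.ps1 -Hours 72` from an elevated prompt. A hit on the second reason (an image blocked in enforced mode that later shows up as a started process) deserves immediate attention; a hit on the first reason alone is common on workstations and needs the usual baseline of known installers and updaters. Event ID 3099 (policy activation) from the same log can be added to the first query to catch policy replacement or downgrade alongside the per-file decisions.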

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.