1. Windows Defender Application Control (WDAC) & AppLocker

Think of this as the bouncer at the club. If the code isn’t on the guest list, it’s not getting in.

Pro Tip: AppLocker is still around, but it’s the legacy option. Use it only if you’re dealing with older systems that can’t handle WDAC. If you’re setting up new execution policies, go with WDAC.

• Stops untrusted mobile code (scripts, executables, DLLs, etc) before they run, preventing drive-by downloads, unauthorized scripts, and other sneaky attack methods. WDAC can preemptively shut down entire categories of untrusted code execution.

• It requires signed code, allowing only code from trusted publishers, signed scripts, or pre-approved hashes. If a file isn’t digitally signed by a trusted authority, it won’t run, period. This is critical for stopping unsigned PowerShell scripts, malicious DLL sideloading, and unknown executables from executing.

• You can create your own rules to block specific file types, paths, or even folders commonly used for malicious code execution. Attackers love dropping scripts in temp directories, why not just kill the ability for scripts to execute from there altogether?

2. Microsoft Defender Antivirus (MDAV)

It doesn’t just scan for known malware, it’s also looking out for suspicious behavior.

I’ve always wondered where the hackers in photos actually are and why is it so dark?…and why do they need 10 monitors? Is it cold enough to need a hood on? I have questions.

• Uses machine learning and heuristics (Behavioral Analysis) to detect mobile code acting shady, even if it’s not yet classified as malware. This means it can recognize the way a script behaves rather than relying on pre-existing virus definitions. That’s how it catches brand-new threats before they hit mass distribution.

• Scans files, scripts, and downloads on the fly to prevent execution of malicious mobile code. The second something suspicious lands on an endpoint, Defender is already evaluating whether it should be allowed to run.

• Looks at script execution in real time, meaning if JavaScript, PowerShell, or VBScript is doing something weird, Defender will shut it down mid-operation. This is critical in stopping living-off-the-land attacks (LOLBins). LOLBins are legitimate Windows binaries or scripts that are either signed by Microsoft or deeply integrated into the OS.

Attackers abuse these tools because:

• They bypass traditional antivirus detection

• They blend in with normal system activity, making it difficult to distinguish malicious from legitimate use.

• They reduce the need for external malware, allowing adversaries to operate without dropping detectable payloads.

3. Microsoft Defender for Endpoint (MDE)

MDE detects, analyzes, and responds.

Pro Tip: ASR rules aren’t enabled by default. You need to configure them in Microsoft Endpoint Manager or via Group Policy. Don’t make the mistake of assuming you’re protected just because Defender is installed, you have to harden it!

• Endpoint Detection & Response (EDR): MDE continuously monitors your environment, looking for signs of malicious code execution. It doesn’t just rely on known signatures, it identifies threats based on behavior, attack patterns, and anomaly detection.

• Attack Surface Reduction Rules: This is where you bring down the hammer.

Key ASR rules include:

• Blocking JavaScript and VBScript from launching downloaded executables. Many drive-by attacks start with a simple script execution, this rule kills that vector.

• Preventing Office macros from fetching and running malicious code. Attackers still love embedding malicious macros in documents—don’t give them the chance.

• Shutting down scripts executed from email clients and browsers. If it didn’t come from a trusted internal source, why let it run at all?

• Enforces policy and ensures security configurations are pushed across the entire organization. A well-configured MDE setup means every endpoint is covered, no weak links.

4. Network Protection (Defender SmartScreen + Firewall)

Stop mobile code before it gets through the door.

Defender SmartScreen blocks access to known malicious domains, preventing drive-by downloads, watering-hole attacks, and command-and-control callbacks before they begin.

• Firewall Rules can be set up to cut off network access for unauthorized code execution attempts.

Want to stop PowerShell scripts from calling out to the internet? Block outbound access for PowerShell altogether.

• Even if a user accidentally downloads a malicious script, network protection can block it before it executes by stopping connections to malicious IPs and domains.

5. Microsoft Endpoint Manager (Intune)

If it’s not managed by you, it’s not trusted.

• Conditional Access Policies Prevent unmanaged or unauthorized mobile apps from executing code. If a device doesn’t meet compliance requirements, it doesn’t get access to sensitive data or critical systems.

• Restrict mobile code execution in specific apps or environments. This is particularly useful in preventing shadow IT and unsanctioned software from running mobile code.

6. Microsoft Defender for Office 365

It’s Not News: Your inbox is a battlefield.

• Defender for O365 scans embedded code and quarantines anything malicious before it even hits the inbox.

• Prevents execution of JavaScript, macros, and ActiveX controls from phishing emails and weaponized documents.

• Uses AI-powered detection to spot phishing attempts before users even get the chance to click something they shouldn’t.

Lock It Down!

Microsoft Defender actively hunts, blocks, and stops mobile code from running across your environment. But here’s the catch: You need to configure ASR rules, enforce execution controls, and integrate Defender across endpoints, email, and the network to stay ahead of attackers. If you set it up right, mobile code won’t stand a chance.