There's more where this came from
What is being abused here is some whitelisted executable. The default rules do whitelist several hundred executables below c:\windows. Now it might surprise many that the default rules are not what Microsoft recommends to use. In fact, the AppLocker design guide (https://www.microsoft.com/en-us/download/details.aspx?id=40330) even writes:
--
To avoid scenarios like this, AppLocker allows the administrator to create a set of permissive default rules that will allow the user to interact with the operating system without restriction. [...]

While allowing an inexperienced administrator to safely interact with AppLocker, it does not create a secure environment. The guidance provided in this document recommends that the default rules not be used. By following the process in this document, an administrator can safely create a highly tailored set of AppLocker policies without the need for the default rules.

To reiterate, DO NOT ENABLE THE DEFAULT RULES
--
And to finally visualize how rotten the default rules are: they allow execution of executables from folders that users may write to. There are several folders below c:\windows where users might copy some virus and execute it, for example c:\windows\temp. To find all such folders, use accesschk (https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx) and run the following command (elevated):

accesschk.exe BUILTIN\Users c:\Windows\ -w -s

So to be honest: although this topic is a remarkable find, it will only apply to those who did not restrict things according to the principle of least privilege or who even use the default rules. And as I just showed, there are even worse things configured if we choose to create the default rules.
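The check the answer describes, combined with a look at the effective AppLocker policy, can be scripted from an elevated PowerShell prompt. The following is an added example and is not code from the original answer or from Microsoft: it lists folders below C:\Windows where low-privileged principals hold write-type rights, then reports which Allow path rules in the effective Exe rule collection (for the default rules, typically `%WINDIR%\*`) would cover an executable dropped there. It assumes the AppLocker PowerShell module is available; the principal list, the environment-variable expansions and the probe file name `anything.exe` are the example's own choices.

```powershell
# Added example, not from the original answer: find user-writable folders below
# C:\Windows and show which Allow path rules of the effective AppLocker Exe policy
# cover them. Run elevated. Only Allow ACEs are inspected (Deny ACEs and AppLocker
# rule exceptions are ignored); accesschk -w, as in the answer, shows effective rights.

$root = 'C:\Windows'
# Principals assumed to represent ordinary users (adjust for your environment).
$lowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = $fsr::CreateFiles -bor $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl

# 1. Folders where one of the principals has an Allow ACE granting a write-type right.
$writable = foreach ($dir in Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    }
    if ($hit) { $dir.FullName }
}

# 2. Allow path rules for executables from the effective policy, converted to regexes.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$pathRules = foreach ($rule in $exeRules.FilePathRule) {
    if ($rule.Action -ne 'Allow') { continue }
    $p = $rule.Conditions.FilePathCondition.Path
    # Expand the AppLocker path variables used by the default rules (assumed mapping).
    $p = $p -replace '%WINDIR%', $env:windir -replace '%SYSTEM32%', "$env:windir\System32" `
           -replace '%PROGRAMFILES%', $env:ProgramFiles -replace '%OSDRIVE%', $env:SystemDrive
    [pscustomobject]@{
        Name  = $rule.Name
        Path  = $p
        Regex = '^' + ([regex]::Escape($p) -replace '\\\*', '.*') + '$'
    }
}

# 3. For each writable folder, list the rules under which a hypothetical .exe placed there would be allowed.
foreach ($dir in $writable) {
    $probe = Join-Path $dir 'anything.exe'   # hypothetical file name, never created
    $covering = $pathRules | Where-Object { $probe -imatch $_.Regex } | ForEach-Object Name
    if ($covering) { '{0} <- {1}' -f $dir, ($covering -join ', ') }
}
```

A folder that appears in the output is one where a standard user can both write and, under the current policy, execute; with the default rules enabled, every writable folder under C:\Windows will show up against the `%WINDIR%\*` rule, which is exactly the weakness the design guide warns about. Tailored path rules, or publisher and hash rules instead of path rules, make the list empty.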