Cybercriminals have found a new avenue to disrupt cybersecurity defenses by exploiting WDAC policies. Initially demonstrated as a theoretical attack named "Krueger" in December 2024, it has now transitioned into active exploitation campaigns. The primary goal of these attacks is to disable
The methodology involves embedding a custom WDAC policy that meticulously blocks specific executables and drivers of major EDR vendors. This is accomplished by placing the policy within the critical system directory C:\Windows\System32\CodeIntegrity and initiating a group policy update. This tactic prevents the EDR services from executing, leaving systems vulnerable.
Emerging Threat Families
Besides Krueger, a second threat family known as "DreamDemon", written in C++, employs similar disruption techniques but with added complexities. DreamDemon embeds a WDAC policy into its resources, writes it to the system directory, and potentially uses file hiding and timestamp alteration (timestomping) to evade detection. Moreover, it logs potential activity into files like app.log and C:\Windows\Temp\app_log.log, with the metadata often being obfuscated, making detection more challenging.
These tactics expose weaknesses inherent in current EDR preventive measures. Presently, file-path rules cannot completely block kernel-mode code because of inherent limitations, and signature-based detection can sometimes fail when attackers bypass or disguise familiar identifiers.
Industry Response and Recommendations
The cybersecurity industry has acknowledged these events but largely remains in a reactive stance. Organizations like Elastic and CrowdStrike have released detection rules, yet comprehensive preventative measures are still evolving. Microsoft Defender for Endpoint offers some degree of mitigation against policy abuses, but it's evident that more robust strategies are essential.
To combat these developments, it's recommended that enterprises actively monitor ConfigCIPolicyFilePath and DeployConfigCIPolicy for unauthorized deployments. Alerting on new or altered files within the CodeIntegrity folder is crucial. Additionally, file magic bytes should be validated against file extensions to identify misrepresented WDAC binaries effectively.
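The following PowerShell audit is an added example, not code from this article or from any vendor it names. It turns the recommendations above (watch the two DeviceGuard registry values, alert on new or changed files under CodeIntegrity, compare magic bytes with extensions) and the DreamDemon timestomping behaviour described earlier into a single read-only check. It assumes that DeployConfigCIPolicy and ConfigCIPolicyFilePath live under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard (the key written by the "Deploy Windows Defender Application Control" Group Policy setting), that a deployed .p7b policy is DER-encoded PKCS#7 and therefore starts with byte 0x30, and that $ExpectedPolicyPath is a placeholder you replace with the path your own GPO is meant to set.

```powershell
# Added example, not from the article. Read-only audit of the WDAC deployment surface.
# Assumptions (not stated on the page): DeviceGuard policy values are under the key
# below; a deployed .p7b policy is DER PKCS#7 (first byte 0x30); $ExpectedPolicyPath
# is a placeholder for the path your own Group Policy is supposed to configure.

function Get-LeadingBytes {
    # Return up to $Count leading bytes of a file, or $null if it cannot be read.
    param([string]$Path, [int]$Count = 8)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] $Count
            $n = $fs.Read($buf, 0, $Count)
            if ($n -le 0) { return $null }
            return [byte[]]$buf[0..($n - 1)]
        } finally { $fs.Dispose() }
    } catch { return $null }
}

function Test-MagicMismatch {
    # Return a description of the mismatch between extension and content, or $null if consistent.
    param([string]$Extension, [byte[]]$Head)
    if ($Head.Count -lt 1) { return $null }
    switch ($Extension.ToLowerInvariant()) {
        '.p7b' {
            # DER PKCS#7 begins with an ASN.1 SEQUENCE tag (0x30); an XML or PE file renamed to .p7b will not.
            if ($Head[0] -ne 0x30) { return ("expected DER (0x30), got 0x{0:X2}" -f $Head[0]) }
        }
        '.xml' {
            # '<' at offset 0, or after a UTF-8 BOM (EF BB BF), or after a UTF-16LE BOM (FF FE).
            $ok = ($Head[0] -eq 0x3C) -or
                  ($Head.Count -ge 4 -and $Head[0] -eq 0xEF -and $Head[1] -eq 0xBB -and $Head[2] -eq 0xBF -and $Head[3] -eq 0x3C) -or
                  ($Head.Count -ge 3 -and $Head[0] -eq 0xFF -and $Head[1] -eq 0xFE -and $Head[2] -eq 0x3C)
            if (-not $ok) { return ("expected XML text, got 0x{0:X2}" -f $Head[0]) }
        }
        default {
            # A PE image (MZ header) stored under a non-executable extension is worth an analyst's look.
            if ($Extension -notin @('.exe', '.dll', '.sys') -and $Head.Count -ge 2 -and
                $Head[0] -eq 0x4D -and $Head[1] -eq 0x5A) {
                return "PE (MZ) header stored under extension '$Extension'"
            }
        }
    }
    return $null
}

function Invoke-WdacDeploymentAudit {
    param(
        [string]$ExpectedPolicyPath = '\\EXAMPLE-DC\SYSVOL\example.local\Policies\WDAC\SiPolicy.p7b',  # placeholder
        [string]$CiDir = "$env:SystemRoot\System32\CodeIntegrity",
        [int]$RecentDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry: is DeviceGuard being told to deploy a policy file we did not configure?
    $dgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (Test-Path $dgKey) {
        $dg = Get-ItemProperty -Path $dgKey
        if ($dg.DeployConfigCIPolicy -eq 1 -and $dg.ConfigCIPolicyFilePath -ne $ExpectedPolicyPath) {
            $findings.Add("Registry: DeployConfigCIPolicy=1 with ConfigCIPolicyFilePath='$($dg.ConfigCIPolicyFilePath)' (expected '$ExpectedPolicyPath')")
        }
    }

    # 2. Files under CodeIntegrity (recursive, so the CiPolicies subfolders are covered too).
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($f in Get-ChildItem -Path $CiDir -File -Recurse -Force -ErrorAction SilentlyContinue) {
        # New or recently modified file: the article recommends alerting on this by itself.
        if ($f.CreationTime -gt $cutoff -or $f.LastWriteTime -gt $cutoff) {
            $findings.Add("Recent: $($f.FullName) created $($f.CreationTime) modified $($f.LastWriteTime)")
        }
        # LastWriteTime before CreationTime means the file was copied in with its old modification
        # time or had its times rewritten; either way it was placed here rather than generated here.
        if ($f.LastWriteTime -lt $f.CreationTime.AddSeconds(-1)) {
            $findings.Add("Timestamp anomaly: $($f.FullName) LastWriteTime precedes CreationTime")
        }
        # Whole-second timestamps are a common timestomping heuristic: NTFS keeps 100 ns ticks,
        # while tools that rewrite timestamps often write second-granularity values.
        if (($f.LastWriteTime.Ticks % 10000000) -eq 0 -and ($f.CreationTime.Ticks % 10000000) -eq 0) {
            $findings.Add("Timestamp anomaly: $($f.FullName) has whole-second timestamps")
        }
        # Magic bytes versus extension.
        $mismatch = Test-MagicMismatch -Extension $f.Extension -Head (Get-LeadingBytes -Path $f.FullName)
        if ($mismatch) { $findings.Add("Magic mismatch: $($f.FullName): $mismatch") }
    }
    return $findings
}

$results = Invoke-WdacDeploymentAudit
if ($results.Count -eq 0) { 'No findings.' } else { $results }
```

Run it from an elevated prompt on a sample of endpoints first; the timestamp heuristics are indicators, not verdicts, and a freshly rolled-out legitimate policy will trip the "Recent" check by design. Each finding string is meant to be forwarded to a SIEM as-is, so the same checks can be scheduled rather than run by hand.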
As this situation unfolds, the cybersecurity community must focus on developing proactive defenses and evolving detection methodologies to stay ahead of these sophisticated threat vectors.