WDAC Exploited in Sophisticated Cyber Attacks on EDR Tools

In a sophisticated wave of cyber attacks, hackers are exploiting Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, posing a serious threat to corporate security systems. The method involves tampering with WDAC policies to block EDR executables, drivers, and services, creating blind spots that undermine defenses.

Evolution of the Technique

The attack technique first emerged with the release of a .NET-based proof-of-concept tool known as "Krueger" in December 2024. It has since evolved into a more potent threat with real malware variants like "DreamDemon," which is built using C++. Security researcher Jonathan Beierle identified several malware families that are adept at deploying these malicious WDAC policies.

Analysis reveals that the attackers specifically target prominent EDR vendors, including CrowdStrike Falcon, SentinelOne, Symantec Endpoint Protection, and Tanium. They manipulate policy rules referencing paths such as %OSDRIVE%\Program Files\CrowdStrike\* and %SYSTEM32%\drivers\CrowdStrike\*, effectively neutralizing the security measures of these agents before their initialization during system boot.

Malware Deployment Strategies

DreamDemon, a cutting-edge malware variant, incorporates WDAC policies directly as resources. This malware utilizes local SMB share references like \\localhost\C$ to deploy its policies, subsequently hiding and modifying timestamps of the policy files to avoid detection. The attackers also create decoy logs to obscure their activities and execute gpupdate /force to load the malicious policies via Group Policy updates.

The typical attack workflow includes loading embedded policy resources using functions like FindResourceW and LoadResource, followed by strategic placement of the policy files in the CodeIntegrity directory. These policy files employ a blacklist strategy, selectively allowing normal operations while blocking essential security processes based on Microsoft's AllowAll.xml template.

Advanced Techniques and Detection Challenges

Interestingly, the attackers leverage the latest Windows features, utilizing multiple wildcards in file path rules, especially on newer Windows Server versions. Despite ongoing efforts to bolster defenses, nine months after the initial disclosure, businesses are still grappling with insufficient protections against this multifaceted attack.

Effective detection strategies against this exploit include monitoring specific registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, analyzing policy signature mismatches, and deploying YARA rules for identifying embedded policy signatures and particular API call sequences. Without significant advancements, organizations remain vulnerable to these tailored and evasive cyber threats.

Update: 01 Sep 2025