WDAC Exploited in Sophisticated Cyber Attacks on EDR Tools

01 Sep 2025

In a wave of targeted intrusions, attackers are abusing Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, a serious threat to corporate defenses. The method involves dropping a tampered WDAC policy that denies the EDR's executables, drivers, and services; once Code Integrity enforces it, the agent cannot load, and the host becomes a blind spot for the security team.

Evolution of the Technique

The technique first surfaced publicly with the release of a .NET-based proof-of-concept tool known as "Krueger" in December 2024. It has since evolved into in-the-wild malware such as "DreamDemon," which is written in C++. Security researcher Jonathan Beierle identified several malware families that deploy these malicious WDAC policies.

Analysis shows that the policies specifically target prominent EDR products, including CrowdStrike Falcon, SentinelOne, Symantec Endpoint Protection, and Tanium. They contain deny rules referencing paths such as %OSDRIVE%\Program Files\CrowdStrike\* and %SYSTEM32%\drivers\CrowdStrike\*. Because Code Integrity applies the policy at boot, before the EDR's driver and service are started, the agent is blocked before it can initialize.

Malware Deployment Strategies

DreamDemon embeds its WDAC policies directly as resources in the binary. It writes the policy through the local administrative share (\\localhost\C$) rather than a plain drive path, then marks the policy file hidden and alters its timestamps to hinder detection. It also writes decoy log entries to obscure its activity and runs gpupdate /force so that Group Policy processing loads the malicious policy.

The typical workflow is to locate and load the embedded policy resource with FindResourceW and LoadResource, then write the policy file into the CodeIntegrity directory. The policies follow a blocklist approach: they are built on Microsoft's AllowAll.xml example template (shipped under %SystemRoot%\schemas\CodeIntegrity\ExamplePolicies), which permits everything, and add Deny file-path rules for the security software, so normal operation continues while the EDR processes and drivers are blocked.

Advanced Techniques and Detection Challenges

Notably, the attackers take advantage of recent Windows capabilities, using file path rules containing multiple wildcards, which newer Windows Server versions accept. Nine months after the initial disclosure, many organizations still lack controls that would prevent this attack.

Detection opportunities include monitoring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, where Group Policy records the configured policy file path; watching the CodeIntegrity directory for new or modified policy files; comparing the policy actually loaded against the one the organization deployed (policy signature mismatches); and deploying YARA rules that match the embedded policy blobs and the resource-loading API call sequence in the droppers. Without such controls, organizations remain exposed to these tailored and evasive attacks.
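The following hunt script is an added example, not code from this article or from the research it summarizes. It checks a single host for the indicators described above: the DeviceGuard registry values, policy files in the CodeIntegrity directory (hidden attributes, recent writes, and embedded references to EDR vendors), the policies CiTool reports as loaded, and recent Code Integrity events. The vendor watchlist and the 30-day window are assumptions chosen for illustration, as is the premise that path strings inside binary policy files are stored as UTF-16LE.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# on the host under investigation. Watchlist, time window and the UTF-16LE
# string assumption are illustrative choices, not facts from the article.

function Test-Utf16Substring {
    param([byte[]]$Bytes, [string]$Needle)
    # Assumption: path strings in a binary WDAC policy are UTF-16LE, so an
    # ASCII search would miss them. Decode at both byte offsets so a string
    # that starts at an odd offset is still found.
    foreach ($offset in 0, 1) {
        if ($Bytes.Length - $offset -lt 2) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $offset, $Bytes.Length - $offset)
        if ($text.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Invoke-WdacPolicyHunt {
    param(
        [string[]]$VendorWatchlist = @('CrowdStrike', 'SentinelOne', 'Symantec', 'Tanium'),  # constructed list
        [int]$RecentDays = 30                                                                # assumed window
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. The "Deploy Windows Defender Application Control" GPO writes these
    #    values; an unexpected path here is what 'gpupdate /force' would load.
    $dgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (Test-Path $dgKey) {
        $dg = Get-ItemProperty -Path $dgKey
        foreach ($name in 'DeployConfigCIPolicy', 'ConfigCIPolicyFilePath') {
            if ($null -ne $dg.$name) { Add-Finding 'Registry' "$name = $($dg.$name)" }
        }
    }

    # 2. Policy files on disk: SiPolicy.p7b (single-policy format) and
    #    CiPolicies\Active\{PolicyGUID}.cip (multiple-policy format).
    $ciDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $policyFiles = @(
        Get-ChildItem -LiteralPath (Join-Path $ciDir 'SiPolicy.p7b') -Force -ErrorAction SilentlyContinue
        Get-ChildItem -Path (Join-Path $ciDir 'CiPolicies\Active') -Filter '*.cip' -Force -ErrorAction SilentlyContinue
    )
    foreach ($file in $policyFiles) {
        if ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden)) {
            Add-Finding 'Attributes' "$($file.FullName) is Hidden; deployed policies normally are not"
        }
        if ($file.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays)) {
            Add-Finding 'Timestamp' "$($file.FullName) written $($file.LastWriteTime)"
        }
        # Timestomping rewrites these timestamps, so an old LastWriteTime is not
        # proof of age; compare against the MFT $FILE_NAME timestamps offline.
        $bytes = [IO.File]::ReadAllBytes($file.FullName)
        foreach ($vendor in $VendorWatchlist) {
            if (Test-Utf16Substring -Bytes $bytes -Needle $vendor) {
                Add-Finding 'Content' "$($file.FullName) contains '$vendor' (possible Deny rule on an EDR path)"
            }
        }
    }

    # 3. On Windows 11 22H2 / Server 2022 and later, CiTool lists the policies
    #    actually loaded, which is what to compare against the intended deployment.
    $ciTool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
    if (Test-Path $ciTool) {
        Add-Finding 'CiTool' ((& $ciTool --list-policies --json) -join '')
    }

    # 4. Code Integrity events: 3099 = a policy was loaded or refreshed,
    #    3077 = an executable was blocked by the enforced policy.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099, 3077
        StartTime = (Get-Date).AddDays(-$RecentDays)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        Add-Finding "Event $($e.Id)" "$($e.TimeCreated): $(($e.Message -split "`r?`n")[0])"
    }
    return $findings
}

Invoke-WdacPolicyHunt | Format-Table -AutoSize -Wrap
```

A clean host produces at most a CiTool line and the 3099 events from the organization's own policy deployment; a hidden or recently written policy file that names an EDR vendor, paired with a 3099 shortly before the agent stopped reporting, is the timeline a responder should expect from the activity described in this article.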
