
Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents

Cybercriminals are exploiting Windows Defender Application Control (WDAC) policies to systematically disable Endpoint Detection and Response (EDR) agents, creating a dangerous blind spot in corporate security infrastructure.

Real-world threat actors, including ransomware groups like Black Basta, have now adopted a sophisticated attack technique originally developed as a proof-of-concept. 

Key Takeaways
1. Attackers weaponize WDAC to block EDR at startup.
2. Proof-of-concept “Krueger” has morphed into real malware like “DreamDemon”.
3. Nine months in, defenses remain insufficient, leaving EDR systems exposed.

Jonathan Beierle has identified multiple malware families leveraging WDAC policies to neutralize EDR systems, effectively turning Microsoft’s own security feature against itself.

The technique involves deploying malicious WDAC policies that create application control rules blocking EDR executables, drivers, and services from running. 

By placing such a policy at C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, attackers have it enforced before EDR agents initialize during system boot.

Threat Actors Weaponize WDAC Policies

Jonathan Beierle stated that the weaponization of WDAC began with the release of “Krueger,” a .NET-based proof-of-concept tool that demonstrated how WDAC could disable EDR systems.

Since its December 2024 release, cybersecurity researchers have observed significant adoption by threat actors, with multiple samples appearing in malware repositories throughout 2025.

Analysis of captured samples reveals sophisticated targeting of major EDR vendors, including CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Symantec Endpoint Protection, and Tanium. 

The malicious WDAC policies contain specific file path rules such as %OSDRIVE%\Program Files\CrowdStrike\* and driver blocking rules targeting %SYSTEM32%\drivers\CrowdStrike*.

A new malware family dubbed “DreamDemon” has emerged, representing an evolution of the technique. Unlike the original Krueger tool written in .NET, DreamDemon samples are compiled from C++ code and demonstrate enhanced stealth capabilities. 

These samples embed WDAC policies as resources, deploy them using local SMB share references like \\localhost\C$, and implement file hiding and timestomping techniques to avoid detection.

The attack workflow follows a consistent four-step process: loading the embedded policy from executable resources using Windows API functions FindResourceW, LoadResource, and LockResource; placing the policy in the critical CodeIntegrity directory; hiding and timestomping the policy file; and creating decoy log files to mask activity.

Figure: WDAC policies

DreamDemon samples demonstrate particular sophistication by executing gpupdate /force commands after policy deployment, suggesting integration with Group Policy Objects (GPOs) for persistent policy application. 

This technique leverages the Computer Configuration > Administrative Templates > System > Device Guard > Deploy Windows Defender Application Control setting to load policies from arbitrary locations.

The malicious policies utilize improved “blacklist” approaches based on Microsoft’s AllowAll.xml template, allowing normal system operation while selectively blocking security products. 

Advanced samples target Windows 11 and Server 2025 systems by using multiple wildcard characters in file path rules, a capability unavailable in earlier Windows versions.

Detection mechanisms include monitoring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for the ConfigCIPolicyFilePath and DeployConfigCIPolicy values, analyzing file signature mismatches where WDAC policies masquerade as other file types, and implementing YARA rules targeting embedded policy signatures and specific API call patterns.
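The following host audit script is an added example, not code from the article or from the researcher it cites; it checks the registry values, policy file locations and masquerading indicators described above. The loopback-share pattern, the DER-header heuristic (signed .p7b policies are PKCS#7 DER, which begins with 0x30 0x82) and the use of Code Integrity event 3099 as a policy-activation signal are the author's assumptions; run it from an elevated PowerShell session.

```powershell
# Added example (not the article's code): audit a host for WDAC policy deployment artifacts.
$findings = @()

# 1. GPO-based deployment (Deploy Windows Defender Application Control setting).
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
if (Test-Path $gpKey) {
    $gp = Get-ItemProperty -Path $gpKey
    if ($gp.DeployConfigCIPolicy -eq 1 -or $gp.ConfigCIPolicyFilePath) {
        $findings += "GPO WDAC deployment: DeployConfigCIPolicy=$($gp.DeployConfigCIPolicy) Path=$($gp.ConfigCIPolicyFilePath)"
        # Assumption: a policy path that loops back to the local disk over SMB is not a normal admin pattern.
        if ($gp.ConfigCIPolicyFilePath -match '^\\\\(localhost|127\.0\.0\.1)\\') {
            $findings += "Policy path uses a loopback SMB share: $($gp.ConfigCIPolicyFilePath)"
        }
    }
}

# 2. Policy files on disk: legacy single-policy file plus the multi-policy directory.
$ciDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$policyPaths = @((Join-Path $ciDir 'SiPolicy.p7b'), (Join-Path $ciDir 'CiPolicies\Active\*.cip'))
foreach ($f in (Get-ChildItem -Path $policyPaths -Force -File -ErrorAction SilentlyContinue)) {
    $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    # Report timestamps so they can be compared with change records; a hidden policy file is itself unusual.
    $findings += "Policy file $($f.FullName) hidden=$hidden created=$($f.CreationTimeUtc.ToString('u')) modified=$($f.LastWriteTimeUtc.ToString('u'))"
}

# 3. Masquerading: non-policy extensions in the CodeIntegrity directory that start with a DER SEQUENCE header.
foreach ($f in (Get-ChildItem -Path $ciDir -Force -File -ErrorAction SilentlyContinue)) {
    if ($f.Extension -in '.p7b', '.cip', '.bin') { continue }
    $fs = [IO.File]::OpenRead($f.FullName)
    $hdr = New-Object byte[] 2
    $null = $fs.Read($hdr, 0, 2)
    $fs.Close()
    if ($hdr[0] -eq 0x30 -and $hdr[1] -eq 0x82) {
        $findings += "Possible disguised signed policy: $($f.FullName)"
    }
}

# 4. Current enforcement state (0 = off, 1 = audit, 2 = enforced) and recent policy activations.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) { $findings += "CodeIntegrityPolicyEnforcementStatus=$($dg.CodeIntegrityPolicyEnforcementStatus)" }
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099 } -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $evt) { $findings += "Policy activation event 3099 at $($e.TimeCreated.ToUniversalTime().ToString('u'))" }

$findings
```

Correlate any hit against your own change records: a policy file or GPO value that no administrator deployed is the signal the article describes.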

The cybersecurity industry faces a critical challenge as this technique remains largely effective nine months after initial disclosure, with limited preventative capabilities deployed by EDR vendors despite widespread awareness of the threat vector.


The post Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents appeared first on Cyber Security News.
