New GhostLocker Tool that Uses Windows AppLocker to Neutralize and Control EDR


A new tool named GhostLocker has been released, demonstrating a novel technique to neutralize Endpoint Detection and Response (EDR) systems by weaponizing the native Windows AppLocker feature.

Developed by security researcher zero2504, the tool highlights a fundamental architectural vulnerability in modern EDR solutions: their reliance on userland components for analysis and reporting.

Unlike traditional EDR bypasses that attempt to exploit kernel drivers or perform complex memory manipulation, GhostLocker leverages the inherent authority granted to system administrators. The tool utilizes AppLocker, Microsoft’s application whitelisting framework introduced in Windows 7, to enforce “Deny” rules against EDR executables.

The concept is straightforward but effective: administrators have the legitimate power to control software execution. GhostLocker automates this by deploying policies that explicitly block EDR processes from launching or restarting.

The tool offers two modes of operation: a dynamic version that enumerates running processes to generate precise rules, and a static version that uses wildcard paths (e.g., *MsMpEng.exe) to block targets without prior enumeration.


The research behind GhostLocker reveals that while AppLocker cannot terminate already running processes, a simple reboot after policy application renders the EDR ineffective.


Crucially, the tool does not block the EDR’s kernel drivers (*.sys). These drivers continue to load, register callbacks, and collect telemetry.

However, the research findings show that this telemetry becomes useless without the corresponding userland services. Modern EDRs rely on user-mode components to correlate events, perform behavioral analysis, and send alerts to the cloud. When these userland “brains” are blocked by AppLocker, the EDR is effectively blinded, even though its kernel “eyes” are still open.

During extensive testing against commercial EDR products, GhostLocker achieved complete neutralization. Despite the blocking, management consoles continued to report the agents as “online” and “protected,” as the heartbeat mechanisms were often decoupled from the analysis engines. Furthermore, previously detected injection attacks went unnoticed because the behavioral analysis engines could not execute.

The tool also demonstrates a distinct advantage over Windows Defender Application Control (WDAC) attacks. While WDAC operates at the kernel level to block drivers, AppLocker policies are strictly userland, making them easier to deploy for targeted blocking while maintaining the appearance of a functioning system.


The release emphasizes that this is not an exploit, but an abuse of legitimate features. To defend against this, organizations are advised to monitor for AppLocker policy changes via AppID.sys IOCTL signals and to ensure their security products utilize the Get-AppLockerFileInformation API to pre-validate their own execution status.
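As a defensive complement to the monitoring advice above, the following added example (not part of GhostLocker or of the original article) audits an exported AppLocker policy for Deny rules that could stop a security product's user-mode processes from launching. It assumes the policy was exported on the endpoint with `Get-AppLockerPolicy -Effective -Xml` and is then checked offline; the policy embedded below is a constructed sample, and every watchlist entry other than MsMpEng.exe (the Defender engine the article names) is a placeholder for whatever agents actually run in your environment.

```python
"""Audit an exported AppLocker policy for Deny rules that could block
security-product executables (defensive check; constructed sample data)."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed watchlist: MsMpEng.exe comes from the article, the other
# entry is a placeholder standing in for your own EDR agent binaries.
WATCHLIST = ("MsMpEng.exe", "example-edr-agent.exe")

# Only the Exe and Dll collections can prevent a user-mode service from
# starting; Script/Msi/Appx collections are irrelevant for this question.
RELEVANT_COLLECTIONS = {"Exe", "Dll"}


def _leaf(path):
    """Last component of an AppLocker path condition."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _is_specific(leaf):
    """True when the leaf names a particular file (e.g. '*MsMpEng.exe'),
    False for directory- or extension-wide patterns such as '*' or '*.exe'."""
    stem = leaf.rsplit(".", 1)[0]
    return any(ch not in "*?" for ch in stem)


def _matches(pattern, name):
    """AppLocker path matching is case-insensitive and uses '*' wildcards."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def audit_applocker_policy(policy_xml, watchlist=WATCHLIST):
    """Return one finding per Deny rule in an Exe/Dll collection.

    kind == "targeted": a path rule whose file pattern matches a watched name.
    kind == "broad":    a path rule denying a whole directory or extension,
                        which may cover a product's install folder; review it.
    kind == "other":    a hash- or publisher-based Deny rule; review manually.
    enforced is False for AuditOnly collections, which log but do not block.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for collection in root.iter("RuleCollection"):
        ctype = collection.get("Type", "")
        if ctype not in RELEVANT_COLLECTIONS:
            continue
        enforced = collection.get("EnforcementMode") == "Enabled"
        for rule in collection:
            if rule.get("Action") != "Deny":
                continue
            base = {
                "rule_id": rule.get("Id"),
                "rule_name": rule.get("Name"),
                "rule_type": rule.tag,
                "collection": ctype,
                "enforced": enforced,
                "sid": rule.get("UserOrGroupSid"),
                "path": None,
                "matched": None,
            }
            if rule.tag != "FilePathRule":
                findings.append({**base, "kind": "other"})
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                leaf = _leaf(path)
                if not _is_specific(leaf):
                    findings.append({**base, "kind": "broad", "path": path})
                    continue
                for name in watchlist:
                    if _matches(leaf, name):
                        findings.append({**base, "kind": "targeted",
                                         "path": path, "matched": name})
                        break
    return findings


# Constructed sample in the schema Get-AppLockerPolicy -Effective -Xml emits.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="Block engine" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*MsMpEng.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2" Name="Block vendor dir" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\ExampleVendor\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="a3" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="a4" Name="Block notepad" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\notepad.exe"/></Conditions>
    </FilePathRule>
    <FileHashRule Id="h1" Name="Hash deny" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FileHashCondition><FileHash Type="SHA256" Data="0x00" SourceFileName="x.exe" SourceFileLength="1"/></FileHashCondition></Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="b1" Name="Irrelevant" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*MsMpEng.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

if __name__ == "__main__":
    for f in audit_applocker_policy(SAMPLE_POLICY):
        print(f["kind"], f["rule_id"], f["collection"], "enforced" if f["enforced"] else "audit-only", f["path"], f["matched"])
```

Run it against the effective policy rather than only the local one, since a domain GPO can carry the Deny rule while the local policy looks clean. A "targeted" hit in an enforced Exe collection is the condition the article describes and deserves the same priority as a tampered service; "broad" and "other" findings need a human to decide whether the denied directory, hash or publisher overlaps a security product. For the pre-validation the article recommends, Test-AppLockerPolicy is the cmdlet that evaluates whether a specific file would be allowed to run under a given policy, so a product can check its own binaries before the next reboot turns a pending Deny rule into an outage.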
