Cybercriminals are now weaponizing Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents en masse.
What began as a proof-of-concept research release in December 2024 has quickly evolved into an active threat, with multiple malware families adopting WDAC policy abuse to evade detection and block security tools entirely.
The original proof-of-concept, dubbed “Krueger,” demonstrated how an attacker could embed a custom WDAC policy that selectively blocked executable files and drivers belonging to major EDR vendors—including CrowdStrike, SentinelOne, Symantec, Tanium, Microsoft Defender for Endpoint, and Velociraptor.
By dropping the policy into the CodeIntegrity folder and triggering a group policy update, Krueger effectively prevented EDR services and drivers from loading on the target system.
Shortly after the disclosure, threat actors began deploying Krueger in the wild. A YARA rule written by the original researcher identified several new Krueger samples between January and August 2025, including SHA-256 hashes 90937b3a64cc834088a0628fda9ce5bd2855bedfc76b7a63f698784c41da4677 and a795b79f1d821b8ea7b21c7fb95d140512aaef5a186da49b9c68d8a3ed545a89.
Analysis of these samples revealed a common set of block rules targeting EDR file paths and driver names, as well as descriptors tied to Microsoft Defender’s core services.
Building on this momentum, a new malware family known as “DreamDemon” has emerged, signaling a second wave of WDAC exploitation.
Unlike Krueger’s .NET implementation, DreamDemon is written in C++ and embeds a WDAC policy directly in its resources.
Upon execution, it writes the policy to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, hides and timestomps the file, and even triggers a gpupdate command—though this only applies if the system’s group policy is preconfigured to reference the malicious policy location.
DreamDemon samples drop logs in either the current working directory (app.log) or in C:\Windows\Temp\app_log.log, possibly containing encrypted or obfuscated metadata.
The malicious policies used by both Krueger and DreamDemon illustrate deficiencies in EDR prevention capabilities.
File path rules cannot fully block kernel-mode code, and signature-based blocks—observed in a Beazley Security incident—complicate triage by hiding familiar identifiers.
As of September 2025, industry detection remains reactive: Elastic and CrowdStrike have released detection rules, and Microsoft Defender for Endpoint can prevent policy abuse, but no vendor offers a comprehensive preventative control against WDAC-based shutdowns.
To counter this threat, security teams should monitor Windows DeviceGuard registry keys—ConfigCIPolicyFilePath and DeployConfigCIPolicy—for unexpected policy deployments.
Alerting on new or renamed files in C:\Windows\System32\CodeIntegrity can also catch dropped policies. Finally, validating file magic bytes against extensions (e.g., a WDAC policy binary carrying a .pdf extension) may reveal hidden policies.
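As an added example (not code from the article or from the researchers it cites), the following read-only PowerShell audit covers the three indicators just listed: the DeviceGuard registry values, recently added files in the CodeIntegrity folder, and header-versus-extension mismatches. The 7-day window, the scanned directories and the DER/PDF header heuristics are assumptions to tune to your own baseline.

```powershell
# Added example: audit host for the WDAC policy-abuse indicators above. Run elevated.
$DeviceGuardKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$CodeIntegrityDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$ScanDirs         = @($CodeIntegrityDir, (Join-Path $env:SystemRoot 'Temp'))  # assumed scope
$Cutoff           = (Get-Date).AddDays(-7)                                     # assumed window
$Findings         = [System.Collections.Generic.List[string]]::new()

# 1. Group-policy pointer to a policy file. A sanctioned WDAC rollout sets these too,
#    so compare the reported path against the one your own deployment uses.
if (Test-Path $DeviceGuardKey) {
    $dg = Get-ItemProperty -Path $DeviceGuardKey
    if ($dg.DeployConfigCIPolicy -eq 1 -or $dg.ConfigCIPolicyFilePath) {
        $Findings.Add("DeviceGuard deployment set: DeployConfigCIPolicy=$($dg.DeployConfigCIPolicy) path=$($dg.ConfigCIPolicyFilePath)")
    }
}

# 2. New or recently modified files in CodeIntegrity. -Force surfaces hidden files,
#    which matters because DreamDemon hides the policy it drops.
Get-ChildItem -Path $CodeIntegrityDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Cutoff -or $_.LastWriteTime -gt $Cutoff } |
    ForEach-Object {
        $hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        $Findings.Add("recent CodeIntegrity file: $($_.FullName) created=$($_.CreationTime) hidden=$hidden")
    }

# 3. Magic bytes versus extension. A signed policy (.p7b) is DER-encoded PKCS#7, so it
#    starts with an ASN.1 SEQUENCE tag 0x30 followed by a long-form length; a PDF
#    starts with "%PDF". Assumed heuristic: DER header under a non-certificate
#    extension, or a .pdf without a PDF header, is flagged for triage.
function Get-HeaderKind {
    param([string]$Path)
    $b = New-Object byte[] 4
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($b, 0, 4) } finally { $fs.Dispose() }
    if ($n -ge 4 -and [Text.Encoding]::ASCII.GetString($b, 0, 4) -eq '%PDF') { return 'pdf' }
    if ($n -ge 2 -and $b[0] -eq 0x30 -and ($b[1] -band 0x80)) { return 'der' }
    return 'other'
}
$DerExtensions = @('.p7b', '.cer', '.crt', '.der')
foreach ($dir in $ScanDirs) {
    Get-ChildItem -Path $dir -File -Force -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        try { $kind = Get-HeaderKind $_.FullName } catch { return }   # skip locked files
        $ext = $_.Extension.ToLowerInvariant()
        if (($kind -eq 'der' -and $ext -notin $DerExtensions) -or ($ext -eq '.pdf' -and $kind -ne 'pdf')) {
            $Findings.Add("header/extension mismatch: $($_.FullName) header=$kind ext=$ext")
        }
    }
}

if ($Findings.Count -eq 0) { 'No WDAC policy-abuse indicators found.' } else { $Findings }
```

The script only reads; feed its output to your SIEM or compare it against a known-good snapshot rather than acting on a single run.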
As WDAC morphs from a defensive feature into an offensive weapon, organizations must adapt their prevention, detection, and response strategies to guard against this emerging class of policy-based attacks.