A sophisticated attack technique weaponizes Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows machines.
WDAC, a technology introduced with Windows 10 and Windows Server 2016, was designed to give organizations fine-grained control over executable code on their Windows devices.
However, security experts have discovered that malicious actors can exploit this feature to their advantage, potentially leaving entire networks vulnerable to attack.
The technique, which falls under the MITRE ATT&CK framework’s “Impair Defenses” category (T1562), allows attackers with administrative privileges to craft and deploy specially designed WDAC policies.
These policies can effectively block EDR sensors from loading during system boot, rendering them inoperative and allowing adversaries to operate without the constraints of these critical security solutions.
The attack can be executed in various ways, from targeting individual machines to compromising entire domains. In the most severe scenarios, an attacker with domain admin privileges could distribute malicious WDAC policies throughout an organization, systematically disabling EDR sensors on all endpoints.
How the Attack Works
The attack involves three primary phases:
- Policy Placement: The attacker creates a custom WDAC policy allowing their own tools to execute while blocking security solutions. This policy is then placed in the C:\Windows\System32\CodeIntegrity directory on the target machine.
- Reboot Requirement: Since WDAC policies apply only after a reboot, the attacker restarts the endpoint to enforce the new policy.
- Disabling EDR: Upon reboot, the malicious policy takes effect, preventing the EDR sensor from starting and leaving the system vulnerable to further compromise.
A proof-of-concept tool named “Krueger” has already emerged, designed specifically for this attack vector. Created by security researcher Logan Goins, Krueger can be run in memory as part of post-exploitation activities, making it a potent weapon in an attacker’s arsenal.
While detection of this attack is challenging due to its use of legitimate Windows features, experts recommend several mitigation strategies.
These include enforcing WDAC policies through group policy, restricting permissions to code integrity folders and SMB shares, and adhering to the principle of least privilege in network administration.
Mitigation Strategies
Organizations can reduce their exposure to this threat by:
- Enforcing WDAC Policies via GPOs: Deploy central WDAC policies that override local changes, ensuring malicious policies cannot take effect.
- Applying Principle of Least Privilege: Restrict permissions to modify WDAC policies, access SMB shares, or write to sensitive folders.
- Implementing Secure Administrative Practices: Disable or secure local administrator accounts using tools like Microsoft’s Local Administrator Password Solution (LAPS).
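The mitigations above and the earlier detection advice both come down to the same questions a defender should be able to answer on any endpoint: which WDAC policy files are present in the code integrity directory, who can write there, whether the policy path is centrally managed, and when a policy was last activated. The PowerShell audit script below is an added example written for this article; it is not code from the article, from Microsoft, or from the Krueger tool. It assumes it is run elevated on a Windows 10/11 or Server host, uses the standard single-policy (SiPolicy.p7b) and multiple-policy (CiPolicies\Active\*.cip) locations, the Microsoft-Windows-CodeIntegrity/Operational log, and the DeviceGuard Group Policy registry key. The known-good hash list is a placeholder to be filled from the policies your organization actually deploys.

```powershell
# Added example (not from the article or any vendor): audit WDAC policy state on one host.
# Assumptions: run as Administrator; $KnownGood is a placeholder for the SHA256 hashes
# of the policies you deploy centrally (GPO/Intune). Anything else is flagged UNEXPECTED.
$CiRoot  = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$Targets = @(
    (Join-Path $CiRoot 'SiPolicy.p7b'),              # single-policy format
    (Join-Path $CiRoot 'CiPolicies\Active\*.cip')    # multiple-policy format
)
$KnownGood = @('<SHA256-OF-APPROVED-POLICY-PLACEHOLDER>')

Write-Host "== WDAC policy files present under $CiRoot =="
Get-ChildItem -Path $Targets -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $_.FullName
        LastWrite = $_.LastWriteTime
        SHA256    = $hash
        Status    = if ($KnownGood -contains $hash) { 'KNOWN' } else { 'UNEXPECTED' }
    }
} | Format-Table -AutoSize

Write-Host "== Non-privileged principals with write access to $CiRoot =="
# Only these identities are expected to hold write rights on the code integrity folder.
$Privileged = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
(Get-Acl -Path $CiRoot).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $Privileged -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

Write-Host "== Group Policy-managed WDAC policy path (empty means no central policy) =="
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
    -Name 'ConfigCIPolicyFilePath' -ErrorAction SilentlyContinue |
    Select-Object ConfigCIPolicyFilePath

Write-Host "== Code Integrity policy activations in the last 30 days (event 3099) =="
# A 3099 shortly after an unexpected reboot, paired with an UNEXPECTED file above,
# is the pattern this attack leaves behind.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from a scheduled task or your EDR's live-response console and forward the output to your SIEM; an UNEXPECTED policy file, a write-capable non-admin ACL entry, or an empty Group Policy path are each worth an alert on their own, and a policy activation event that coincides with an EDR sensor failing to start after reboot is the signal to treat the host as compromised.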
“Organizations need to be aware of this threat and take proactive measures,” warned Mark Johnson, CISO of a Fortune 500 company. “Implementing strong access controls and regularly auditing WDAC policies are now more crucial than ever.”
As security tools become more sophisticated, so too do the methods to subvert them. This development underscores the need for a multi-layered approach to cybersecurity and constant vigilance in the face of emerging attack techniques.
As the cybersecurity community grapples with this new threat, organizations are urged to review their security postures and ensure they have appropriate safeguards in place.