WDAC policies Archives

Winsage

September 1, 2025

Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents

Cybercriminals are using Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, creating vulnerabilities in corporate security. Ransomware groups like Black Basta have adopted this method, which evolved from a proof-of-concept tool called "Krueger" into real malware named "DreamDemon." Attackers manipulate the C:WindowsSystem32CodeIntegritySiPolicy.p7b file to implement malicious WDAC policies that block EDR executables during system startup. The technique involves a four-step process: loading the policy, placing it in the CodeIntegrity directory, hiding the policy file, and creating decoy log files. DreamDemon samples, written in C++, exhibit enhanced stealth and target major EDR vendors. Detection efforts focus on monitoring specific registry keys and analyzing file signatures. Despite awareness of this threat, EDR vendors have not implemented sufficient preventative measures, leaving systems exposed.

Winsage

September 1, 2025

Hackers Exploit Windows Defender Policies to Shut Down EDR Agents

Cybercriminals are exploiting Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents. This threat emerged from a proof-of-concept called "Krueger," which demonstrated how to block EDR services by integrating a custom WDAC policy. Following its release in December 2024, various malware families began using this technique, including a new malware called "DreamDemon," which embeds a WDAC policy within its resources and modifies system files to evade detection. Both Krueger and DreamDemon reveal significant weaknesses in EDR capabilities, as current prevention measures are largely reactive and insufficient against these types of attacks. As of September 2025, no vendor has provided a comprehensive solution to prevent WDAC-based shutdowns. Security teams are advised to monitor specific registry keys and file changes to detect potential policy abuses.

Tech Optimizer

April 16, 2025

Hackers find a way around built-in Windows protections

Windows Defender Application Control (WDAC) is a built-in security feature on Windows PCs that restricts the execution of unauthorized software by allowing only trusted applications. However, hackers have discovered multiple methods to bypass WDAC, exposing systems to malware and cyber threats. Techniques for bypassing WDAC include using Living-off-the-Land Binaries (LOLBins), DLL sideloading, and exploiting misconfigurations in WDAC policies. Attackers can execute unauthorized code without triggering alerts from traditional security solutions, enabling them to install ransomware or create backdoors. Microsoft operates a bug bounty program to address vulnerabilities in WDAC, but some bypass techniques remain unpatched for long periods. Users can mitigate risks by keeping Windows updated, being cautious with software downloads, and using strong antivirus software.

Winsage

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.