Cybercriminals are increasingly leveraging Windows Defender Application Control (WDAC) policies as a means to disable Endpoint Detection and Response (EDR) agents on a large scale. What initially began as a proof-of-concept research release in December 2024 has rapidly transformed into a pressing threat, with various malware families now exploiting WDAC policy abuse to evade detection and neutralize security tools entirely.
Emergence of the Threat
The original proof-of-concept, known as “Krueger,” showcased how an attacker could integrate a custom WDAC policy that selectively blocked executable files and drivers from prominent EDR vendors, including CrowdStrike, SentinelOne, Symantec, Tanium, Microsoft Defender for Endpoint, and Velociraptor. By placing the policy into the CodeIntegrity folder and executing a group policy update, Krueger effectively obstructed EDR services and drivers from loading on the targeted system.
Following the initial disclosure, malicious actors swiftly began deploying Krueger in real-world scenarios. A YARA rule established by the original researcher identified several new Krueger samples between January and August 2025, including notable SHA-256 hashes such as 90937b3a64cc834088a0628fda9ce5bd2855bedfc76b7a63f698784c41da4677 and a795b79f1d821b8ea7b21c7fb95d140512aaef5a186da49b9c68d8a3ed545a89.
Analysis of these samples revealed a consistent set of block rules targeting EDR file paths and driver names, along with descriptors associated with Microsoft Defender’s core services.
The Rise of DreamDemon
Building on the momentum established by Krueger, a new malware family dubbed “DreamDemon” has surfaced, indicating a second wave of WDAC exploitation. Unlike its predecessor’s .NET implementation, DreamDemon is crafted in C++ and embeds a WDAC policy directly within its resources.
Upon execution, DreamDemon writes the policy to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, hides and timestamps the file, and even triggers a gpupdate command, provided the system's group policy is preconfigured to reference the malicious policy location. The DreamDemon samples also write logs to either the current working directory (app.log) or to C:\Windows\Temp\app_log.log, which may contain encrypted or obfuscated metadata.
Deficiencies in EDR Capabilities
The malicious policies employed by both Krueger and DreamDemon highlight significant shortcomings in EDR prevention capabilities. File path rules alone cannot comprehensively block kernel-mode code, and signature-based blocks, as evidenced in a Beazley Security incident, complicate triage by obscuring familiar identifiers.
As of September 2025, industry detection efforts remain largely reactive. While Elastic and CrowdStrike have introduced detection rules, and Microsoft Defender for Endpoint has implemented measures to prevent policy abuse, no vendor currently offers a holistic preventative control against WDAC-based shutdowns.
Recommendations for Security Teams
In response to this emerging threat, security teams are encouraged to monitor the Windows DeviceGuard registry values ConfigCIPolicyFilePath and DeployConfigCIPolicy for any unexpected policy deployments. Alerting on new or renamed files within C:\Windows\System32\CodeIntegrity can also help identify dropped policies. Additionally, validating file magic bytes against extensions (for instance, a WDAC binary policy carrying a .pdf extension) may uncover hidden policies.
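The magic-byte check above, as an added illustration (not code from the researcher or from either malware family): it flags files whose contents do not match their extension and recognises the DER-encoded PKCS#7 wrapper that a signed SiPolicy.p7b uses. The DER heuristic (a single top-level SEQUENCE whose length covers the whole file) and the small magic table are assumptions for this example; an unsigned binary policy has a different layout and is not detected by it.

```python
import os
from typing import Iterator, Tuple

# Constructed table of expected leading bytes; extend with the document types
# you expect to see in monitored folders.
MAGIC = {
    ".pdf": b"%PDF-",
    ".exe": b"MZ",
    ".dll": b"MZ",
    ".png": b"\x89PNG",
}


def looks_like_der_pkcs7(data: bytes) -> bool:
    """Heuristic: a signed WDAC policy is a DER PKCS#7 blob, i.e. one SEQUENCE
    (tag 0x30) whose encoded length plus header equals the file size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def classify_bytes(name: str, data: bytes) -> str:
    """Compare a file's extension with its leading bytes and return a verdict."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".p7b":                      # policies are expected to be DER
        return "ok" if looks_like_der_pkcs7(data) else "suspect:p7b-not-der"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if data.startswith(expected):
        return "ok"
    # Content disagrees with the extension: a DER blob named .pdf is exactly
    # the "hidden policy" case the recommendation describes.
    return "mismatch:der-pkcs7" if looks_like_der_pkcs7(data) else "mismatch:other"


def scan_dir(directory: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for every file in `directory` that is not 'ok'."""
    for entry in os.scandir(directory):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                verdict = classify_bytes(entry.name, fh.read())
            if verdict != "ok":
                yield entry.path, verdict
```

Run `scan_dir` against a dropped-file staging folder or the CodeIntegrity directory and forward any non-ok verdict to your alerting pipeline.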
As WDAC transitions from a defensive feature to an offensive weapon, organizations must evolve their prevention, detection, and response strategies to effectively combat this new class of policy-based attacks.