Cybercriminals are increasingly turning to Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, thereby creating significant vulnerabilities within corporate security frameworks. This alarming trend has been observed among real-world threat actors, including notorious ransomware groups such as Black Basta, who have adopted a sophisticated attack method initially conceived as a proof-of-concept.
Key Takeaways
1. Attackers weaponize WDAC to block EDR at startup.
2. Proof-of-concept “Krueger” has morphed into real malware like “DreamDemon”.
3. Nine months in, defenses remain insufficient, leaving EDR systems exposed.
Jonathan Beierle has uncovered multiple malware families that exploit WDAC policies to effectively neutralize EDR systems, turning Microsoft’s own security feature against its intended purpose. This technique involves the deployment of malicious WDAC policies that create application control rules, which prevent EDR executables, drivers, and services from executing.
By manipulating the C:\Windows\System32\CodeIntegrity\SiPolicy.p7b file path, attackers can implement these policies before EDR agents have a chance to initialize during system boot.
Threat Actors Weaponize WDAC Policies
According to Beierle, the weaponization of WDAC began with the introduction of “Krueger,” a .NET-based proof-of-concept tool that illustrated how WDAC could effectively disable EDR systems. Since its release in December 2024, cybersecurity researchers have noted a marked increase in its adoption by threat actors, with numerous samples surfacing in malware repositories throughout 2025.
Analysis of these samples reveals a targeted approach aimed at major EDR vendors, including CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Symantec Endpoint Protection, and Tanium. The malicious WDAC policies incorporate specific file path rules, such as %OSDRIVE%\Program Files\CrowdStrike, and driver blocking rules targeting %SYSTEM32%\drivers\CrowdStrike.
A new malware family, dubbed “DreamDemon,” has emerged, representing an evolution of the original technique. Unlike its predecessor, Krueger, which was written in .NET, DreamDemon samples are compiled from C++ code and exhibit enhanced stealth capabilities. These samples embed WDAC policies as resources, deploy them using local SMB share references like \\localhost\C$, and employ file hiding and timestomping techniques to evade detection.
The attack workflow follows a consistent four-step process: loading the embedded policy from executable resources using Windows API functions FindResourceW, LoadResource, and LockResource; placing the policy in the critical CodeIntegrity directory; hiding and timestomping the policy file; and creating decoy log files to obscure activity.
DreamDemon samples showcase particular sophistication by executing gpupdate /force commands post-policy deployment, indicating integration with Group Policy Objects (GPOs) for persistent policy application. This technique leverages the Computer Configuration > Administrative Templates > System > Device Guard > Deploy Windows Defender Application Control setting to load policies from arbitrary locations.
The malicious policies utilize improved “blacklist” strategies based on Microsoft’s AllowAll.xml template, allowing normal system operations while selectively blocking security products. Advanced samples target Windows 11 and Server 2025 systems by employing multiple wildcard characters in file path rules, a capability not available in earlier Windows versions.
Detection mechanisms include monitoring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for ConfigCIPolicyFilePath and DeployConfigCIPolicy values, analyzing file signature mismatches where WDAC policies masquerade as other file types, and implementing YARA rules targeting embedded policy signatures and specific API call patterns.
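As an added example (not code from the article, its author, or any of the samples described), the following Python script applies the two observations above to a WDAC policy in XML form: an AllowAll.xml-style `Allow FileName="*"` rule combined with `Deny FilePath` rules that name security-product directories is the "blacklist" shape the article describes, and more than one wildcard per path points at the newer Windows targets. The sample policy and the vendor hint list are constructed for this example; it assumes the policy under review is already available as XML.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Vendors named in the article; this substring list is constructed and meant to be extended.
EDR_PATH_HINTS = ("crowdstrike", "sentinel", "windows defender", "symantec", "tanium")

# Constructed sample in the shape of an AllowAll.xml-derived "blacklist" policy.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules><Rule><Option>Enabled:UMCI</Option></Rule></Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL" FriendlyName="Allow user mode components" FileName="*" />
    <Deny ID="ID_DENY_1" FriendlyName="Block EDR" FilePath="%OSDRIVE%\\Program Files\\CrowdStrike\\*" />
    <Deny ID="ID_DENY_2" FriendlyName="Block EDR driver" FilePath="%SYSTEM32%\\drivers\\CrowdStrike\\*" />
    <Deny ID="ID_DENY_3" FriendlyName="Block EDR" FilePath="%OSDRIVE%\\Program Files\\SentinelOne\\*\\*.exe" />
    <Deny ID="ID_DENY_4" FriendlyName="Block legacy tool" FilePath="%OSDRIVE%\\Tools\\legacy.exe" />
  </FileRules>
</SiPolicy>"""


def allows_everything(root):
    """True when an Allow rule with FileName="*" is present (the AllowAll.xml pattern)."""
    return any(a.get("FileName") == "*" for a in root.findall("si:FileRules/si:Allow", NS))


def deny_path_rules(root):
    """(ID, FilePath) for every Deny rule keyed on a file path; hash/signer denies are skipped."""
    return [(d.get("ID"), d.get("FilePath"))
            for d in root.findall("si:FileRules/si:Deny", NS) if d.get("FilePath")]


def triage(xml_text):
    """Summarise the policy: does it allow everything, and which paths does it deny?"""
    root = ET.fromstring(xml_text)
    denies = deny_path_rules(root)
    edr_denies = [(i, p) for i, p in denies if any(h in p.lower() for h in EDR_PATH_HINTS)]
    return {
        "allow_all": allows_everything(root),
        "deny_path_rules": len(denies),
        "edr_denies": edr_denies,
        # More than one '*' per path only resolves on Windows 11 / Server 2025 (see text).
        "multi_wildcard": [p for _, p in denies if p.count("*") > 1],
        "verdict": "suspicious" if edr_denies and allows_everything(root) else "review",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

A "suspicious" verdict is a triage signal, not proof: a legitimate hardening policy can also deny paths, so compare the result with the policy the organisation actually deployed.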
The cybersecurity industry is grappling with a critical challenge, as this technique continues to prove effective nine months after its initial disclosure. Despite widespread awareness of this threat vector, limited preventative measures have been deployed by EDR vendors, leaving systems vulnerable to exploitation.