A sophisticated attack technique has emerged that leverages Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows machines. WDAC, a feature introduced with Windows 10 and Windows Server 2016, was intended to provide organizations with precise control over executable code on their devices. However, security experts have identified a troubling trend where malicious actors exploit this capability, potentially exposing entire networks to significant vulnerabilities.
This technique aligns with the MITRE ATT&CK framework’s “Impair Defenses” category (T1562), enabling attackers with administrative privileges to design and deploy tailored WDAC policies. These policies can effectively prevent EDR sensors from loading during system boot, rendering them non-operational and allowing adversaries to operate without the constraints imposed by these essential security measures.
The attack can manifest in various forms, ranging from targeting individual machines to compromising entire domains. In the most critical scenarios, an attacker with domain admin privileges could disseminate malicious WDAC policies across an organization, systematically disabling EDR sensors on all endpoints.
How the Attack Works
The attack unfolds in three primary phases:
- Policy Placement: The attacker crafts a custom WDAC policy that allows their tools to execute while blocking security solutions. This policy is then placed in the C:\Windows\System32\CodeIntegrity directory on the target machine.
- Reboot Requirement: As WDAC policies take effect only after a reboot, the attacker restarts the endpoint to enforce the newly established policy.
- Disabling EDR: Upon reboot, the malicious policy activates, preventing the EDR sensor from initializing, thus leaving the system vulnerable to further exploitation.
A proof-of-concept tool named “Krueger” has surfaced, specifically designed for this attack vector. Developed by security researcher Logan Goins, Krueger can be executed in memory as part of post-exploitation activities, making it a formidable asset in an attacker’s toolkit.
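As an added illustration of the three phases above (example code written for this article, not code from the article or from the Krueger tool), the following detection logic flags a policy file written into a WDAC policy directory by a process other than the expected deployment agent, and raises the severity when a reboot follows within a short window. The event records, the trusted-writer path and the field names are constructed, simplified stand-ins for Sysmon file-create and system shutdown telemetry, not a real log schema.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories the boot-time Code Integrity loader reads policies from.
CI_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\CodeIntegrity"),
    PureWindowsPath(r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active"),
)
POLICY_EXTS = {".p7b", ".cip"}
# Constructed placeholder: replace with your own policy-deployment tooling.
TRUSTED_WRITERS = {r"C:\Program Files\ExampleMgmt\PolicyAgent.exe"}


def is_policy_write(ev):
    """True when a file-create event lands a policy file in a WDAC policy dir."""
    if ev["event"] != "FileCreate":
        return False
    path = PureWindowsPath(ev["target"])  # compares case-insensitively
    return path.parent in CI_DIRS and path.suffix.lower() in POLICY_EXTS


def find_policy_drops(events, window=timedelta(minutes=30)):
    """Alert on policy writes by untrusted images; 'high' if a reboot follows."""
    events = sorted(events, key=lambda e: e["ts"])
    reboots = [e["ts"] for e in events if e["event"] == "Shutdown"]
    alerts = []
    for ev in events:
        if not is_policy_write(ev) or ev["image"] in TRUSTED_WRITERS:
            continue
        rebooted = any(ev["ts"] <= t <= ev["ts"] + window for t in reboots)
        alerts.append({"target": ev["target"], "image": ev["image"],
                       "severity": "high" if rebooted else "medium"})
    return alerts


# Constructed sample telemetry: a legitimate deployment, then an unexpected
# policy drop by a process in Temp followed by a reboot three minutes later.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 8, 9, 0), "event": "FileCreate",
     "image": r"C:\Program Files\ExampleMgmt\PolicyAgent.exe",
     "target": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\policy.cip"},
    {"ts": datetime(2024, 1, 8, 14, 2), "event": "FileCreate",
     "image": r"C:\Windows\Temp\update.exe",
     "target": r"C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"},
    {"ts": datetime(2024, 1, 8, 14, 5), "event": "Shutdown",
     "image": r"C:\Windows\System32\shutdown.exe", "target": ""},
]

if __name__ == "__main__":
    for alert in find_policy_drops(SAMPLE_EVENTS):
        print(alert)
```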
Mitigation Strategies
Organizations can mitigate their exposure to this threat through several strategies:
- Enforcing WDAC Policies via GPOs: Implement central WDAC policies that override local modifications, ensuring that malicious policies cannot take hold.
- Applying Principle of Least Privilege: Limit permissions to modify WDAC policies, access SMB shares, or write to sensitive directories.
- Implementing Secure Administrative Practices: Disable or secure local administrator accounts using tools such as Microsoft’s Local Administrator Password Solution (LAPS).
“Organizations need to be aware of this threat and take proactive measures,” cautioned Mark Johnson, CISO of a Fortune 500 company. “Implementing strong access controls and regularly auditing WDAC policies are now more crucial than ever.”
As security tools evolve, so do the methods to undermine them, highlighting the necessity for a multi-layered approach to cybersecurity and ongoing vigilance against emerging attack techniques. The cybersecurity community is encouraged to reassess its security posture and ensure robust safeguards are in place.