
Weaponizing WDAC: How Attackers Are Blinding EDR Systems

Executive Overview

A new endpoint security bypass technique is being actively exploited: attackers are weaponizing Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents at boot.

What began as the Krueger proof-of-concept (PoC) in December 2024 has evolved into the DreamDemon malware family, which attackers now use to deploy malicious WDAC policies that prevent EDR agents from loading, blinding defenders while the attacker retains persistence and full administrative control.

The most affected products include CrowdStrike Falcon, SentinelOne, and Symantec SEP, with Microsoft Defender for Endpoint partially resistant but not immune.

WDAC Technical Background

WDAC is a kernel-level enforcement mechanism used by Windows to validate code integrity policies. Its primary policy file, SiPolicy.p7b, and additional .cip policy files define what binaries, drivers, and scripts are allowed to execute.

  • WDAC is designed to enforce a “deny by default” model, allowing only signed or explicitly permitted software to run.

  • Attackers abuse this trust model by deploying malicious policies that block EDR driver and service initialization, leaving security tools disabled at boot.

Attack Methodology

  1. Malicious Policy Creation: Threat actors edit Microsoft policy templates such as AllowAll.xml, inserting <Deny> rules that explicitly block EDR service executables and driver paths.

  2. Policy Compilation: The modified XML is compiled into a .p7b or .cip binary format using PowerShell’s ConvertFrom-CIPolicy command.

  3. Deployment: Attackers copy the malicious policy into C:\Windows\System32\CodeIntegrity\, where WDAC loads it during system startup.

  4. Boot-Level Execution: On reboot, the WDAC engine enforces the new policy, blocking EDR agents before they initialize.

  5. Lateral Movement: In enterprise attacks, this method is distributed using Group Policy Objects (GPOs), ensuring widespread policy enforcement across multiple hosts.

  6. Persistence: Advanced strains like DreamDemon use timestomping, encrypted telemetry logs, and policy embedding for stealthy persistence.

Malware Evolution

  • Krueger PoC: A simple .NET-based post-exploitation tool requiring admin rights. Demonstrated feasibility but lacked stealth.

  • DreamDemon APT Variant: A highly weaponized C++ malware. It embeds policies directly, encrypts logs in C:\Windows\Temp\app_log.log, and features advanced persistence tactics. DreamDemon has been observed in underground markets and APT toolkits.

EDR Vendor Impact

  • CrowdStrike Falcon, SentinelOne, Symantec SEP: Easily bypassed through WDAC policy tampering.

  • Microsoft Defender for Endpoint: Partial resistance but can still be disabled at the service level.

  • WHQL-Signed Drivers: Remain challenging for attackers to block, though adversaries now target file attributes.

  • Microsoft Blocklist Sync Bug: Attackers have abused a driver blocklist sync issue to exploit EDR initialization weaknesses.

Indicators of Compromise

Suspicious Files:

  • Malicious .p7b or .cip files in C:\Windows\System32\CodeIntegrity\.

  • Logs such as app_log.log containing encrypted telemetry data.

Event Logs:

  • Event IDs 3076 and 3033 indicating WDAC policy changes or hash mismatches.

Registry Keys:

  • Modifications to HKLM\SYSTEM\CurrentControlSet\Control\CI\PolicyFiles.
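The indicators above can be swept on a single host with PowerShell. The script below is an added example, not from the original article or from any vendor: it assumes the operator supplies the SHA-256 hashes of the organisation's own deployed policy files (the placeholder value is not a real hash), uses the registry path exactly as the IoC list gives it, and queries the Microsoft-Windows-CodeIntegrity/Operational log for the two event IDs named.

```powershell
# Added example, not part of the original article. Point-in-time sweep of a
# single host for the WDAC tampering indicators listed above.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$CiFolder      = 'C:\Windows\System32\CodeIntegrity'
$CiRegistryKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\PolicyFiles'  # path as given in the IoC list
$SuspectLog    = 'C:\Windows\Temp\app_log.log'

# Assumption: the operator fills this with the SHA-256 of every policy file the
# organisation deploys (SiPolicy.p7b and any .cip files). Placeholder, not a real hash.
$KnownGoodPolicyHashes = @(
    'PLACEHOLDER_SHA256_OF_BASELINE_SIPOLICY_P7B'
)

function Invoke-WdacIocSweep {
    $findings = [System.Collections.Generic.List[object]]::new()

    function Add-Finding {
        param([string]$Category, [string]$Detail)
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Every compiled policy under the CodeIntegrity tree whose hash is not in
    #    the known-good set: either an unexpected file or a tampered baseline.
    Get-ChildItem -Path $CiFolder -Recurse -File -Include '*.p7b', '*.cip' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($KnownGoodPolicyHashes -notcontains $hash) {
                Add-Finding 'UnknownPolicyFile' ("{0} SHA256={1} LastWriteUtc={2:u}" -f $_.FullName, $hash, $_.LastWriteTimeUtc)
            }
        }

    # 2. Encrypted telemetry log associated with DreamDemon.
    if (Test-Path -Path $SuspectLog) {
        $log = Get-Item -Path $SuspectLog
        Add-Finding 'SuspectLogFile' ("{0} Size={1} LastWriteUtc={2:u}" -f $log.FullName, $log.Length, $log.LastWriteTimeUtc)
    }

    # 3. Code Integrity events 3076 / 3033 from the last 24 hours. Get-WinEvent
    #    reports "no events found" as an error, which is not a finding, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3033
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $firstLine = ($_.Message -split "`r?`n")[0]
        Add-Finding "CodeIntegrityEvent$($_.Id)" ("{0:u} {1}" -f $_.TimeCreated, $firstLine)
    }

    # 4. Values under the registry key named in the IoC list, for comparison
    #    against a known-good export of the same key.
    if (Test-Path -Path $CiRegistryKey) {
        $key = Get-Item -Path $CiRegistryKey
        foreach ($name in $key.GetValueNames()) {
            Add-Finding 'CIRegistryValue' ("{0}\{1} = {2}" -f $CiRegistryKey, $name, ($key.GetValue($name) -join ','))
        }
    }

    return $findings
}

$report = Invoke-WdacIocSweep
if ($report.Count -eq 0) {
    Write-Host 'No WDAC tampering indicators found on this host.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Comparing hashes against an allowlist rather than flagging every file that is not SiPolicy.p7b keeps legitimate Microsoft-supplied policies in the same folder from showing up as findings; the allowlist is what the operator has to maintain as the enterprise baseline changes.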

Defensive Strategies

To mitigate WDAC-based EDR evasion, implement a layered defense strategy:

  • Centralize WDAC Management: Deploy an enterprise-wide baseline policy via GPO and lock it in audit mode to block unauthorized changes.

  • Limit Administrative Access: Enforce least privilege across systems and secure local admin accounts with Microsoft LAPS.

  • Monitor CodeIntegrity Folder: Use PowerShell or endpoint monitoring to detect unexpected file changes in C:\Windows\System32\CodeIntegrity\.

  • Enable HVCI: Use Hypervisor-Protected Code Integrity for an additional enforcement layer.

  • Multi-EDR Strategy: Deploy multiple security vendors to reduce single points of failure.

  • Out-of-Band Telemetry: Integrate IDS/IPS solutions to detect suspicious activity even when endpoints are blinded.

  • Vendor Engagement: Subscribe to SpecterOps and Beazley Labs threat feeds for up-to-date IOCs and detection rules.

  • Behavioral Analytics: Deploy UEBA tools to detect anomalies in admin activity and policy enforcement patterns.
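Two of the controls above, the HVCI check and the CodeIntegrity folder watch, fit in one PowerShell script. The following is an added example, not from the original article or from any vendor tool: it reads enforcement state from the Win32_DeviceGuard CIM class, which Windows exposes under root\Microsoft\Windows\DeviceGuard, and registers a FileSystemWatcher on the folder. The alert sink (Write-Warning) is a placeholder for a SIEM or EDR forwarder.

```powershell
# Added example, not part of the original article. Reports the HVCI / WDAC
# enforcement state of the local host, then watches the CodeIntegrity folder
# for policy file changes. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$CiFolder = 'C:\Windows\System32\CodeIntegrity'

function Get-CodeIntegrityPosture {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active;
    # the two *EnforcementStatus properties are 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $status = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        HvciRunning          = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelModeWdacStatus = $status[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeWdacStatus   = $status[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Start-CodeIntegrityWatch {
    param([string]$Path = $CiFolder)
    $watcher = [System.IO.FileSystemWatcher]::new($Path)
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

    # Placeholder alert sink: replace Write-Warning with a forwarder to your SIEM.
    $onChange = {
        $e = $Event.SourceEventArgs
        # Only the compiled policy formats WDAC loads are of interest here.
        if ($e.Name -match '\.(p7b|cip)$') {
            $owner = 'n/a'
            try { $owner = (Get-Acl -Path $e.FullPath -ErrorAction Stop).Owner } catch { }
            Write-Warning ("[{0:u}] CodeIntegrity {1}: {2} (owner: {3})" -f (Get-Date), $e.ChangeType, $e.FullPath, $owner)
        }
    }
    foreach ($name in 'Created', 'Changed', 'Renamed', 'Deleted') {
        Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "CIWatch-$name" -Action $onChange | Out-Null
    }
    $watcher.EnableRaisingEvents = $true
    return $watcher
}

$posture = Get-CodeIntegrityPosture
$posture | Format-List
if (-not $posture.HvciRunning) {
    Write-Warning 'HVCI is not running; kernel code integrity is not hypervisor-backed on this host.'
}
if ($posture.KernelModeWdacStatus -ne 'Enforced') {
    Write-Warning "Kernel-mode WDAC policy status is '$($posture.KernelModeWdacStatus)', not Enforced."
}

$watcher = Start-CodeIntegrityWatch
Write-Host "Watching $CiFolder for policy file changes. Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 5 }   # keep the session alive so the event actions can run
} finally {
    Unregister-Event -SourceIdentifier 'CIWatch-*'
    $watcher.Dispose()
}
```

A watcher running inside the endpoint is itself something a malicious policy can block at the next boot, which is why the article's out-of-band telemetry bullet matters: forward these warnings off-host as they occur rather than relying on a local log.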

Strategic Impact

WDAC abuse demonstrates that attackers are shifting their focus to policy-based trust anchors instead of just exploiting vulnerabilities. By manipulating the enforcement mechanism itself, they undermine Zero Trust strategies, evade detection, and gain full visibility control over endpoints. Expect this method to evolve into AI-generated policies and supply chain policy attacks in the near future.
