A dangerous new technique is gaining traction in the wild: attackers are abusing Windows Defender Application Control (WDAC) policies, a legitimate application allow-listing feature, to block Endpoint Detection and Response (EDR) agents before they even load.
What began as a proof-of-concept tool in late 2024, codenamed Krueger, has evolved into active malware campaigns that weaponize Windows' own security features to create persistent, stealthy, and policy-enforced blind spots within enterprise environments.
The emergence of DreamDemon, a C++-based malware family capable of deploying forged WDAC policies, confirms this trend is no longer theoretical.
Key Takeaways for CISOs
- EDR Agents Blocked at Boot: WDAC policies are being used to prevent EDR services, drivers, and processes from initializing.
- Nine Months of Exposure: Despite public disclosure, most EDR vendors still lack effective mitigation.
- Targeted Products: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Tanium, and Symantec are all in scope.
Technical Overview: How the Attack Works
Threat actors deploy malicious WDAC policies that carry deny rules for EDR binaries keyed on file path, file name, or driver location. The policy file is dropped while the system is running, and the Code Integrity subsystem reads and enforces it at the next boot, so the EDR's drivers and services are refused before the agent has any chance to observe the tampering; the operating system itself does the blocking.
Attack Chain:
- Embed a pre-built WDAC policy in the malware binary as a resource.
- Extract it at runtime with the Windows resource APIs FindResourceW, LoadResource, and LockResource.
- Write the policy to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, the single-policy-format location that Code Integrity loads at boot.
- Timestomp and hide the file to evade detection.
- Trigger policy application via gpupdate /force and leverage GPO for persistence; a policy placed in the CodeIntegrity folder is in any case enforced at the next reboot.
- Deploy decoy logs to avoid analyst suspicion.
The Krueger tool laid the groundwork; DreamDemon weaponizes it with C++ binaries, SMB-based deployment through the administrative share (\\localhost\C$), and GPO-aware behavior.
Advanced TTPs in the Wild
- Policy Persistence via GPO: the policy is delivered through the legitimate deployment framework, the Device Guard administrative template under Computer Configuration > Administrative Templates > System > Device Guard, which writes the policy path and deployment flag into the DeviceGuard policy key in the registry.
- Wildcard Abuse: Multiple wildcards in file paths (e.g., %ProgramFiles%\*\EDRVendor\*) enable broad suppression of security agents.
- Masquerading & Signature Mismatch: WDAC policies embedded in binaries disguised as benign file types.
- Decoy Tactics: DreamDemon creates believable log trails to distract forensic tools.
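The "review WDAC policy deployment paths" task that these TTPs call for is mostly a question of reading deny rules. The following PowerShell is an added example, not code from the article or from the Krueger/DreamDemon tooling: it scans a WDAC policy in its XML form (the human-readable source that ConvertFrom-CIPolicy compiles into the SiPolicy.p7b binary) for Deny rules that name a security agent or use more than one wildcard. The policy embedded in the script is constructed for the example; its rule IDs, friendly names, paths and the indicator list are placeholders, not values from any real sample.

```powershell
# Added example (not from the article): flag Deny rules in a WDAC policy XML that would
# suppress security agents. The sample policy and the indicator list are constructed
# placeholders; replace the indicators with your own vendors' product and driver names.

$SamplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL"      FriendlyName="Allow everything else" FileName="*" />
    <Deny  ID="ID_DENY_AGENT_DIR" FriendlyName="Agent directory"  FilePath="%OSDRIVE%\Program Files\*\ExampleEDR\*" />
    <Deny  ID="ID_DENY_AGENT_DRV" FriendlyName="Agent driver"     FileName="ExampleEdrDrv.sys" />
    <Deny  ID="ID_DENY_OLD_TOOL"  FriendlyName="Legacy admin tool" FileName="oldtool.exe" />
  </FileRules>
</SiPolicy>
'@

# Substrings that identify security agents in paths, file names or friendly names (placeholders).
$SecurityAgentIndicators = @('ExampleEDR', 'ExampleEdrDrv', 'Sense', 'Falcon', 'Sentinel')

function Find-SuspiciousDenyRule {
    param([xml]$Policy, [string[]]$Indicators)
    # PowerShell's adapted XML property access ignores the sipolicy namespace,
    # so the rules can be walked without an XmlNamespaceManager.
    foreach ($deny in @($Policy.SiPolicy.FileRules.Deny)) {
        if ($null -eq $deny) { continue }
        $target    = if ($deny.FilePath) { $deny.FilePath } else { $deny.FileName }
        $hits      = @($Indicators | Where-Object { $target -like "*$_*" -or $deny.FriendlyName -like "*$_*" })
        $wildcards = ([regex]::Matches([string]$target, '\*')).Count
        # Report a rule if it names an agent, or if it is the broad multi-wildcard
        # pattern the article describes (one wildcard is normal in a path rule).
        if ($hits.Count -gt 0 -or $wildcards -gt 1) {
            [pscustomobject]@{
                RuleId            = $deny.ID
                Target            = $target
                MatchedIndicators = ($hits -join ',')
                Wildcards         = $wildcards
            }
        }
    }
}

Find-SuspiciousDenyRule -Policy ([xml]$SamplePolicyXml) -Indicators $SecurityAgentIndicators |
    Format-Table -AutoSize
```

On the sample above the two agent rules are reported and the legitimate "oldtool.exe" deny is left alone. This works on the XML held in your policy source or GPO share; the compiled .p7b on an endpoint cannot be read back with built-in cmdlets, so for a suspect binary policy compare its policy ID against the ones you authored (CiTool --list-policies on Windows 11 22H2 and later) rather than trying to decode it in place.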
Detection & Response Guidance
Despite the sophistication of these attacks, defenders have options—if they act decisively.
Detection Recommendations
- Monitor the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for changes to the values ConfigCIPolicyFilePath and DeployConfigCIPolicy.
- Audit file writes to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b and, on builds using the multiple-policy format, to CodeIntegrity\CiPolicies\Active\*.cip.
- Use YARA rules to detect embedded policy structures or the FindResourceW, LoadResource, LockResource extraction pattern in suspicious binaries.
- Alert on gpupdate /force executed by non-admin users or spawned by unsigned binaries.
- Watch the Microsoft-Windows-CodeIntegrity/Operational log: event 3099 records a policy being activated or its options changing, and event 3077 records an enforced block; a 3077 that names an EDR binary is the direct symptom of this attack.
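The artefacts in the attack chain above and the detection recommendations just listed can all be checked on a single host with the following PowerShell. It is an added example, not code from the article or from the Krueger/DreamDemon tooling, and it only reads state: the paths, registry values, event ID 3099, the Win32_DeviceGuard CIM class and CiTool are documented Windows locations, while the output format is this script's own. Run it from an elevated session.

```powershell
# Added example (not from the article): read-only host audit for WDAC policy artefacts.
# Nothing here modifies the host; run from an elevated PowerShell session.

$findings = [System.Collections.Generic.List[string]]::new()
$ciDir    = Join-Path $env:SystemRoot 'System32\CodeIntegrity'

# 1. Policy files: the single-policy location the attack chain writes to, plus the
#    multiple-policy-format location (CiPolicies\Active\<GUID>.cip) on newer builds.
$policyFiles  = @(Join-Path $ciDir 'SiPolicy.p7b')
$policyFiles += @(Get-ChildItem (Join-Path $ciDir 'CiPolicies\Active') -Filter '*.cip' -Force -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.FullName })
foreach ($path in $policyFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $f     = Get-Item -LiteralPath $path -Force
    $notes = @()
    # Timestomping leaves inconsistent timestamps: a file whose last-write time is older
    # than its creation time was written and then had its times rewound.
    if ($f.LastWriteTime -lt $f.CreationTime) { $notes += 'LastWriteTime precedes CreationTime (possible timestomp)' }
    if (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $notes += 'Hidden attribute set' }
    $suffix = if ($notes.Count -gt 0) { ' [' + ($notes -join '; ') + ']' } else { '' }
    $findings.Add(('Policy file {0} created {1:u} modified {2:u}{3}' -f $path, $f.CreationTime, $f.LastWriteTime, $suffix))
}

# 2. GPO-driven deployment: these two values are what the Device Guard template writes.
$dgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
if (Test-Path $dgKey) {
    $dg = Get-ItemProperty -Path $dgKey
    foreach ($name in 'DeployConfigCIPolicy', 'ConfigCIPolicyFilePath') {
        if ($null -ne $dg.$name) { $findings.Add("Registry $dgKey\$name = $($dg.$name)") }
    }
}

# 3. Policy activation: Code Integrity logs event 3099 whenever a policy is loaded or its
#    options change, so a 3099 with no matching change record is the "who put this here" signal.
$activations = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099 } `
                            -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $activations) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings.Add(('Event 3099 at {0:u}: {1}' -f $e.TimeCreated, $firstLine))
}

# 4. What the OS says is in force (0 = off, 1 = audit, 2 = enforced). An enforced state on a
#    host that is not supposed to carry any WDAC policy is itself a finding.
$dgState = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dgState) {
    $findings.Add("Win32_DeviceGuard: kernel CI enforcement=$($dgState.CodeIntegrityPolicyEnforcementStatus) user-mode CI enforcement=$($dgState.UsermodeCodeIntegrityPolicyEnforcementStatus)")
}

# 5. Windows 11 22H2 and later ship CiTool, which lists the active policies with their IDs and
#    names; a policy ID your organisation never authored stands out immediately.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    $findings.Add('citool --list-policies:')
    foreach ($line in (& citool.exe --list-policies 2>&1)) { $findings.Add([string]$line) }
}

if ($findings.Count -eq 0) { 'No WDAC policy artefacts found on this host.' } else { $findings }
```

The script is deliberately independent of any EDR: it relies only on the file system, the registry, the Code Integrity event log and CIM, so it still produces results on a host whose agent has been blocked. Wire its output into a channel the agent does not own (a SIEM collector, a configuration-management run, a scheduled task that ships to a file share), otherwise the blind spot the attack creates also swallows the check.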
Strategic Implications for CISOs
1. Zero Trust Must Include Policy Layers
Traditional EDR and XDR focus on runtime visibility—but policy-level abuse sits below that radar.
Action: Include WDAC policy monitoring in your endpoint telemetry stack.
2. Assume Host Tampering Is Viable
If your security architecture assumes that agents are present and running, that trust model is now broken.
Action: Validate agent startup success independently and build redundancy.
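One concrete form of "validate agent startup independently" is a check that runs outside the agent and fails loudly when the agent's service or driver is missing or has been refused by Code Integrity. The PowerShell below is an added example, not code from the article or from any EDR vendor; the service, driver and file names in the agent definition are placeholders to be replaced with the vendor's documented names, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the article): verify EDR presence from outside the agent, so that a
# policy-enforced block surfaces as a failed check in a channel the EDR itself does not own
# (scheduled task, configuration-management run, or a second telemetry pipeline).

# Placeholder agent definition; substitute your vendor's documented service, driver and file names.
$ExpectedAgents = @(
    @{ Name = 'ExampleEDR'; Service = 'ExampleEdrSvc'; Driver = 'ExampleEdrDrv'; Files = @('ExampleEdr.exe', 'ExampleEdrDrv.sys') }
)

function Test-EdrAgent {
    param([hashtable]$Agent)

    $svc = Get-Service -Name $Agent.Service -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$($Agent.Driver)'" -ErrorAction SilentlyContinue

    # Event 3077 is an enforced Code Integrity block. One that names the agent's own files is the
    # distinguishing mark of a policy-based kill rather than a crash or a plain misconfiguration.
    $since  = (Get-Date).AddHours(-24)   # assumed look-back window
    $blocks = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = $since } `
                             -ErrorAction SilentlyContinue |
                Where-Object { $m = $_.Message; $Agent.Files | Where-Object { $m -match [regex]::Escape($_) } })

    $serviceState = if ($svc) { [string]$svc.Status }    else { 'Missing' }
    $serviceStart = if ($svc) { [string]$svc.StartType } else { 'n/a' }
    $driverState  = if ($drv) { $drv.State }             else { 'Missing' }
    $healthy      = [bool]($svc -and $svc.Status -eq 'Running' -and $drv -and $drv.State -eq 'Running' -and $blocks.Count -eq 0)

    [pscustomobject]@{
        Agent         = $Agent.Name
        ServiceState  = $serviceState
        ServiceStart  = $serviceStart
        DriverState   = $driverState
        WdacBlocks24h = $blocks.Count
        Healthy       = $healthy
    }
}

$results = foreach ($a in $ExpectedAgents) { Test-EdrAgent -Agent $a }
$results | Format-Table -AutoSize

# A non-zero exit code lets the scheduler or monitoring wrapper alarm on the result without
# depending on the EDR's own telemetry, which is exactly what a WDAC block has silenced.
if ($results | Where-Object { -not $_.Healthy }) { exit 1 }
```

Run it from something the attacker must separately defeat (a scheduled task under a different account, or your configuration-management agent) and alert on the exit code rather than on the EDR's own heartbeat; a service that is "Missing" or "Stopped" together with a non-zero WdacBlocks24h count is the signature of the attack the article describes.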
3. Push Vendors for Mitigation
The industry has had nine months. If your EDR vendor has not issued a position on WDAC abuse mitigation—escalate.
Action: Demand roadmap updates and protections against policy-layer attacks.
CISO Recommendations
| Priority | Recommendation | Description |
|---|---|---|
| 🔴 High | Review WDAC policy deployment paths | Ensure GPO configurations don't allow external policies |
| 🟠 Medium | Harden Code Integrity folders | Monitor and restrict writes to the CodeIntegrity\ path |
| 🟢 Low | Conduct red team simulation | Test your EDR resilience against boot-time policy injection |
KQL query to surface policy changes (Microsoft Defender XDR advanced hunting)
// Surface Code Integrity WDAC policy load/update signals if available.
// ActionType names depend on the schema version; confirm them against your tenant's DeviceEvents before relying on this.
DeviceEvents
| where ActionType in~ ("AppControlCodeIntegrityPolicyLoaded", "AppControlCodeIntegrityPolicyAudited", "AppControlPolicyApplied")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc
Conclusion
The weaponization of WDAC is a significant turning point: it signals that attackers are no longer just evading defenses—they’re reprogramming them.
The misuse of legitimate security features like WDAC is part of a broader trend in adversary innovation. CISOs must adapt threat models, detection pipelines, and vendor expectations to meet this challenge.
As always, assume breach—but now, verify policy.