Cyber attackers are abusing Windows Defender Application Control (WDAC) policies to shut down Endpoint Detection and Response (EDR) agents, leaving organizations with serious visibility gaps in their defenses.
What started as a proof-of-concept has now evolved into a real-world threat adopted by advanced groups, including ransomware operators such as Black Basta.
Key Insights
- WDAC is being weaponized to block EDR from launching at system startup.
- The original proof-of-concept tool “Krueger” has inspired more advanced malware like “DreamDemon.”
- Nine months after disclosure, most defenses remain inadequate, exposing enterprises to major risks.
According to researcher Jonathan Beierle, multiple malware families are now using WDAC policies to block EDR processes, effectively turning Microsoft’s own protective mechanism into an attack vector.
How the Attack Works
The method relies on deploying malicious WDAC rules that prevent EDR executables, drivers, and services from loading. By manipulating the file path C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, attackers can apply these policies before EDR tools initialize during system boot.
From Proof-of-Concept to Weaponized Malware
The exploitation trend began with Krueger, a .NET tool that proved WDAC could disable EDR. Released in December 2024, it quickly gained traction among cybercriminals. By 2025, analysts were already finding multiple WDAC-based malware samples across underground repositories.
Captured samples show deliberate targeting of leading EDR solutions, including:
- CrowdStrike Falcon
- SentinelOne
- Microsoft Defender for Endpoint
- Symantec Endpoint Protection
- Tanium
Attackers embed WDAC policies with rules such as:
- %OSDRIVE%\Program Files\CrowdStrike\*
- %SYSTEM32%\drivers\CrowdStrike\*
Rise of DreamDemon Malware
A new family named DreamDemon takes the technique further. Unlike Krueger’s .NET build, DreamDemon is compiled in C++, offering more stealth.
Its tactics include:
- Embedding WDAC policies directly inside executables.
- Deploying them via SMB shares (for example, \\localhost\C$).
- Hiding files and altering timestamps.
- Creating fake log files to avoid suspicion.
[Image: WDAC Policies]
DreamDemon even issues gpupdate /force commands after policy drops, hinting at Group Policy Object (GPO) abuse for persistence. It leverages the Device Guard > Deploy WDAC setting to load policies from alternate paths.
Advanced variants build on Microsoft’s AllowAll.xml template, which allows most applications to run normally while quietly blocking security tools. Some samples specifically target Windows 11 and Server 2025, using wildcard rules unavailable in older versions.
Detection and Defense Gaps
Security teams can spot this activity by monitoring:
- Registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for suspicious values.
- WDAC policies disguised as other file types.
- API call patterns like FindResourceW, LoadResource, and LockResource.
- YARA rules against embedded WDAC signatures.
Despite awareness, the method remains highly effective, with many EDR vendors yet to roll out meaningful countermeasures. This makes WDAC weaponization a persistent and growing challenge for enterprise defenders.
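As an added example (not from the article or from the researcher's tooling), the PowerShell audit below checks the indicators listed above on a single host: the DeviceGuard registry values, the policy files at the SiPolicy.p7b and active-policy locations with their timestamps, string references to the EDR vendors the samples target, and recent Code Integrity events. It assumes that binary WDAC policies store file path rules as UTF-16LE strings and that the Code Integrity operational log records policy activation as event 3099 and enforced blocks as event 3077.

```powershell
# Added example, not from the article: audit a host for the WDAC-based EDR-blocking
# technique described above. Run in an elevated PowerShell session.
# Assumptions: binary WDAC policies store path rules as UTF-16LE strings, and the
# Code Integrity operational log uses 3099 (policy activated) and 3077 (enforced block).
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]
$edrNames = 'CrowdStrike', 'SentinelOne', 'Windows Defender', 'Symantec', 'Tanium'

# 1. DeviceGuard policy values the article lists as indicators.
$dgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$dg = Get-ItemProperty -Path $dgKey
foreach ($name in 'DeployConfigCIPolicy', 'ConfigCIPolicyFilePath') {
    if ($null -ne $dg.$name) { $findings.Add("Registry: $dgKey\$name = $($dg.$name)") }
}
# A policy sourced from a share (e.g. \\localhost\C$) instead of the CodeIntegrity folder is a red flag.
if ($dg.ConfigCIPolicyFilePath -and $dg.ConfigCIPolicyFilePath -like '\\*') {
    $findings.Add("Policy loaded from UNC path: $($dg.ConfigCIPolicyFilePath)")
}

# 2. Policy files on disk: record both timestamps (DreamDemon timestomps its drops) and
#    search each file for UTF-16LE EDR vendor names, which a legitimate policy rarely contains.
$policyFiles = @(Get-Item 'C:\Windows\System32\CodeIntegrity\SiPolicy.p7b',
                          'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\*.cip')
if ($dg.ConfigCIPolicyFilePath) { $policyFiles += Get-Item $dg.ConfigCIPolicyFilePath }
foreach ($f in $policyFiles) {
    $findings.Add("Policy file: $($f.FullName) size=$($f.Length) created=$($f.CreationTimeUtc) modified=$($f.LastWriteTimeUtc)")
    $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)   # UTF-16LE decode
    foreach ($vendor in $edrNames) {
        if ($text -match [regex]::Escape($vendor)) { $findings.Add("  rule references EDR vendor: $vendor") }
    }
}

# 3. Recent Code Integrity events: every policy activation, plus blocks that name an EDR vendor.
$filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077, 3099 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200
foreach ($e in $events) {
    $hit   = $edrNames | Where-Object { $e.Message -match [regex]::Escape($_) }
    $first = ("$($e.Message)" -split "`r?`n")[0]   # first line of the message, null-safe
    if ($e.Id -eq 3099 -or $hit) { $findings.Add("Event $($e.Id) at $($e.TimeCreated): $first") }
}

if ($findings.Count -eq 0) { 'No WDAC deployment or EDR-blocking indicators found.' } else { $findings }
```

On Windows 11 22H2 and later, CiTool.exe --list-policies reports the policies the kernel actually has active, which is a useful cross-check against the files found on disk.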
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| File Path | C:\Windows\System32\CodeIntegrity\SiPolicy.p7b | Malicious WDAC policy placement path |
| File Path | %OSDRIVE%\Program Files\CrowdStrike\* | Targeted EDR executables and directories |
| File Path | %SYSTEM32%\drivers\CrowdStrike\* | Targeted EDR driver files |
| File Path | %OSDRIVE%\Program Files\SentinelOne\* | SentinelOne executables blocked |
| File Path | %OSDRIVE%\Program Files\Windows Defender\* | Microsoft Defender for Endpoint targeted |
| File Path | %OSDRIVE%\Program Files\Symantec\* | Symantec Endpoint Protection executables targeted |
| File Path | %OSDRIVE%\Program Files\Tanium\* | Tanium executables targeted |
| Command | gpupdate /force | Used after WDAC policy deployment for persistence |
| Network | \\localhost\C$ | SMB local share used for deploying WDAC policies |
| Registry Key | HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ConfigCIPolicyFilePath | Path to deployed WDAC policy |
| Registry Key | HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\DeployConfigCIPolicy | WDAC deployment configuration |
| Malware Families | Krueger (PoC, .NET) | Initial proof-of-concept tool |
| Malware Families | DreamDemon (C++) | Advanced malware using WDAC for EDR bypass |
Tactics, Techniques, and Procedures (TTPs)
| Tactic | Technique | Details |
|---|---|---|
| Initial Access | Valid accounts / policy abuse | Attacker gains local or domain access to deploy WDAC policy |
| Execution | Application Control Abuse (T1546.015 – Event Triggered Execution: Component Object Model Hijacking-like abuse) | WDAC policies used to prevent security tools from executing |
| Defense Evasion | Modify Registry (T1112) | Setting ConfigCIPolicyFilePath and DeployConfigCIPolicy values |
| Defense Evasion | Masquerading (T1036) | WDAC policies disguised as legitimate files |
| Defense Evasion | File and Directory Permissions Modification (T1222) | WDAC rules block EDR directories and drivers |
| Defense Evasion | Rootkit/Bootkit Techniques | Policies applied before EDR startup during system boot |
| Defense Evasion | Timestamping (T1099) | Timestomping policy files to hide activity |
| Persistence | Group Policy Modification (T1484.001) | Leveraging GPO Deploy Windows Defender Application Control |
| Persistence | Registry Run Keys / Policy Settings | Deploying WDAC policies via registry |
| Command and Control | SMB Named Pipes / Shares (T1071.002 – Application Layer Protocol: SMB/Windows Admin Shares) | \\localhost\C$ used for policy delivery |
| Impact | Inhibit System Recovery / Security Software Disabling (T1562.001) | Blocking major EDR vendors’ executables, services, and drivers |