Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents

Recent analyses have revealed that threat actors are exploiting Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, opening significant gaps in corporate security frameworks.
Technical Overview
Malware groups, including ransomware entities such as Black Basta, have adopted an advanced attack strategy that originated as a proof-of-concept method. The technique uses malicious WDAC policies to obstruct EDR functionality by blocking the EDR's executables, drivers, and services at startup. This is primarily achieved by placing a malicious policy at the C:\Windows\System32\CodeIntegrity\SiPolicy.p7b file path, so that the policy is enforced during system boot before the EDR agents are initialized.
Key Developments
- Threat actors utilize WDAC policies to block EDR capabilities during system startup.
- Malware such as “DreamDemon” represents an evolution of the initial proof-of-concept, now utilizing C++ for enhanced stealth.
- Security defenses continue to be inadequate, leaving EDR systems vulnerable.
Malware Analysis
Researcher Jonathan Beierle has identified multiple malware families that exploit WDAC policies to neutralize EDR systems. The technique involves embedding WDAC policies within malware resources, which are then deployed with local SMB share references. The process includes file hiding and timestomping to evade detection. Furthermore, DreamDemon samples utilize Windows API functions to load policies into the critical CodeIntegrity directory.
Security Implications
Captured malware samples indicate targeted attacks on major EDR vendors such as CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Symantec Endpoint Protection, and Tanium. Malicious policies often include specific file path rules and driver blocking rules. The more advanced samples even target Windows 11 and Server 2025 systems using multiple wildcard characters in file path rules, a feature that earlier Windows versions do not support.
Detection and Mitigation
Detection strategies involve monitoring registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for ConfigCIPolicyFilePath and DeployConfigCIPolicy values. Additionally, analyzing file signature mismatches and implementing YARA rules targeting embedded policy signatures and specific API call patterns are suggested.
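As an added illustration of the detection points above (example code written for this article, not from the report or the researcher), the following PowerShell triage script queries the DeviceGuard policy values named here and inspects the on-disk policy files for the file-hiding and timestomping traits the report describes. It assumes administrative rights on the host; the CiPolicies\Active directory and the creation-time heuristic are assumptions not stated in the article.

```powershell
# Added example: collect WDAC-abuse indicators described in the report.
# Assumes it runs elevated on a Windows host; findings are returned, not acted on.
$DeviceGuardKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$PolicyPaths = @(
    "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b",
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"   # assumption: multi-policy location
)

function Get-WdacPolicyIndicators {
    $findings = @()

    # 1. Registry values used to push a policy (named in the report).
    $props = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue
    if ($props) {
        if ($props.DeployConfigCIPolicy -eq 1) {
            $findings += [pscustomobject]@{ Indicator = 'DeployConfigCIPolicy'; Detail = 'policy deployment enabled' }
        }
        $src = $props.ConfigCIPolicyFilePath
        if ($src) {
            # A UNC source (\\server\share\...) matches the "local SMB share reference" pattern.
            $kind = if ($src.StartsWith('\\')) { 'UNC policy source' } else { 'policy source path' }
            $findings += [pscustomobject]@{ Indicator = $kind; Detail = $src }
        }
    }

    # 2. Policy files on disk; -Force also lists hidden/system files (file hiding).
    foreach ($p in $PolicyPaths) {
        Get-ChildItem -Path $p -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hidden = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
                      $_.Attributes.HasFlag([IO.FileAttributes]::System)
            # Heuristic (assumption): creation time later than last-write time is a common
            # artefact of copied or timestomped files; corroborate with the $MFT before acting.
            $timeAnomaly = $_.CreationTimeUtc -gt $_.LastWriteTimeUtc
            $findings += [pscustomobject]@{
                Indicator = 'policy file'
                Detail    = "$($_.FullName) hidden=$hidden timeAnomaly=$timeAnomaly " +
                            "lastWrite=$($_.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }
    return $findings
}

Get-WdacPolicyIndicators | Format-Table -AutoSize
```

Any hidden policy file, UNC-sourced policy, or unexpected policy on a host that is not managed with WDAC is worth escalating; the script only reports and does not remove anything.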
Despite awareness of this threat vector, the cybersecurity industry faces significant challenges in deploying effective preventative measures, as this technique remains effective months after its initial disclosure.