A sophisticated cyberattack technique has emerged that exploits Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows systems. WDAC, introduced with Windows 10 and Windows Server 2016, allows organizations to control executable code on their devices. However, attackers with administrative privileges can misuse this feature to deploy custom WDAC policies that block EDR sensors from loading during system boot, effectively neutralizing these security measures.
Attack Methodology:
Policy Deployment: Attackers create a custom WDAC policy that permits their malicious tools to execute while obstructing security solutions. This policy is placed in the C:\Windows\System32\CodeIntegrity\ directory on the target machine.
System Reboot: The attacker restarts the system to apply the new policy, as WDAC policies become active only after a reboot.
EDR Disabling: Upon reboot, the malicious policy takes effect, preventing the EDR sensor from starting and leaving the system vulnerable to further compromise.
This technique can be applied to individual machines or, in more severe cases, across entire domains if an attacker gains domain admin privileges. A proof-of-concept tool named "Krueger," developed by security researcher Logan Goins, has been identified as facilitating this attack vector.
Mitigation Strategies:
Enforce WDAC Policies via Group Policy: Deploy centralized WDAC policies that override local changes, ensuring malicious policies cannot take effect.
Apply Principle of Least Privilege: Restrict permissions to modify WDAC policies, access SMB shares, or write to sensitive folders.
Implement Secure Administrative Practices: Disable or secure local administrator accounts using tools like Microsoft's Local Administrator Password Solution (LAPS).
Organizations are advised to review their security postures, implement strong access controls, and regularly audit WDAC policies to defend against this emerging threat. Maintaining a multi-layered approach to cybersecurity and staying vigilant against evolving attack techniques are essential for effective protection.
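As an added example (not code from the article or from the Krueger tool), the following PowerShell audit checks a host for the conditions this technique relies on: policy files in the CodeIntegrity directory whose hashes are not on the defender's approved list, the current enforcement state reported by Win32_DeviceGuard, and recent Code Integrity events recording a policy activation (3099) or a blocked file (3077). The $ExpectedPolicyHashes table is an assumed placeholder that an operator fills with the SHA-256 of each approved policy.

```powershell
# Added audit script; the approved-hash table is an assumption to be filled by the operator.
$CodeIntegrityDir = 'C:\Windows\System32\CodeIntegrity'
$ExpectedPolicyHashes = @{
    'SiPolicy.p7b' = 'PLACEHOLDER_SHA256_OF_APPROVED_POLICY'   # placeholder, not a real hash
}

function Get-WdacPolicyInventory {
    # Enumerate single-policy (.p7b) and multiple-policy (.cip) files, hash them,
    # and flag anything whose hash does not match the approved list.
    Get-ChildItem -Path $CodeIntegrityDir -Recurse -Include *.p7b, *.cip -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = $hash
                LastWrite = $_.LastWriteTimeUtc
                Expected  = ($ExpectedPolicyHashes[$_.Name] -eq $hash)
            }
        }
}

function Get-WdacEnforcementStatus {
    # 0 = off, 1 = audit mode, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        KernelModeEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeEnforcement   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

function Get-RecentCodeIntegrityEvents {
    param([int]$Hours = 24)
    # 3099: a policy was loaded/activated (what happens at the reboot described above)
    # 3077: a file was blocked under an enforced policy (a blocked EDR binary would appear here)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = @(3099, 3077)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$unexpected = Get-WdacPolicyInventory | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning 'WDAC policy file(s) present that are not on the approved list:'
    $unexpected | Format-Table Path, Sha256, LastWrite -AutoSize
}
Get-WdacEnforcementStatus | Format-List
Get-RecentCodeIntegrityEvents | Format-Table -AutoSize
```

Run it elevated; reading the Code Integrity operational log and the DeviceGuard CIM class requires administrative rights.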