Husain Parvez
Published on: September 11, 2025
Attackers are abusing Windows Defender Application Control (WDAC) policies to shut down Endpoint Detection and Response (EDR) agents, leaving systems exposed to malware and ransomware.
The technique first appeared as a proof-of-concept tool called Krueger in December 2024. Researcher Jonathan Beierle explained that “when a policy is applied at boot the EDR sensor is no longer allowed to run and thus will not load.” Soon after its release, multiple malware families adopted the method, using WDAC rules to block security tools such as CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Symantec.
By placing a crafted policy file in C:\Windows\System32\CodeIntegrity\SiPolicy.p7b and triggering a group policy update, attackers can prevent EDR drivers and services from initializing during system startup. Beierle noted that “shortly after releasing the original research I set up a YARA rule that actively hunted for new Krueger samples,” which revealed consistent targeting of EDR file paths and drivers.
A newer strain dubbed DreamDemon represents the second wave of WDAC exploitation. Unlike Krueger’s .NET code, DreamDemon is written in C++ and embeds a WDAC policy directly within its resources. On execution, it writes the policy to the CodeIntegrity folder, hides the file, and can trigger gpupdate commands. Logs are dropped to app.log or C:\Windows\Temp\app_log.log, adding further stealth.
Industry detection has improved, with Elastic and CrowdStrike releasing new rules, while Microsoft Defender for Endpoint has introduced preventative controls. However, researchers warn that comprehensive defenses remain limited nine months after the initial disclosure.
Security teams are advised to monitor Windows DeviceGuard registry keys, including ConfigCIPolicyFilePath and DeployConfigCIPolicy, and to watch for unexpected files in the CodeIntegrity directory.
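As an added example for the monitoring advice above (this script is not from the article, from Beierle's research, or from any vendor named in the piece), the following PowerShell function audits a single host for the indicators the article names: the DeviceGuard group-policy values, policy files in the CodeIntegrity tree (including hidden ones, since DreamDemon is reported to hide the file it drops), the DreamDemon log path, and recent Code Integrity enforcement events. Assumptions: the registry key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard` and the `Microsoft-Windows-CodeIntegrity/Operational` log with event ID 3077 (enforced block) are the standard Windows locations for these items; the `$KnownGoodHashes` list is a placeholder you fill in with the SHA-256 of policies your organisation actually deploys.

```powershell
# Added example, not the article's own code. Audits one host for the WDAC
# deployment indicators the article recommends watching. Run elevated.
function Get-WdacPolicyIndicators {
    param(
        # Placeholder: SHA-256 hashes of WDAC policy files you legitimately deploy.
        [string[]]$KnownGoodHashes = @('<SHA256-OF-YOUR-DEPLOYED-POLICY>'),
        [int]$LookbackDays = 7
    )

    $findings    = New-Object System.Collections.Generic.List[string]
    $devGuardKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $ciDir       = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $dropLog     = Join-Path $env:SystemRoot 'Temp\app_log.log'   # path named in the article

    # 1. Group Policy-driven WDAC deployment values named in the article.
    #    On a host that is not supposed to receive a GPO-deployed policy,
    #    either value being present is worth a look.
    if (Test-Path $devGuardKey) {
        $props = Get-ItemProperty -Path $devGuardKey -ErrorAction SilentlyContinue
        foreach ($name in 'DeployConfigCIPolicy', 'ConfigCIPolicyFilePath') {
            $value = $props.$name
            if ($null -ne $value) {
                $findings.Add("Registry: $devGuardKey\$name = $value")
            }
        }
    }

    # 2. Policy files under CodeIntegrity. -Force includes hidden files.
    #    SiPolicy.p7b is the legacy single-policy location; CiPolicies\Active
    #    holds multiple-policy-format (.cip) files.
    $policyFiles = Get-ChildItem -Path $ciDir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.p7b', '.cip' }

    foreach ($f in $policyFiles) {
        $hidden = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $hash   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $line   = "Policy file: $($f.FullName) sha256=$hash written=$($f.LastWriteTimeUtc.ToString('u'))"
        if ($hidden)                          { $line += ' [HIDDEN]' }
        if ($KnownGoodHashes -notcontains $hash) { $line += ' [NOT IN KNOWN-GOOD LIST]' }
        $findings.Add($line)
    }

    # 3. Log file the article associates with DreamDemon.
    if (Test-Path $dropLog) {
        $findings.Add("Suspicious log present: $dropLog")
    }

    # 4. Enforced Code Integrity blocks. An EDR driver or service binary
    #    appearing here is the symptom the article describes (sensor not
    #    permitted to load at boot).
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $first = ($e.Message -split "`r?`n")[0]
        $findings.Add("CI block event $($e.Id) at $($e.TimeCreated.ToString('u')): $first")
    }

    return $findings
}

# Usage: print findings; a clean host with no deployed WDAC policy prints nothing.
Get-WdacPolicyIndicators | ForEach-Object { Write-Output $_ }
```

The script only reads state and reports; it does not remove or alter policies, because a policy file may be a legitimate deployment and should be reconciled against change records before anything is deleted. For fleet-wide use, the same checks map directly onto the registry, file and event-log telemetry your EDR or SIEM already collects, so the value here is mainly as a quick triage step on a host where a sensor has unexpectedly stopped reporting.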