VTA-004502 – New Sophisticated Attack Weaponizes Windows Defender to Bypass EDR
A new attack abuses Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors, leaving the affected systems without endpoint monitoring. WDAC is a Windows feature that controls which executable code may run on a device; here it is turned against the defender: the attacker authors a custom policy that blocks the EDR sensor's binaries from loading at system startup. The malicious policy is dropped into the C:\Windows\System32\CodeIntegrity\ directory and takes effect at the next reboot, after which the EDR is no longer running and the attacker can operate undetected.
This attack can target a single machine or an entire network: with domain admin privileges, an attacker can distribute the malicious WDAC policy across an organization. A proof-of-concept tool called "Krueger", developed by security researcher Logan Goins, implements the attack; it runs in memory as a post-exploitation aid and manipulates WDAC policies without directly executing a malicious file on disk, which makes detection challenging.
To mitigate this threat, organizations should enforce WDAC policies through Group Policy Objects (GPOs) so that local policy files cannot be silently replaced, apply the principle of least privilege to restrict write access to critical directories, and secure administrative accounts using tools such as Microsoft's LAPS. Regular audits of WDAC policies and strong endpoint security are key to defending against this attack.
Severity: Medium
Attack Surface: Endpoint, Endpoint OS, Server OS
Tactics: Defense Evasion, Lateral Movement, Privilege Escalation
Techniques:
T1562: Application Control
T1114: Policy Manipulation
T1068: Privilege Escalation
References:
1. https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
SuperPRO’s Threat Countermeasures Procedures:
1. Use Group Policy Objects (GPOs) to deploy and enforce WDAC policies, preventing local overrides by malicious actors.
2. Restrict permissions to sensitive directories, including C:\Windows\System32\CodeIntegrity, and enforce the principle of least privilege for administrative accounts.
3. Use tools like Microsoft’s Local Administrator Password Solution (LAPS) to manage and secure local administrator accounts.
4. Regularly audit WDAC policies and access logs for unauthorized modifications or suspicious activities.
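The following script is an added example, not part of this advisory and not code from the Krueger project, that turns countermeasures 1, 2 and 4 into a per-host audit check: it inventories the policy files under C:\Windows\System32\CodeIntegrity, compares them with a baseline of known-good hashes, flags any ACL entry that lets a non-trusted principal write to the directory, checks whether the policy is being supplied by Group Policy rather than a local file, and lists recent policy activations from the Code Integrity event log. The CiPolicies\Active path, the DeviceGuard registry values and event ID 3099 are taken from general WDAC documentation and are assumptions here; the baseline hash table is a constructed placeholder to be filled from a known-good build.

```powershell
# Added audit example (not from the advisory or the Krueger project).
# Assumptions: multiple-policy files live under CiPolicies\Active, the GPO
# "Deploy Windows Defender Application Control" writes to the DeviceGuard key,
# and Code Integrity logs event 3099 when a policy is activated.
#Requires -RunAsAdministrator

$CiRoot = 'C:\Windows\System32\CodeIntegrity'
$PolicyPaths = @(
    (Join-Path $CiRoot 'SIPolicy.p7b'),            # legacy single-policy location
    (Join-Path $CiRoot 'CiPolicies\Active\*.cip')   # multiple-policy format (assumed path)
)

# Constructed baseline: replace the placeholder with SHA-256 hashes recorded
# from a known-good build of the same image.
$Baseline = @{
    'SIPolicy.p7b' = 'PLACEHOLDER-SHA256-FROM-KNOWN-GOOD-BUILD'
}

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Inventory policy files on disk and compare each against the baseline.
$PolicyFiles = Get-ChildItem -Path $PolicyPaths -File -ErrorAction SilentlyContinue
foreach ($f in $PolicyFiles) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    if (-not $Baseline.ContainsKey($f.Name)) {
        $Findings.Add("Unexpected policy file: $($f.FullName) (sha256 $hash, modified $($f.LastWriteTime))")
    } elseif ($Baseline[$f.Name] -ne $hash) {
        $Findings.Add("Policy hash drift: $($f.FullName) expected $($Baseline[$f.Name]) got $hash")
    }
}

# 2. Flag ACEs that grant write access to anyone other than SYSTEM,
#    TrustedInstaller or the local Administrators group (countermeasure 2).
$Trusted = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Administrators')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($ace in (Get-Acl -Path $CiRoot).Access) {
    $grantsWrite = ([int]($ace.FileSystemRights -band $WriteMask)) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
        $Trusted -notcontains $ace.IdentityReference.Value) {
        $Findings.Add("Write access to $CiRoot granted to $($ace.IdentityReference.Value): $($ace.FileSystemRights)")
    }
}

# 3. Check whether the active policy is pushed by Group Policy (countermeasure 1).
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$Gpo = Get-ItemProperty -Path $GpoKey -ErrorAction SilentlyContinue
if (-not $Gpo -or $Gpo.DeployConfigCIPolicy -ne 1 -or -not $Gpo.ConfigCIPolicyFilePath) {
    $Findings.Add('No GPO-managed WDAC policy configured; a local administrator can replace the policy file.')
} else {
    $Findings.Add("INFO: GPO-managed policy source is $($Gpo.ConfigCIPolicyFilePath)")
}

# 4. List policy activations from the last 7 days (countermeasure 4). A new
#    activation that does not match a planned change is worth investigating.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $Events) {
    $Findings.Add("Policy activation at $($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
}

# Emit one finding per line so the output can be collected by a SIEM or scheduled job.
$Findings | ForEach-Object { Write-Output $_ }
```

Run the script from an elevated PowerShell session on each endpoint (for example as a scheduled task whose output is forwarded to the SIEM). Any "Unexpected policy file" or "Policy hash drift" line on a host where no policy change was planned is the signal this advisory describes: a policy that appeared in the CodeIntegrity directory outside the GPO deployment path, and which will take effect at the next reboot.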
Contributed by: Anas