WDAC to kill EDRs
Description
The WDAC (Windows Defender Application Control) technique to kill EDR (Endpoint Detection and Response) involves abusing Microsoft's application control policies to bypass or disable security software. Attackers can exploit misconfigurations or weaknesses in WDAC policies to run unsigned or malicious code that disables or interferes with EDR processes.
How it works
- On your computer, download the App Control Policy Wizard application from Microsoft: https://webapp-wdac-wizard.azurewebsites.net/
- Open the tool and follow the steps below: Policy Creator > Single Policy Format > Default Windows Mode > Enable Disable Runtime Filepath Rules > Disable Audit Mode
- Now go to Add Custom and create a custom policy. You will see several options, such as creating an exclusion or blocking a file by hash, depending on your needs
- When you are done, save the policy, download the SiPolicy.p7b file to the target PC and place it in C:\Windows\System32\CodeIntegrity (admin privileges needed). Reboot and the policy will be applied
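Added example, not part of the original page: a defender-side check for this pattern that combines a hash comparison of the on-disk SiPolicy.p7b against an approved baseline with a scan of Code Integrity "blocked" events (ID 3077, enforced mode) whose target lives under an EDR install directory. The baseline hash, EDR directories and event records are constructed placeholders.

```python
"""Detect an unexpected WDAC policy that blocks EDR binaries (constructed sample data)."""
import hashlib
from dataclasses import dataclass

# Placeholder baseline: hash of the organisation's approved SiPolicy.p7b (constructed, not real).
APPROVED_POLICY_SHA256 = hashlib.sha256(b"constructed approved SiPolicy.p7b").hexdigest()

# Directories where the EDR agent is installed (constructed examples, lower-case for matching).
EDR_DIRS = ("c:\\program files\\exampleedr\\", "c:\\program files\\windows defender\\")

CI_BLOCK_EVENT = 3077  # Microsoft-Windows-CodeIntegrity/Operational: file blocked in enforced mode


@dataclass
class CiEvent:
    event_id: int
    file_path: str


def policy_tampered(policy_bytes: bytes) -> bool:
    """True when the policy found in C:\\Windows\\System32\\CodeIntegrity differs from the baseline."""
    return hashlib.sha256(policy_bytes).hexdigest() != APPROVED_POLICY_SHA256


def edr_blocked(events):
    """Return the paths of EDR binaries that Code Integrity refused to load."""
    hits = []
    for ev in events:
        if ev.event_id != CI_BLOCK_EVENT:
            continue
        path = ev.file_path.lower()
        if any(path.startswith(d) for d in EDR_DIRS):
            hits.append(ev.file_path)
    return hits


def assess(policy_bytes: bytes, events) -> dict:
    """Raise an alert when a non-baseline policy coincides with blocked EDR components."""
    blocked = edr_blocked(events)
    tampered = policy_tampered(policy_bytes)
    return {"policy_tampered": tampered, "edr_blocked": blocked, "alert": tampered and bool(blocked)}


# Constructed sample: a replaced policy file plus three log events (3099 = policy activated).
SAMPLE_POLICY = b"constructed attacker-supplied SiPolicy.p7b"
SAMPLE_EVENTS = [
    CiEvent(3099, "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"),
    CiEvent(3077, "C:\\Program Files\\ExampleEDR\\sensor.exe"),
    CiEvent(3077, "C:\\Users\\alice\\Downloads\\tool.exe"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_POLICY, SAMPLE_EVENTS))
```

In production the policy bytes come from the CodeIntegrity directory and the events from the Code Integrity operational log; a standalone alert on `policy_tampered` is also worth raising since a policy change should normally come through managed deployment.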