Listen to this Post
Windows Defender Application Control (WDAC) is a powerful security feature that allows organizations to control which applications and code can run on their systems. When weaponized, WDAC can bypass or neutralize Endpoint Detection and Response (EDR) solutions, making it a critical tool for both red teams and attackers.
Read the full article here: Weaponizing WDAC: Killing the Dreams of EDR
You Should Know:
1. Understanding WDAC Policies
WDAC uses XML-based policies to define application whitelisting rules. To view current policies, use:
Get-CimInstance -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndPolicy_BaselineInfo
2. Creating a Custom WDAC Policy
Generate a base policy for auditing:
New-CIPolicy -FilePath "C:\Policy.xml" -Level FilePublisher -Fallback Hash -ScanPath "C:\Windows"
3. Enforcing WDAC in Audit Mode
Deploy a policy in audit mode first to avoid system disruptions:
ConvertFrom-CIPolicy -XmlFilePath "C:\Policy.xml" -BinaryFilePath "C:\Policy.bin"
Then deploy:
ciTool --update-policy "C:\Policy.bin"
4. Bypassing EDR with WDAC
Attackers can craft policies to exclude malicious processes from EDR scrutiny. Example:
<FileRules> <Allow ID="ID_ALLOW_MALICIOUS" FriendlyName="EvilApp.exe" FileName="EvilApp.exe" /> </FileRules>
5. Disabling WDAC for Post-Exploitation
If WDAC is blocking your tools, disable it temporarily (requires admin):
bcdedit /set {current} testsigning on
6. Linux Equivalent: AppArmor/SELinux Bypass
For Linux-based EDR evasion, consider manipulating AppArmor profiles:
sudo aa-disable /etc/apparmor.d/bin.ping
7. Verifying WDAC Enforcement
Check applied policies via:
Get-SystemDriver | Where-Object { $_.IsWDACEnforced -eq $true }
What Undercode Say:
WDAC is a double-edged sword—while it strengthens security, attackers can repurpose it to bypass EDR. Defenders must monitor policy changes, enforce code integrity logging (Microsoft-Windows-CodeIntegrity/Operational), and pair WDAC with behavioral analytics.
Red teams should experiment with custom policies in lab environments, while blue teams must audit WDAC configurations regularly. Combining WDAC with AMSI and constrained language mode can further harden endpoints.
Expected Output:
A system where WDAC policies are weaponized to either fortify defenses or dismantle EDR visibility, depending on who controls the rules.
Related Commands & Tools:
- Windows:
List all WDAC policies Get-CIPolicy -FilePath "C:\CurrentPolicies.xml"
- Linux (AppArmor):
List active profiles sudo aa-status
- EDR Evasion (Cross-Platform):
Check for hooked syscalls (Linux) stap -e 'probe kernel.function("sys_") { log($$parms) }'
Expected Output:
A hardened or compromised endpoint where WDAC dictates execution flow, rendering EDR ineffective if misconfigured.
Further Reading:
References:
Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



