Using WDAC to Disable EDR - Krueger
A short demonstration of Krueger tool that leverages WDAC to disable EDR agents.
What happens when those who are supposed to protect cause harm?
In their post, the authors Jonathan Beierle and Logan Goins describe a technique by which Windows Defender Application Control (WDAC) can be leveraged to disable Endpoint Detection and Response (EDR) agents on a Windows machine. WDAC helps prevent unauthorized applications and code from being executed on a machine via Software Restriction Policies.
This technique works by crafting and deploying a special WDAC policy. The policy must meet the following requirements:
- It should be in enforce mode.
- It should allow a generic path so that an executable (i.e. a post-exploitation capability) can be staged for execution.
- It should be in single policy format for maximum compatibility.
Such a policy can be crafted using the App Control Policy Wizard. The generated policy can then be deployed on the target machine via SMB or a C2 agent. The policy needs to be stored in C:\Windows\System32\CodeIntegrity\.
Therefore, write permission to this location is necessary for this technique to work. By default, the administrator account holds this permission. During my testing, a local account with administrator privileges did not work (as can be seen in the video below). However, that may require an additional step of disabling or bypassing User Account Control (UAC).
Once the policy has been uploaded, the target machine must be rebooted for the policy to take effect. When the machine reboots, the policy is applied before any EDR agents or drivers can load. Since the policy is set to enforce mode, it does not allow any EDR agents and drivers to load, which helps red team operators evade detection by EDR agents. In their post, the authors have demonstrated the use of this technique on a local machine, a remote machine and an entire domain via Group Policy Objects (GPO).
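For the defender's side of the same mechanism, here is an added PowerShell audit (not from the original post or the Krueger project) that checks a host for the conditions the technique relies on: the current WDAC enforcement status, policy binaries staged in the CodeIntegrity directory, who can write there, and recent policy-activation events. It assumes it runs elevated on the host being checked; the Win32_DeviceGuard class and Code Integrity event ID 3099 are standard Windows items, not values taken from the post.

```powershell
# Added defender-side audit for the WDAC-based EDR blocking technique described above.
# Assumptions: run as administrator; Win32_DeviceGuard and event ID 3099 (Code Integrity
# policy refreshed/activated) are standard Windows items, not values from the post.

$ciDir        = 'C:\Windows\System32\CodeIntegrity'   # directory the technique writes to
$lookbackDays = 7

# 1. Enforcement status. 0 = off, 1 = audit, 2 = enforced. An unexpected "2" on a host
#    that never had WDAC rolled out is the first thing to question.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
[PSCustomObject]@{
    KernelModePolicyStatus = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModePolicyStatus   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. Policy binaries present where the technique stages them. Single-policy-format
#    files sit directly in the directory; multiple-policy-format files go under
#    CiPolicies\Active. Sort by write time so a freshly dropped policy surfaces first.
Get-ChildItem -Path $ciDir -Recurse -Include '*.p7b', '*.cip' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 3. Write access to the directory is the precondition for the technique. Anything
#    beyond TrustedInstaller, SYSTEM and Administrators with write rights is worth a look.
(Get-Acl -Path $ciDir).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 4. Policy activations in the lookback window (logged at boot when a policy loads).
#    A 3099 with an unfamiliar policy name, followed by EDR services that never
#    start reporting again, is the pattern to alert on.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Forwarding the 3099 events to a SIEM and correlating them with EDR agent heartbeat loss gives the same signal fleet-wide without relying on the agent that the policy just blocked.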
The authors have also released a tool, Krueger, that automates this technique.
I wanted to test it, so I spun up a small lab and set up the required infrastructure. Below is the list of infrastructure that I used in my lab:
- Windows 10 VM (target machine)
- Kali 2024.3 VM (attacker machine)
- Windows 11 VM (developer machine to compile and modify the tool)
- VMware Workstation
- Elastic Defend Agent (enrolled to Elastic Security in an Elastic Cloud trial instance)
Note: I used Elastic Defend Agent for the demonstration because it’s free and a cloud-based trial is also available. This technique does not leverage any vulnerability in Elastic products or any other EDR products.
The following video demonstrates Krueger in my lab.
Red Team Notes
- Krueger is a defence evasion tool that uses WDAC to stop EDR agents from loading during boot time.
- It requires administrator privileges to work correctly. So, the red team operator should already have obtained administrator access to the target machine.
- It requires the machine to be rebooted for the WDAC policy to be applied. This may limit its use case.
- It does not work on EDR agents that use Windows Hardware Quality Labs (WHQL) drivers. WDAC policies allow WHQL-signed drivers by default, so WHQL-signed EDR drivers still load even though their service binaries are blocked.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
During my testing, I noticed the following:
- Krueger worked only with the local Administrator account. It did not work with a local account with administrator privileges.
- It got detected as a Trojan by Windows Defender on the target machine. This is most likely a false positive because:
  - I went through the code and did not find any trojan-like functionality.
  - It did not get detected on other Windows machines with Windows Defender enabled.
- When run locally, it copied the policy but did not reboot the machine. I got an access denied error, most likely due to a missing SeShutdownPrivilege in the token. I tried to enable this privilege but it did not work for me. However, the same tool ran perfectly fine when executed remotely.
- While I was able to upload files via smbmap, it did not work for executing commands. Therefore, I used crackmapexec for command execution via SMB.