Threat Insight
New WDAC Exploit Technique: Leveraging Policies to Disable EDRs and Evade Detection
Truesec has received information from internal threat intelligence sources about a new technique in which threat actors use Windows Defender Application Control (WDAC) to push out their own malicious policies.
WDAC policies are enforced by the Code Integrity component of the Windows kernel, not by the antivirus engine. The policy file "SiPolicy.p7b" (or a .cip file in the multiple-policy folder) is read early in boot, before user-mode services such as EDR agents start. An attacker who already holds administrative rights on a host can therefore drop a pre-built policy that denies the EDR's executables and drivers; after the next reboot the EDR never launches, and the host stops reporting. The same technique scales to many hosts: the WDAC Group Policy setting points clients at a policy file path, so an attacker who can create or modify a GPO (for example by writing a policy file to a domain-controller-replicated share and pointing the GPO at it) can distribute the malicious policy across the domain.
Exploitation
A proof-of-concept (POC) has been released on GitHub[1]. According to Truesec's internal intelligence, this technique has not yet been observed in the wild. However, because it is effective and easy to use, Truesec expects it to be adopted by threat actors.
Recommended Actions
1. Use administrative tiering in Active Directory.
2. Limit the ability to create and modify GPOs.
3. Use LAPS on all systems.
4. Prohibit regular users from being local administrators.
5. Deploy a blank WDAC policy in audit mode, so that a known, centrally managed policy is already in place and would-be blocks are logged instead of enforced.
Detection
The proof-of-concept has been tested by Truesec, confirming that this is a viable method to disable EDRs and avoid detection. Truesec has created custom detection rules, which are currently being analyzed and tested. An update to this notice will be sent as soon as the custom detection rules are distributed to all customers.
Files and locations that could be leveraged for this technique:
- Filename: SiPolicy.p7b
  Path: \Windows\System32\CodeIntegrity\ (administrator credentials are necessary to write to this path)
- Files with the .cip extension
  Path: \Windows\System32\CodeIntegrity\CiPolicies\Active\
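The following PowerShell script is an added example, not code from Truesec or from the proof-of-concept, that turns the file locations listed above and the GPO distribution path described earlier into a quick host triage. It inventories the policy files in both WDAC locations with hashes and timestamps, reads the registry values that the "Deploy Windows Defender Application Control" GPO setting writes (value names DeployConfigCIPolicy and ConfigCIPolicyFilePath, taken from the DeviceGuard ADMX), reports the current enforcement state from the Win32_DeviceGuard CIM class, and pulls recent Code Integrity policy-load (3099) and enforce-mode block (3077) events. The first-byte check that separates a DER-wrapped (signed) policy from a raw unsigned policy binary is a heuristic assumed here, and the baseline hash table is a constructed placeholder you would replace with your own.

```powershell
# Added example (not Truesec's code). Run elevated on the host being triaged.
#Requires -RunAsAdministrator

$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'

# Constructed placeholder: SHA-256 of the policy files you deployed yourself.
# Any file in the WDAC folders whose hash is not in this table is unexpected.
$KnownGoodPolicyHashes = @{
    # 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855' = 'Audit baseline'
}

function Get-WdacPolicyFiles {
    # Both policy formats: single-policy SiPolicy.p7b and multiple-policy *.cip files.
    $candidates = @(
        (Join-Path $ciRoot 'SiPolicy.p7b'),
        (Join-Path $ciRoot 'CiPolicies\Active\*.cip')
    )
    foreach ($pattern in $candidates) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Heuristic (assumption): a signed policy is a PKCS#7 DER blob and starts with
            # 0x30 (ASN.1 SEQUENCE); an unsigned policy starts with its format-version DWORD.
            $firstByte = (Get-Content -Path $_.FullName -Encoding Byte -TotalCount 1)
            [pscustomobject]@{
                Path        = $_.FullName
                SizeBytes   = $_.Length
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                Sha256      = $hash
                Wrapper     = if ($firstByte -eq 0x30) { 'DER (likely signed)' } else { 'raw (unsigned)' }
                KnownGood   = $KnownGoodPolicyHashes.ContainsKey($hash)
            }
        }
    }
}

function Get-WdacGpoPointer {
    # Values written by the "Deploy Windows Defender Application Control" GPO setting.
    # A ConfigCIPolicyFilePath you did not configure is the GPO-distribution case.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key |
        Select-Object DeployConfigCIPolicy, ConfigCIPolicyFilePath
}

function Get-WdacEnforcementStatus {
    # 0 = off, 1 = audit, 2 = enforced, for kernel-mode and user-mode code integrity.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $labels = @('Off', 'Audit', 'Enforced')
    [pscustomobject]@{
        KernelModeCI = $labels[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI   = $labels[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-WdacCiEvents([int]$Days = 7) {
    # 3099: a Code Integrity policy was loaded/refreshed (unscheduled loads are the lead).
    # 3077: a file was blocked in enforce mode; an EDR binary showing up here after a
    #       reboot is the symptom of the technique described in this notice.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'== Policy files in CodeIntegrity folders =='
Get-WdacPolicyFiles | Format-List
'== GPO pointer (HKLM\SOFTWARE\Policies\...\DeviceGuard) =='
Get-WdacGpoPointer | Format-List
'== Current enforcement state =='
Get-WdacEnforcementStatus | Format-List
'== Code Integrity events, last 7 days =='
Get-WdacCiEvents | Format-Table -AutoSize -Wrap
```

Run it on a suspect host and on a known-clean reference host and diff the output: a policy file with an unknown hash, a raw (unsigned) wrapper on an estate that only deploys signed policies, a ConfigCIPolicyFilePath you never set, or a 3099 load outside a change window are each worth escalating. The same queries can be lifted into a scheduled collection or an EDR-side custom query once Truesec's detection rules are available.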