incident
Attackers Use Malicious WDAC Policies to Disable EDR AgentsWDAC Bypass
Cybercriminals are deploying malicious Windows Defender Application Control (WDAC) policies to block EDR executables, drivers, and services, effectively disabling endpoint detection. The technique, previously a proof-of-concept called Krueger, is now used in active malware like DreamDemon, targeting EDR products including CrowdStrike and Microsoft Defender for Endpoint. This bypass undermines the detect-and-respond model by blinding sensors before they initialize.