WDAC

A new attack technique exploits Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows systems. Attackers with administrative privileges can create and deploy custom WDAC policies that prevent EDR sensors from loading during system boot, leaving networks vulnerable. The attack involves three phases: crafting a malicious WDAC policy, rebooting the machine to enforce the policy, and disabling the EDR upon reboot. A proof-of-concept tool called "Krueger" has been developed for this purpose. Mitigation strategies include enforcing WDAC policies via Group Policy Objects (GPOs), applying the principle of least privilege, and implementing secure administrative practices.