
Hackers Exploit Windows Defender Policies to Shut Down EDR Agents


Cybercriminals are now weaponizing Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents en masse.

What began as a proof-of-concept research release in December 2024 has quickly evolved into an active threat, with multiple malware families adopting WDAC policy abuse to evade detection and block security tools entirely.

The original proof-of-concept, dubbed “Krueger,” demonstrated how an attacker could embed a custom WDAC policy that selectively blocked executable files and drivers belonging to major EDR vendors—including CrowdStrike, SentinelOne, Symantec, Tanium, Microsoft Defender for Endpoint, and Velociraptor.

By dropping the policy into the CodeIntegrity folder and triggering a group policy update, Krueger effectively prevented EDR services and drivers from loading on the target system.
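Because the technique works by planting a policy file in the Code Integrity locations and letting the next policy refresh activate it, the defender's first question is whether the policies loaded on a host are the ones the organisation actually deployed. The following PowerShell audit is an added example, not code from the article or from the Krueger research: it inventories the policy files Windows loads from (`SiPolicy.p7b` for the single-policy format, `CiPolicies\Active\*.cip` for the multiple-policy format), hashes them against a locally maintained allowlist, and pulls recent Code Integrity events so that a policy activation (event 3099) followed by blocked loads (event 3077) stands out. The `$KnownGoodPolicyHashes` list is a constructed placeholder that you would fill from your own baseline; the script assumes an elevated session on Windows 10/11.

```powershell
# Added defensive audit example (not from the article). Assumes an administrator
# PowerShell session and a baseline of approved WDAC policy hashes maintained by you.
$KnownGoodPolicyHashes = @(
    'PLACEHOLDER-SHA256-OF-APPROVED-POLICY'   # constructed placeholder; replace with your baseline
)

# Locations Code Integrity loads policies from:
#  - single-policy format:   System32\CodeIntegrity\SiPolicy.p7b
#  - multiple-policy format: System32\CodeIntegrity\CiPolicies\Active\<GUID>.cip
$PolicyPaths = @(
    "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b",
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip"
)

function Get-WdacPolicyInventory {
    # Emit one object per policy file with its SHA-256 and whether it matches the baseline.
    foreach ($pattern in $PolicyPaths) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path          = $_.FullName
                SHA256        = $hash
                LastWriteTime = $_.LastWriteTime
                Known         = ($KnownGoodPolicyHashes -contains $hash)
            }
        }
    }
}

function Get-RecentCodeIntegrityEvents {
    param([int]$Hours = 24)
    # 3099: a Code Integrity policy was refreshed/activated.
    # 3077: a binary was blocked for violating the active policy.
    # A 3099 shortly followed by 3077s against security-agent binaries is the pattern to review.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077, 3099
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$inventory = Get-WdacPolicyInventory
$inventory | Format-Table -AutoSize

# Any policy file whose hash is not in the baseline deserves investigation before
# the host's security tooling is trusted to be running.
$unknown = $inventory | Where-Object { -not $_.Known }
if ($unknown) {
    Write-Warning "Unrecognised WDAC policy file(s) present on this host:"
    $unknown | Format-List Path, SHA256, LastWriteTime
}

Get-RecentCodeIntegrityEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; on a host with no WDAC policy deployed the inventory is empty, which is itself a useful signal when an EDR agent has stopped reporting. Centralising the 3099/3077 events in your SIEM gives the same check fleet-wide rather than per host.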

Shortly after the disclosure, threat actors began deploying Krueger in the wild. A YARA rule written by the original researcher identified several new Krueger samples between January and August 2025, including SHA-256 ...


Copyright of this story solely belongs to gbhackers. To see the full text click HERE