Hackers Use Defender To Disable Security Software
- Nik Lipor
- Sep 2
- 2 min read

We’ve observed an unsettling shift in the threat landscape: attackers are now weaponizing Windows Defender Application Control (WDAC) policies to suppress Endpoint Detection and Response (EDR) agents. By strategically deploying malicious policies, they’re able to block critical EDR components—ranging from services to executables—at system startup. These policies are placed within the system’s CodeIntegrity directory, effectively neutralizing security defenses even before they can engage.
This alarming tactic originated as a proof-of-concept tool dubbed “Krueger,” which demonstrated how WDAC mechanisms could be subverted. Since its release in December 2024, this concept has rapidly evolved into tangible, more advanced malware. Notably, a new strain called “DreamDemon,” written in C++ and embedding WDAC policy payloads, has surfaced. Unlike Krueger, DreamDemon incorporates stealthier capabilities such as file hiding, timestamp manipulation, deployment via SMB, and decoy log creation.
DreamDemon’s attack flow exemplifies technical sophistication: it loads embedded WDAC policy resources, drops them into the protected CodeIntegrity path, obscures them to evade detection, and even leverages Group Policy updates to enforce persistence. The policies follow a “blacklist”-style model that permits most system activity while specifically excluding EDR operations. Moreover, the technique supports wildcard file path targeting—particularly on recent operating systems like Windows 11 and Server 2025—making the threat both versatile and resilient.
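Because the technique relies on policy files that WDAC loads from a fixed location, the defender's first check is simply to look there and at the Code Integrity event log. The following PowerShell audit is an added example, not code from the original post or from any tool it describes. It lists the policy files in the two locations WDAC reads at boot (the single-policy file SiPolicy.p7b and the multiple-policy folder CiPolicies\Active), flags hidden ones, records their hashes so they can be baselined (timestamps alone are not trustworthy since the post notes they can be altered), and then pulls recent Code Integrity events to see whether anything under EDR-looking paths was blocked. The EDR path patterns and the 72-hour lookback are assumptions to adjust for your environment; run it in an elevated session.

```powershell
# Added example: audit WDAC policy files and Code Integrity events for an
# unexpected policy that blocks security software. Run elevated.

$lookbackHours   = 72                                   # assumption: adjust as needed
# Assumption: directories where your EDR/AV agent is installed
$edrPathPatterns = @('*\CrowdStrike\*', '*\SentinelOne\*', '*\Windows Defender\*')

$ciRoot          = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$policyLocations = @(
    (Join-Path $ciRoot 'SiPolicy.p7b'),          # single-policy format
    (Join-Path $ciRoot 'CiPolicies\Active')      # multiple-policy format (*.cip)
)

Write-Host "== WDAC policy files under $ciRoot =="
$policyFiles = foreach ($loc in $policyLocations) {
    if (-not (Test-Path -LiteralPath $loc)) { continue }
    # -Force is required so that hidden policy files are not silently skipped
    Get-ChildItem -LiteralPath $loc -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTimeUtc     # can be falsified; do not rely on it alone
            LastWrite = $_.LastWriteTimeUtc
            Hidden    = $hidden                # a hidden WDAC policy file is not normal
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
}
$policyFiles | Format-Table -AutoSize

# Code Integrity operational log:
#   3099 = a policy was loaded/activated, 3077 = image blocked (enforced), 3076 = would be blocked (audit mode)
$meaning = @{ 3099 = 'policy activated'; 3077 = 'blocked (enforced)'; 3076 = 'would block (audit)' }
$since   = (Get-Date).AddHours(-$lookbackHours)
$events  = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099, 3077, 3076
    StartTime = $since
} -ErrorAction SilentlyContinue

Write-Host "== Code Integrity events since $since =="
$report = foreach ($e in $events) {
    $edrRelated = $false
    foreach ($p in $edrPathPatterns) {
        if ($e.Message -like $p) { $edrRelated = $true; break }
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Meaning    = $meaning[[int]$e.Id]
        EdrRelated = $edrRelated
        Summary    = ($e.Message -split "`n")[0]
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# Anything below is worth an incident ticket: a policy activation followed by
# enforced blocks of files under the EDR directories is exactly the pattern the post describes.
$blockedEdr = @($report | Where-Object { $_.Id -eq 3077 -and $_.EdrRelated })
if ($policyFiles | Where-Object Hidden) { Write-Warning "Hidden WDAC policy file(s) present under $ciRoot" }
if ($blockedEdr.Count -gt 0)          { Write-Warning "$($blockedEdr.Count) enforced WDAC block(s) hit EDR paths in the last $lookbackHours h" }
```

The hashes are the value to baseline across a fleet: a policy you never deployed, or a known policy whose hash changed, is the signal, regardless of what the file's timestamps claim. Where a block is found, compare the policy against what your Group Policy or MDM actually pushed, since the post notes the technique can use a Group Policy refresh to keep the rogue policy in force.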
From our strategic vantage point, the persistence of this technique—now nine months post-disclosure—highlights a critical gap in current defense architectures. Little progress has been made among vendors to deploy robust countermeasures. At TrustPoint, we believe this situation underscores the urgent need for proactive safeguards: vigilant WDAC policy governance, enhanced detection mechanisms, and strict administrative control. Only by anticipating and neutralizing such insider-leveraged attacks can organizations truly safeguard their endpoints.
To stay ahead of hackers, businesses need to have a security team looking for behaviors that may indicate an attack is taking place. At TrustPoint IT Solutions, we focus on Cyber Security and protecting your business.
For more information about this threat, read about it at Cyber Security News.



