Windows Defender Exploited to Bypass Cybersecurity Measures
🕵️♂️ Researchers reveal how Windows Defender can be weaponized against cybersecurity defenses. Jonathan Beierle and Logan Goins have identified a method by which adversaries can exploit Microsoft's Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) systems, undermining traditional security measures. Their research outlines a three-phase approach in which attackers deploy malicious WDAC policies that block EDR software, effectively neutralizing security tools. They developed a tool called Krueger to facilitate this process, allowing attackers to remotely disable EDR across networks. The researchers emphasize that such attacks are difficult to detect and recommend that organizations enforce strict WDAC policies and regularly verify their configurations to mitigate the risk. They caution that while WDAC is a valuable defensive tool, it can also be misused offensively.
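The recommendation above to regularly verify WDAC configurations is easier to act on with a concrete check. The following PowerShell snippet is an added example written for this summary; it is not code from the researchers or from the Krueger tool. It reads the Device Guard WMI class to report code-integrity enforcement state, lists the policy files in the active multiple-policy directory, flags any policy GUID that is not in an approved baseline (the baseline GUID shown is a placeholder you must replace with your own), and pulls recent policy activation events (ID 3099) from the CodeIntegrity operational log so an unexpected policy deployment stands out.

```powershell
# Added example: audit the WDAC (code integrity) configuration of the local host.
# Assumes Windows 10/11 with the root\Microsoft\Windows\DeviceGuard WMI namespace;
# run from an elevated session so the event log and policy directory are readable.

# 1. Enforcement state. Values: 0 = off, 1 = audit mode, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    KernelModeCodeIntegrity = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModeCodeIntegrity   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. Policies currently staged in the active multiple-policy directory.
$activeDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'
$policies  = Get-ChildItem -Path $activeDir -Filter '*.cip' -ErrorAction SilentlyContinue

# Placeholder baseline: replace with the policy GUIDs your organization has approved.
$approvedPolicyIds = @('{00000000-0000-0000-0000-000000000000}')

foreach ($p in $policies) {
    $policyId = [System.IO.Path]::GetFileNameWithoutExtension($p.Name)
    $status   = if ($approvedPolicyIds -contains $policyId) { 'approved' } else { 'UNEXPECTED' }
    [pscustomobject]@{
        PolicyId      = $policyId
        LastWriteTime = $p.LastWriteTime
        Status        = $status
    }
}

# 3. Recent policy activation/refresh events from the CodeIntegrity operational log.
#    An activation you did not schedule is the signal to investigate.
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run the snippet on a schedule (or fold it into existing configuration-management checks) and alert on two conditions: an enforcement state that differs from the expected value, and any policy file marked UNEXPECTED or any 3099 event outside a known change window. Hosts that still use the legacy single-policy layout store the policy as `SIPolicy.p7b` under `System32\CodeIntegrity`, so extend the file check accordingly if that applies to your fleet.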
