Windows Defender Turned Weapon: What NZ Businesses Need to Know About WDAC Exploits

When your own security software becomes the attacker's toolkit, you know the threat landscape has shifted. That's exactly what's happening with a new class of exploits targeting Windows Defender Application Control (WDAC) — as reported by Dark Reading.

For New Zealand businesses that rely on Microsoft's built-in security stack (and most SMEs do), understanding this threat isn't optional. Let's break down what's happening, why it matters, and what you can do about it.

What Is WDAC and Why Are Attackers Abusing It?

Windows Defender Application Control is a Microsoft feature designed to lock down which applications can run on a device. Administrators create policies that explicitly allow or block specific executables, helping prevent unauthorised software — including malware — from executing.

The problem? Security researchers have demonstrated that these same policies can be flipped against defenders. By crafting or deploying malicious WDAC policies, attackers can:

  • Block endpoint detection and response (EDR) agents from running
  • Disable antivirus products silently
  • Prevent security updates from executing
  • Create blind spots that persist across reboots

In essence, attackers are using a legitimate Microsoft security feature to systematically dismantle your other security tools — all while appearing to the operating system as authorised administrative activity.

The "Krueger" Tool

One proof-of-concept tool highlighted in the research, nicknamed Krueger, deploys a malicious WDAC policy during the boot process. Once applied, it prevents EDR solutions like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint from loading at all.

The attack typically requires administrative privileges, which is why initial access remains the battleground — and why email security sits at the heart of this story.

Why This Matters for New Zealand Businesses

Kiwi SMEs are an increasingly attractive target. The NCSC's latest reports show phishing and business email compromise (BEC) remain the top initial access vectors for attacks on New Zealand organisations. Once an attacker gets a foothold — usually via a malicious email — techniques like WDAC abuse let them escalate, persist, and hide.

Consider a typical attack chain targeting an Auckland accounting firm:

  1. A staff member receives a spoofed email pretending to be from IRD or a known client.
  2. They click a link and enter credentials on a fake Microsoft 365 login page.
  3. The attacker uses those credentials to push malware via a legitimate-looking internal email.
  4. Once on a workstation with admin rights, they deploy a malicious WDAC policy.
  5. EDR is disabled. The attacker moves laterally, exfiltrates data, and deploys ransomware.

Every step after step 1 becomes dramatically easier if the first email ever lands in an inbox. This is why prevention starts at the email gateway.

5 Practical Steps to Reduce Your Exposure

You can't patch your way out of a feature being abused — but you can make it far harder for attackers to reach the stage where WDAC abuse is even possible.

1. Lock Down Email Authentication

Most successful intrusions start with a spoofed or phishing email. Strong SPF, DKIM, and DMARC records are your first line of defence. At minimum, your DMARC policy should be at quarantine or reject — not none.

Example DNS records for a typical NZ business domain:

; SPF record
yourdomain.co.nz.  TXT  "v=spf1 include:spf.protection.outlook.com -all"

; DMARC record (enforcement mode)
_dmarc.yourdomain.co.nz.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; ruf=mailto:dmarc@yourdomain.co.nz; fo=1; adkim=s; aspf=s"
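As an added example (not part of the original article or of xteam's MailCheck), this Python snippet grades SPF and DMARC records against the rule above: the two records from this section pass, and a constructed weak pair is flagged. It takes the TXT records as strings, so it assumes the DNS lookup for yourdomain.co.nz and _dmarc.yourdomain.co.nz has already been done.

```python
"""Grade SPF and DMARC TXT records: SPF should end in -all (at least ~all)
and DMARC must be at p=quarantine or p=reject, never p=none. Records are
passed in as strings so the check runs offline."""

def check_spf(record: str) -> list[str]:
    """Return a list of findings for one SPF TXT record (empty = enforcing)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # The 'all' mechanism decides the fate of senders not matched earlier.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    elif not all_term.startswith(("-", "~")):
        findings.append(f"SPF: '{all_term}' lets any sender pass; use -all")
    elif all_term.startswith("~"):
        findings.append("SPF: ~all is softfail; prefer -all once DMARC is enforcing")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return a list of findings for one DMARC TXT record (empty = enforcing)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '(missing)'} is not enforcing; use quarantine or reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings

# The enforcing pair from the article, and a constructed weak pair for contrast.
ARTICLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
ARTICLE_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; "
                 "ruf=mailto:dmarc@yourdomain.co.nz; fo=1; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for label, spf, dmarc in (("article", ARTICLE_SPF, ARTICLE_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, check_spf(spf) + check_dmarc(dmarc) or ["OK: enforcing"])
```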

2. Restrict Local Administrator Rights

WDAC policy deployment requires admin privileges. If standard users don't have local admin rights, attackers have to work a lot harder. Audit your endpoints — you'd be surprised how many NZ businesses still have "everyone is an admin" as their default.

3. Monitor WDAC Policy Changes

Microsoft logs WDAC policy activity in the Windows event log under Microsoft-Windows-CodeIntegrity/Operational. Forward these events to your SIEM or managed detection service, and alert on any unexpected policy deployment.
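An added example of the alerting rule described above, not code from the article: given CodeIntegrity/Operational events already forwarded as dicts (the shape a SIEM export or a Get-WinEvent conversion would give), it flags any policy activation whose PolicyId is not one you deployed, or whose hash differs from the version you deployed. It assumes event ID 3099 is the policy-activation event, and the field names, GUIDs and hashes are constructed placeholders; check both against your own log.

```python
from typing import Optional

# Assumed: 3099 is the "refreshed and activated Code Integrity policy" event; verify in your log.
POLICY_ACTIVATED = 3099

# Constructed placeholders: PolicyId -> PolicyHash of the policies YOU deployed via Intune/GPO.
DEPLOYED_POLICIES = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "hash-of-corp-signed-base-policy",
}

def normalise_id(raw) -> str:
    """PolicyId is often rendered as '{GUID}'; compare braces-off and lower-case."""
    return str(raw or "").strip("{}").lower()

def triage_event(event: dict) -> Optional[str]:
    """Return an alert line for an unexpected policy activation, else None."""
    if event.get("EventID") != POLICY_ACTIVATED:
        return None  # file-block and signing events are noise for this rule
    host = event.get("Computer", "?")
    name = event.get("PolicyName", "?")
    policy_id = normalise_id(event.get("PolicyId"))
    expected_hash = DEPLOYED_POLICIES.get(policy_id)
    if expected_hash is None:
        return f"{host}: activated WDAC policy '{name}' (id {policy_id or 'none'}) is not one we deployed"
    if event.get("PolicyHash") != expected_hash:
        return f"{host}: policy '{name}' activated with an unexpected hash; it may have been replaced"
    return None

def triage_events(events: list) -> list:
    """Run the rule over a batch of forwarded events and return only the alerts."""
    return [alert for alert in map(triage_event, events) if alert]

# Constructed sample batch: one expected activation, one non-policy event, two suspicious activations.
SAMPLE_EVENTS = [
    {"EventID": 3099, "Computer": "AKL-WS-014", "PolicyName": "Corp-Signed-Base",
     "PolicyId": "{11111111-AAAA-4BBB-8CCC-000000000001}", "PolicyHash": "hash-of-corp-signed-base-policy"},
    {"EventID": 3077, "Computer": "AKL-WS-014", "FileName": "C:\\Temp\\unsigned.exe"},  # assumed block event
    {"EventID": 3099, "Computer": "AKL-WS-014", "PolicyName": "Corp-Signed-Base",
     "PolicyId": "{11111111-AAAA-4BBB-8CCC-000000000001}", "PolicyHash": "some-other-hash"},
    {"EventID": 3099, "Computer": "AKL-WS-021", "PolicyName": "DefaultWindows_Enforced",
     "PolicyId": "{99999999-dead-4eef-8000-000000000099}", "PolicyHash": "unknown"},
]

if __name__ == "__main__":
    for line in triage_events(SAMPLE_EVENTS):
        print("ALERT", line)
```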

4. Use Signed, Centrally-Managed WDAC Policies

If you use WDAC yourself, deploy signed policies via Intune or Group Policy. Signed policies can't be overwritten by unsigned malicious policies at the same enforcement level — closing off the Krueger-style attack path.

5. Train Staff on Modern Phishing

Today's phishing emails don't have broken English and dodgy logos. They often look indistinguishable from real IRD, ACC, or Xero notifications. Regular, scenario-based training is essential — and it should include simulated phishing campaigns tuned to the New Zealand threat landscape.

The Bigger Picture: Defence in Depth

The WDAC abuse story is a reminder that no single control is enough. Attackers will always find ways to turn tools against us — what matters is that they have to succeed at every stage, while defenders only need to catch them once.

For NZ SMEs, that means layering:

  • Email authentication (SPF, DKIM, DMARC)
  • User awareness and phishing resistance
  • Least-privilege access
  • EDR with tamper protection enabled
  • Centralised logging and alerting
  • Tested, offline backups

If any one of these fails, the others should catch the attacker before they get to the "disable our EDR with WDAC" stage.

Start With Your Email Posture

The vast majority of these sophisticated attacks begin with a single email slipping through. If your SPF, DKIM, and DMARC aren't configured correctly — or if you haven't checked them recently — you're leaving the front door open.

Try xteam's free MailCheck tool to instantly analyse your domain's email security posture. In under 30 seconds you'll see:

  • Whether your SPF, DKIM, and DMARC records are valid and enforcing
  • Any misconfigurations attackers could exploit
  • Clear, plain-English recommendations tailored for NZ businesses

Don't wait until a WDAC-style attack is already unfolding on your network. Close the door at the email gateway first.


Source: Exploits Turn Windows Defender Into Attacker's Tool — Dark Reading