Labs Team Uncovers Abuse of WDAC in the Wild to Disable EDR

During an IR engagement, Beazley Security discovered threat actors using novel techniques to abuse Windows Defender Application Control (WDAC) to disable EDR.

Beazley Security Labs has published groundbreaking research into the real-world abuse of Windows Defender Application Control (WDAC) to disable endpoint detection and response (EDR) solutions. WDAC is a Windows utility that determines what software is allowed to run on an endpoint.

During an incident response (IR) engagement, our team uncovered threat actors using novel techniques that allowed them to completely disable EDR products and carry out their attacks undetected. As part of our research, we discovered that the default driver block lists that Microsoft recommends accidentally include a rule that prevents all EDR products we've tested from initializing, except Windows Defender for Endpoint. The full report, including technical details, can be found at labs.beazley.security.

Here's the short version.

Key Findings

The research revealed that Microsoft's default driver block lists for WDAC inadvertently include rules that prevent many major EDR tools from initializing. This vulnerability was exploited by attackers to bypass EDR protections, highlighting a critical gap in the current security landscape.
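The finding above turns on which WDAC policy is active on an endpoint: a policy that blocks the EDR's own driver stops the agent before it can report anything. The script below is an added example written for this summary, not code from Beazley Security or the full report. It audits a Windows host's code-integrity state from the defender's side: enforcement status, the policy files currently on disk (so an unexpected policy can be spotted), and the Code Integrity events that record a policy activation (3099) or a blocked file (3077). It assumes it is run elevated and that `$ExpectedPolicyIds` is filled with the policy GUIDs your organization actually deploys; that list is a placeholder here.

```powershell
# Added example (not from the Beazley Security report): audit WDAC / code-integrity
# state on a Windows endpoint so an unexpected policy that blocks EDR drivers is noticed.
# Assumptions (not stated on the page): run elevated; the only expected policies are
# the GUIDs you put in $ExpectedPolicyIds (placeholder, empty here).

$ExpectedPolicyIds = @()   # placeholder: GUIDs of the WDAC policies your org deploys

# 1. Enforcement status via the Device Guard WMI class.
#    CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
[PSCustomObject]@{
    KernelModeCI = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModeCI   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. Policy files currently on disk. The multiple-policy format lives under
#    CiPolicies\Active as {GUID}.cip; the legacy single-policy format is SIPolicy.p7b.
#    Anything whose GUID is not in $ExpectedPolicyIds deserves a closer look.
$paths = @(
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip",
    "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
)
Get-ChildItem -Path $paths -ErrorAction SilentlyContinue | ForEach-Object {
    $policyId = $_.BaseName.Trim('{}')   # strip the braces around the GUID
    [PSCustomObject]@{
        File      = $_.FullName
        PolicyId  = $policyId
        LastWrite = $_.LastWriteTimeUtc
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        Expected  = ($ExpectedPolicyIds -contains $policyId)
    }
} | Format-Table -AutoSize

# 3. Recent Code Integrity events: 3099 = policy refreshed/activated,
#    3077 = a file was blocked under an enforced policy. A 3099 followed by 3077s
#    that name EDR driver files is the sequence a detection rule should alert on.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3077, 3099
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Because the attack described on this page disables the EDR agent itself, an audit that only runs on the endpoint can be silenced along with it; the policy inventory and the 3099/3077 events are most useful when forwarded to a central log platform and compared against a known-good baseline there.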

Collaborative Efforts

To address this issue, we coordinated with leading EDR vendors such as SentinelOne, CrowdStrike, and Elastic. Our collaboration with SentinelOne ensured that their detection capabilities were updated to mitigate this attack. We also worked with other industry leaders to raise awareness and drive improvements in EDR solutions.

Impact and Implications

This research is a significant step forward in understanding and addressing the vulnerabilities within WDAC configurations. By bringing this issue to light, Beazley Security Labs aims to enhance the overall security posture of organizations and protect them from sophisticated cyber threats. The coordinated disclosure with SentinelOne ensures that both their clients and ours have protection as the research is being published.

Looking Ahead

This research marks just the beginning of Beazley Security Labs' efforts to uncover and mitigate advanced threats. We are committed to continuing our research and collaboration with industry partners to stay ahead of evolving cyber threats.

For the full details and a technical breakdown of how this attack worked, please visit https://labs.beazley.security/articles/disabling-edr-with-wdac.

During the investigation of this attack, Beazley Security Labs discovered that Microsoft's default recommended driver block list for WDAC includes a rule that prevents most EDR products we've tested from initializing.

Francisco Donoso, Chief Technology Officer

