Two Seven One Three 11f9b56f7c Update README.md
2026-06-13 09:55:46 +07:00

EDRChoker

EDRChoker uses Policy-based Quality of Service (QoS) to set hard bandwidth caps (throttling) on Endpoint Detection and Response (EDR) agents, causing them to always time out - effectively blocking them.

The rules take effect immediately and persist after the target reboots Windows.

EDRChoker relies on Windows' pacer.sys driver.

Command Line Syntax

EDRChoker.exe <ListFile>

Creates a QoS policy for every process name in ListFile (one process name per line).

EDRChoker.exe

Run without arguments, removes all installed QoS policies.
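
For defenders, a check for the condition described above: a QoS policy scoped to a security agent's process name. This is an added example, not code from EDRChoker or its author. It assumes the policies are visible through the built-in `Get-NetQosPolicy` cmdlet; the function name `Find-AgentQosPolicy` and the agent process names are hypothetical placeholders to replace with the executables of the agents you actually deploy.

```powershell
# Added example (not part of EDRChoker). Flags QoS policies whose application
# match condition names a process on a defender-maintained watch list.
function Find-AgentQosPolicy {
    [CmdletBinding()]
    param(
        # Policy objects exposing Name, AppPathNameMatchCondition and
        # ThrottleRateAction, as returned by Get-NetQosPolicy.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Policy,

        # Executable names of the security agents in your environment.
        [Parameter(Mandatory)]
        [string[]]$AgentProcess
    )
    process {
        foreach ($p in $Policy) {
            $app = $p.AppPathNameMatchCondition
            if ([string]::IsNullOrWhiteSpace($app)) { continue }  # not scoped to an application

            # The condition may hold a bare file name or a full path; compare the leaf.
            $leaf = Split-Path -Path $app -Leaf
            if ($AgentProcess -contains $leaf) {                  # -contains ignores case
                [pscustomobject]@{
                    PolicyName           = $p.Name
                    Application          = $app
                    ThrottleBitsPerSecond = $p.ThrottleRateAction
                }
            }
        }
    }
}

# Constructed sample policies (not real tool output) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'VoIP-priority'; AppPathNameMatchCondition = 'softphone.exe';     ThrottleRateAction = $null }
    [pscustomobject]@{ Name = 'policy-001';    AppPathNameMatchCondition = 'example-agent.exe'; ThrottleRateAction = 8000 }
    [pscustomobject]@{ Name = 'backup-cap';    AppPathNameMatchCondition = $null;               ThrottleRateAction = 50000000 }
)

# Placeholder watch list; only 'policy-001' is reported for the sample above.
$sample | Find-AgentQosPolicy -AgentProcess 'example-agent.exe', 'example-sensor.exe'

# Against a live host (elevated prompt), feed the active policy store instead:
#   Get-NetQosPolicy -PolicyStore ActiveStore |
#       Find-AgentQosPolicy -AgentProcess 'example-agent.exe'
```

Because the rules persist after a reboot, the check is worth running on a schedule and comparing against the QoS policies your organisation deploys intentionally.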

EDRChoker: Choking The Telemetry Stream to Bypass Defenses

EDR/antivirus products it has been successfully tested against:

  • Elastic Defend
  • Microsoft Defender for Endpoint (MDE)
  • Tanium Threat Response Agent (EDR)
  • Trend Micro Deep Security Agent
  • Hurukai (HarfangLab EDR)
  • Cortex XDR
  • ...
  • Please contact me if you successfully test it against any other EDR.

Demo Video

YouTube, EDRChoker: https://youtu.be/hj05mT-45bo


Author:

Two Seven One Three

Languages
C# 100%