mirror of
https://github.com/TwoSevenOneT/EDRChoker
synced 2026-06-13 17:53:33 +00:00
Two Seven One Three
46 lines
1.4 KiB
Markdown
46 lines
1.4 KiB
Markdown
# EDRChoker
|
|
|
|
EDRChoker uses **Policy-based Quality of Service (QoS)** to set hard bandwidth caps (throttling) on Endpoint Detection and Response (EDR) agents, causing them to always time out - effectively blocking them.
|
|
|
|
**The rules take effect immediately and persist after the target reboots Windows.**
|
|
|
|
EDRChoker relies on Windows' **pacer.sys** driver.
|
|
|
|
### Command Line Syntax
|
|
|
|
**EDRChoker.exe `<ListFile`>**
|
|
|
|
_To create QoS Policy for all process name in ListFile - Each line per process_
|
|
|
|
**EDRChoker.exe**
|
|
|
|
_To remove all installed QoS Policy_
|
|
|
|
## Links
|
|
|
|
[EDRChoker: Choking The Telemetry Stream to Bypass Defenses](https://www.zerosalarium.com/2026/06/edrchoker-choking-telemetry-stream-block-edr.html)
|
|
|
|
### Some EDR/Antivirus have been successfully tested
|
|
|
|
- **Elastic Defend**
|
|
- **Microsoft Defender for Endpoint (MDE)**
|
|
- **Tanium Threat Response Agent (EDR)**
|
|
- **Trendmicro Deep Security Agent**
|
|
- **Hurukai (HarfangLab EDR)**
|
|
- **Cortex XDR**
|
|
- ...
|
|
- _Please contact me if you successfully test it against any other EDR._
|
|
|
|
## Demo Video
|
|
|
|
Youtube EDRChoker: [https://youtu.be/hj05mT-45bo](https://youtu.be/hj05mT-45bo)
|
|
|
|
|
|
## 🐦 Enjoying my work? Support the journey by following me on X
|
|
|
|
[](https://x.com/TwoSevenOneT)
|
|
|
|
## Author:
|
|
|
|
[Two Seven One Three](https://x.com/TwoSevenOneT)
|