A new open-source tool, EDRChoker, has emerged as a novel solution for undermining Endpoint Detection and Response (EDR) agents. This tool, rather than terminating processes or injecting code, uses Windows’ Policy-Based Quality of Service (QoS) to significantly reduce network bandwidth, effectively isolating EDR agents from their cloud management systems.
Innovative Strategy for EDR Interference
Crafted by the security researcher known as @TwoSevenOneT, EDRChoker leverages Windows’ native QoS capabilities to throttle the bandwidth of EDR processes nearly to zero. This method renders EDR agents incapable of maintaining their essential connection with cloud-based management servers, which are vital for data collection, threat analysis, and administrative oversight.
By severing this connection, EDR agents are effectively rendered inactive, unable to alert on threats or receive updates and commands from network administrators. This inherent dependency on cloud connectivity is the precise vulnerability that EDRChoker exploits.
Technical Mechanisms Behind EDRChoker
Traditionally, red teams have utilized methods such as Windows Defender Firewall rules and Windows Filtering Platform API calls to disrupt EDR communications. Tools like EDRSilencer use the FwpmFilterAdd0 API to block EDR packets selectively. However, these methods often trigger forensic alerts, because the resulting packet blocking and dropping is visible to security platforms.
EDRChoker employs a different tactic by using the New-NetQosPolicy command to throttle EDR processes to 8 bits per second. This rate is insufficient for completing even a basic TLS handshake, causing EDR agents to time out without generating detectable firewall events. The effectiveness lies in its use of pacer.sys, an NDIS Lightweight Filter Driver that operates at a lower level in the network stack than traditional filtering methods.
Implications for Cybersecurity Defense
EDRChoker’s technique highlights a significant vulnerability in EDR systems that rely heavily on constant cloud connectivity. As attackers exploit deeper layers of the Windows network stack, it becomes crucial for defenders to enhance their monitoring strategies to prevent potential blind spots in security operations.
The tool, available on GitHub, offers two operating modes: ‘Remove mode’ for purging existing QoS policies and ‘Install mode’ for generating new, uniquely named QoS policies based on EDR process names. This ensures that no two deployments are identical, complicating detection efforts.
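Because Install mode gives every policy a unique name, a defender cannot key detection on policy names; the durable signals are the throttle rate itself (a few bits per second can never carry a TLS handshake) and an application-path condition that points at the endpoint agent. The following PowerShell audit is an added example written for this article, not code from EDRChoker or its author. It assumes the NetQos module is available (Windows 8 / Server 2012 and later) and is run elevated; `YourEdrAgent.exe` is a placeholder for the agent executable actually deployed in your environment, and the 64 kbps floor is an assumed tuning value.

```powershell
# Added example (not part of EDRChoker or the article): audit Policy-Based QoS
# policies for throttle rates too low to sustain a TLS session and for
# application-path conditions that match the local endpoint agent.
# Assumptions: elevated session, NetQos module present; the process names and
# the minimum-rate floor are placeholders to be tuned per environment.
function Get-SuspiciousQosPolicy {
    param(
        # Any non-zero throttle below this is treated as a denial rather than a shaping policy.
        [uint64]$MinBitsPerSecond = 64000,
        # Placeholder: replace with the executable name(s) of the agent you actually run.
        [string[]]$WatchedProcessNames = @('YourEdrAgent.exe')
    )

    # ActiveStore is what pacer.sys is enforcing right now, whether the policy
    # arrived through Group Policy or a local New-NetQosPolicy call.
    Get-NetQosPolicy -PolicyStore ActiveStore -ErrorAction Stop | ForEach-Object {
        $reasons = @()
        $rate = [uint64]$_.ThrottleRateActionBitsPerSecond
        $app  = $_.AppPathNameMatchCondition

        if ($rate -gt 0 -and $rate -lt $MinBitsPerSecond) {
            $reasons += "throttle rate $rate bps is below $MinBitsPerSecond bps"
        }
        if ($app) {
            foreach ($name in $WatchedProcessNames) {
                if ($app -like "*$name*") { $reasons += "application condition matches $name" }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name            = $_.Name
                ApplicationPath = $app
                ThrottleBps     = $rate
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

$findings = @(Get-SuspiciousQosPolicy)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious QoS policies in the active store.'
}
```

Run it on a schedule or from your endpoint management tooling and compare against a baseline of the QoS policies you intentionally deploy: a policy that appears with a near-zero rate is the Install-mode signature, while legitimate shaping policies suddenly disappearing matches Remove mode. A confirmed finding can be cleared with `Remove-NetQosPolicy -Name <policy name>`, after which the agent's cloud connectivity should be re-verified from the console.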
In summary, EDRChoker serves as a reminder of the critical need for robust cybersecurity practices that anticipate and mitigate sophisticated tactics targeting network vulnerabilities.
