EDR Bypass Techniques

Tactic: Defense Evasion | ATT&CK: T1562.001, T1562.006, T1055.001, T1014 | Detection difficulty: HIGH | Prevalence: HIGH

Adversaries impair or neutralize EDR/AV products before executing their primary payload to prevent detection and response. Techniques span from user-mode API unhooking (removing the hooks EDRs inject into ntdll.dll) through kernel-level driver exploitation (BYOVD, Bring Your Own Vulnerable Driver) to direct termination of security tool processes. Despite the diversity of techniques, the chokepoint is invariant: admin/SYSTEM privileges are always required, and the bypass mechanism always produces a kernel-observable artifact. That artifact is a driver load event, a VirtualProtect call against protected system memory, or the termination of a security process. As of 2024, approximately 48% of high-severity ransomware attacks incorporate purpose-built EDR disablement (Cisco Talos). BYOVD has become a de facto phase in major ransomware deployment chains.

Attack Chokepoints (3 invariant stages)

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Privilege Escalation
  • Admin or SYSTEM privileges on target system (required without exception)
  • Execution capability on target (process creation for bypass tool)
  • For BYOVD: a vulnerable signed driver loadable via NtLoadDriver or SCM
  • For kernel callback removal: ability to read/write kernel memory (via vulnerable driver)
  • For user-mode techniques: VirtualProtect/NtProtectVirtualMemory access to target DLL memory
  • Target EDR must be using one of the impaired mechanisms (user-mode hooks, ETW, kernel callbacks)
Input: Attacker has code execution on the target but lacks admin rights
Chokepoint: Must obtain admin or SYSTEM privileges. No BYOVD, callback removal, or PPL abuse works without elevation.
Observable: Sysmon EID 1 showing privilege escalation (token manipulation, UAC bypass, service exploitation) or a process running at high integrity level
Why unavoidable
Kernel drivers require admin to load. Process termination of protected processes requires SYSTEM. No EDR bypass variant works from a standard user context.
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4688 (Process Creation with Token Elevation)
  • Windows Security Event ID 4672 (Special Privilege Logon)
2 EDR Telemetry Disruption
Input: Attacker has admin/SYSTEM privileges
Chokepoint: Must disrupt EDR telemetry collection. Options include loading a kernel driver (BYOVD), modifying kernel memory (callback removal), patching userland hooks (ntdll unhooking, direct syscalls), patching ETW/AMSI functions, blocking EDR network traffic (WFP filters), or booting into Safe Mode where EDR services don't load.
Observable: Kernel path: Sysmon EID 6 (Driver Loaded) for BYOVD variants. Userland path: Sysmon EID 7 (second ntdll.dll loaded) or ETW-TI VirtualProtect on EtwEventWrite/AmsiScanBuffer. Network path: Security EID 5441 (WFP filter installed). Safe Mode: Sysmon EID 1 showing bcdedit with safeboot argument.
Why unavoidable
EDR telemetry must be disrupted before the primary payload runs. Whether the attacker targets the kernel (BYOVD, callbacks), userland (hooks, ETW, AMSI), network (WFP), or boot environment (Safe Mode), each path produces observable artifacts specific to that mechanism.
  • Sysmon Event ID 6 (Driver Loaded)
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4697 (Service Installed)
3 Security Process Impairment
Input: Kernel protections are bypassed or disabled
Chokepoint: Must stop, kill, or blind the security agent process/service to prevent detection of the actual payload
Observable: Process termination of known EDR processes (MsMpEng.exe, CSFalconService.exe, SentinelAgent.exe). Service state changes (sc stop, net stop). Sysmon EID 10 with PROCESS_TERMINATE access rights to security processes.
Why unavoidable
The EDR agent must be neutralized before the real payload runs. If the agent is still collecting telemetry, the payload gets detected. The termination/impairment event is the artifact.
  • Sysmon Event ID 10 (Process Access)
  • Windows System Event ID 7036 (Service State Change)
  • Sysmon Event ID 1 (sc.exe / net.exe invocation)

Variations (14 variants tracked)

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

BYOVD — EDRKillShifter | 2024-Q3 | Active
Deployed by RansomHub (August 2024); Go-based loader that decrypts an embedded payload and exploits multiple vulnerable kernel drivers in sequence to remove EDR callbacks. Subsequently adopted by Play, Medusa, and BianLian. Requires admin privileges and a password string to decrypt the embedded driver payload.
Deployed as a pre-ransomware step. Attacker already has admin privileges. Password decrypts embedded vulnerable driver payload. Second stage uses self-modifying code (runtime instruction rewriting).
EDRKillShifter.exe <64-char-password-string>
  • Sysmon EID 11: .sys file written to %TEMP% with random 4-10 char name
  • Sysmon EID 6: Unsigned or newly signed driver loaded
  • Sysmon EID 1: EDRKillShifter.exe (or renamed) with long password argument
  • Windows System EID 7045: New service installed for the dropped driver
  • Process termination of EDR processes (MsMpEng.exe, CSFalconService.exe, etc.)
Same chokepoint: admin privileges → driver written to TEMP → driver loaded as service (EID 6) → EDR process termination
Source: www.sophos.com →
BYOVD — Terminator (Spyboy) | 2023-Q1 | Active
Sold on Russian forum RAMP for $300-$3,000; exploits vulnerable Zemana antimalware driver (zam64.sys, CVE-2022-42045) to kill 23+ EDR/AV products including CrowdStrike, Sophos, Defender, ESET, and Kaspersky. Open-source clones (SharpTerminator, Ternimator) widely available by 2024.
Requires admin privileges and UAC acceptance. Drops the legitimate Zemana anti-malware driver with a randomized filename to System32\drivers.
Terminator.exe
  → drops zam64.sys as C:\Windows\System32\drivers\<random>.sys
  → sc create <random_name> type=kernel binPath=C:\Windows\System32\drivers\<random>.sys
  → sc start <random_name>
  → IOCTL 0x80002010 (register PID as trusted)
  → IOCTL to terminate target PIDs
  • Sysmon EID 11: zam64.sys content written with random filename to System32\drivers
  • Sysmon EID 6: Driver loaded, signed by "Zemana Ltd."
  • Windows System EID 7045: New kernel service created
  • Sysmon EID 1: Process creation with admin/SYSTEM context
  • Multiple EDR process terminations in rapid succession
Same chokepoint: admin + UAC acceptance → Zemana driver dropped to System32 → driver loaded as service (EID 6) → IOCTL-based EDR process kill
Source: www.sentinelone.com →
BYOVD — AuKill | 2023-Q1 | Active
Uses Microsoft Process Explorer driver v16.32 (PROCEXP.SYS). Observed in Medusa Locker and LockBit ransomware deployments since January 2023. Based on the open-source Backstab tool.
Checks for admin rights; if not SYSTEM, impersonates TrustedInstaller. V6+ also unloads EDR drivers to break installation completely.
AuKill.exe startkey
  → copies self to C:\Windows\System32\
  → drops PROCEXP.SYS to C:\Windows\System32\drivers\
  → impersonates TrustedInstaller.exe for SYSTEM escalation
  → sc create / sc start for PROCEXP driver
  → enters loop: TerminateViaProcexp() against EDR PIDs
  • Sysmon EID 11: PROCEXP.SYS written to System32\drivers (legitimate PE signed by Microsoft)
  • Sysmon EID 6: Process Explorer driver loaded (v16.32, not current v152)
  • Sysmon EID 1: AuKill process with "startkey" command-line argument
  • Sysmon EID 1: TrustedInstaller impersonation activity
  • Windows System EID 7045: Service install for PROCEXP driver
  • Windows System EID 7036: EDR services transitioning to stopped state
Same chokepoint: admin → TrustedInstaller impersonation → PROCEXP.SYS dropped and loaded (EID 6) → EDR processes and services terminated
Source: www.sophos.com →
BYOVD — POORTRY / STONESTOP | 2022-Q4 | Active
Custom-built kernel driver (POORTRY) with dedicated userland loader (STONESTOP). Not a repurposed vulnerable driver. It is a purpose-built malicious driver signed with stolen/forged certificates. Used by Cuba, BlackCat, Medusa, LockBit, RansomHub. Evolved from process termination to full EDR file wiping in 2024.
Certificate roulette: multiple variants with different certs deployed in same attack. 2024+: deletes EDR executable files and DLLs from disk. Operates in two deletion modes: by file type or by specific filename.
Stonestop.exe (packed with ASMGuard/VMProtect/Themida)
  → drops POORTRY driver (masquerades as idmtdi.sys / Internet Download Manager)
  → driver signed with stolen cert (rotates: "bopsoft", "Evangel Technology", "FEI XIAO", etc.)
  → sends IOCTLs to:
    a) Remove kernel notify callbacks
    b) Terminate EDR processes
    c) Delete EDR files from disk (2024+ capability)
  • Sysmon EID 11: Driver file dropped, masquerading as legitimate software driver
  • Sysmon EID 6: Driver loaded with non-standard or recently issued certificate
  • Windows System EID 7045: Service created for malicious driver
  • Windows System EID 7034: EDR service terminated unexpectedly
  • Sysmon EID 23/26: File deletion events for EDR components
  • Security EID 4616: System time changed (timestamp forging for DSE bypass)
Same chokepoint: admin → Stonestop drops POORTRY driver → driver loaded with forged/stolen cert (EID 6) → kernel callbacks removed → EDR processes killed → EDR files deleted
Source: www.sophos.com →
Kernel Callback Removal (EDRSandblast) | 2022-Q1 | Active
Directly removes registered kernel callbacks (PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine) from the kernel callback array, blinding EDRs at the kernel level without killing their processes. Uses hardcoded kernel offsets to avoid BSOD. Absence of expected callbacks is detectable via memory analysis.
EDR processes continue running but receive no kernel notifications. No process termination events — EDR stays alive but blinded.
EDRSandblast.exe [--usermode | --kernelmode | --all]
  → uses ntoskrnl.exe offsets database to locate callback arrays
  → patches PsSetCreateProcessNotifyRoutine callbacks
  → patches PsSetLoadImageNotifyRoutine callbacks
  → patches CmRegisterCallback callbacks
  → optionally unhooks SSDT entries
  • Sysmon EID 6: Vulnerable driver loaded (used for kernel R/W)
  • Sysmon EID 1: EDRSandblast execution with --kernelmode or --all flags
  • Memory analysis: Absence of expected kernel callbacks (PsNotifyRoutine array zeroed)
  • No process termination events. EDR processes stay alive but blinded.
Same chokepoint: admin → vulnerable driver loaded for kernel R/W → kernel callback arrays patched → EDR blinded (no process/image notifications)
Source: github.com →
PPL Abuse (PPLKiller / PPLdump) | 2020-Q4 | Active
Protected Process Light (PPL) guards LSA and security processes from user-mode attacks. PPLKiller uses a kernel driver to strip PPL protection, enabling termination of EDR processes and LSASS dumping even with RunAsPPL enabled. PPLdump was patched by Microsoft; PPLKiller and Ghost-in-the-PPL variants remain active.
Requires kernel-level access (typically via BYOVD). Modifies the _PS_PROTECTION field in the target process EPROCESS structure to remove PPL flag.
PPLKiller.exe /installDriver
PPLKiller.exe /disablePPL <target_pid>
PPLKiller.exe /dumpProcess <target_pid>
  • Sysmon EID 6: Vulnerable driver loaded
  • Sysmon EID 1: PPLKiller/PPLdump execution with PID argument
  • Sysmon EID 10: Process access to formerly-protected process with full access rights
  • Process termination of PPL-protected EDR process
Same chokepoint: admin → vulnerable driver for kernel R/W → PPL flag stripped from EPROCESS → EDR process terminated or dumped
Source: github.com →
User-mode Unhooking (ntdll Fresh Copy) | 2020-Q1 | Active
EDRs inject hooks into ntdll.dll at process startup to intercept syscalls. Attackers restore the original (unhooked) ntdll.dll by reading a clean copy from a suspended process or directly from disk, then overwriting the hooked version. Eliminates all user-mode EDR visibility without touching the kernel.
Technique is embedded in malware code, not a standalone tool. Kernel-level ETW Threat-Intelligence providers still fire on sensitive operations.
# Embedded in malware. No standalone CLI. Pseudocode:
clean_ntdll = LoadLibraryExA("C:\\Windows\\System32\\ntdll.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
# Overwrite the .text section of the hooked ntdll with the .text section of the clean copy
  • Sysmon EID 7: Second ntdll.dll loaded into process memory
  • ETW: Microsoft-Windows-Kernel-Process shows unusual syscall patterns
  • Memory analysis: Process with two ntdll.dll mappings or modified .text section
Same chokepoint: malware execution → fresh ntdll.dll loaded or direct syscalls → EDR userland hooks bypassed
Source: www.ired.team →
Direct and Indirect Syscalls (SysWhispers, Hell's Gate, Halo's Gate) | 2019-Q3 | Active
Bypass user-mode EDR hooks by invoking Windows kernel syscalls directly without passing through ntdll.dll hook stubs. Direct syscalls embed syscall instructions in attacker code; indirect syscalls jump to the syscall instruction inside ntdll for a legitimate call stack appearance. SysWhispers3 (2022) adds randomized jump targets.
Technique is embedded in malware/implant code. Effective against user-mode-only EDRs; ineffective against kernel-level callback monitoring.
; Direct syscall stub (x64 assembly), mirroring the ntdll stub it replaces:
mov r10, rcx
mov eax, <syscall_number>  ; e.g., 0x0026 for NtOpenProcess (number varies by Windows build)
syscall
ret
  • ETW: Microsoft-Windows-Kernel-Process shows unusual syscall patterns
  • Call stack analysis: syscall return address not within ntdll.dll memory range
  • No single CLI command. Technique is embedded in malware code.
Same chokepoint: malware execution → direct syscall instructions bypass ntdll hooks → EDR userland visibility bypassed
Source: github.com →
ETW Patching (EtwEventWrite) | 2020-Q2 | Active
Patches EtwEventWrite or NtTraceEvent with a RET (0xC3) opcode to prevent user-mode ETW events from firing. Frequently combined with AMSI bypass. Kernel-mode ETW Threat-Intelligence providers (ETW-TI) operate in ring-0 and are unaffected.
Used by CobaltStrike, Meterpreter, and custom loaders. Blinds ETW-based detections without killing any processes.
# Patches EtwEventWrite to return immediately:
# VirtualProtect(EtwEventWrite, PAGE_EXECUTE_READWRITE)
# Write 0xC3 (RET) to first byte
# VirtualProtect(EtwEventWrite, PAGE_EXECUTE_READ)
  • ETW-TI: VirtualProtect call targeting EtwEventWrite address
  • Memory analysis: First byte of EtwEventWrite is 0xC3 (RET)
  • Absence of expected ETW events from a process that should be generating them
Same chokepoint: malware execution → VirtualProtect on EtwEventWrite → ETW event stream silenced
Source: blog.xpnsec.com →
AMSI Bypass (AmsiScanBuffer Patch) | 2019-Q1 | Declining
Patches AmsiScanBuffer to return AMSI_RESULT_CLEAN, preventing script content scanning by PowerShell and other AMSI-integrated hosts. Largely mitigated by modern EDRs via ETW Threat-Intelligence monitoring. Still attempted but increasingly flagged.
One-liner PowerShell AMSI bypass. Blinds script-based detection without disabling EDR. Increasingly detected by memory protection monitoring.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
  • ETW-TI: VirtualProtect call targeting AmsiScanBuffer address
  • PowerShell ScriptBlock logging may capture the bypass attempt
  • Memory analysis: AmsiScanBuffer patched to return AMSI_RESULT_CLEAN
Same chokepoint: script execution → AmsiScanBuffer patched → script content scanning bypassed
Source: www.cyberark.com →
EDRSilencer | 2024-Q2 | Active
Blocks EDR network communication using Windows Filtering Platform (WFP) filters to prevent telemetry and alerts from reaching the management console. Does not kill EDR processes; instead it leaves the EDR running but unable to report. Requires admin privileges.
Alternative to process termination. EDR stays alive but isolated from its management plane.
EDRSilencer.exe blockedr
# Enumerates running EDR processes
# Creates WFP filters blocking their outbound network traffic
# EDR continues running but telemetry never reaches console
  • Security EID 5441: WFP filter installation
  • Sysmon EID 1: EDRSilencer process execution
  • Network monitoring: EDR management traffic drops to zero
  • WFP filter audit: New persistent filters targeting security product executables
Same chokepoint: admin → WFP filters installed blocking EDR traffic (EID 5441) → EDR telemetry silenced
Source: github.com →
Module Stomping / Reflective DLL Injection | 2014-Q1 | Active
Module stomping overwrites the memory of a legitimately loaded DLL with shellcode, so the code executes from within a trusted DLL's address space. Reflective DLL injection loads a DLL entirely from memory without the Windows loader. Both evade RWX memory detections. Still used in Cobalt Strike and Havoc.
Technique is built into C2 frameworks (Cobalt Strike, Havoc). Leaves no disk artifact for the injected code.
# Embedded in C2 frameworks. No standalone CLI.
# 1. Load legitimate DLL (e.g., amsi.dll)
# 2. Overwrite .text section with shellcode
# 3. Execute from legitimate DLL's address space
  • Sysmon EID 7: DLL loaded then memory region changed to RWX
  • ETW-TI: VirtualProtect calls on legitimate DLL memory regions
  • Memory analysis: DLL .text section hash mismatch with on-disk version
Same chokepoint: C2 execution → legitimate DLL memory overwritten with shellcode → code runs from trusted address space
Source: www.ired.team →
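The memory-analysis observables listed for ntdll unhooking (modified .text section), EtwEventWrite patching (first byte 0xC3), the AmsiScanBuffer patch and module stomping (.text hash mismatch with the on-disk version) all reduce to one check: diff the bytes of a module's .text section as mapped in the process against the bytes of the same section on disk, then look at what changed and where. The following Python is an added example, not the page's or any tool's code, of that comparison: it reports changed byte ranges, classifies the first bytes of each modified export prologue, and flags a section where most bytes differ as consistent with module stomping. The on-disk image, export offsets, patch bytes and the signature table are constructed assumptions.

```python
"""Compare a module's on-disk .text bytes with the copy mapped in a process and
report what changed. Added example, not the page's or any tool's code; the disk
image, export table and patched memory images below are constructed."""
import hashlib
from typing import Dict, List, Tuple

# First bytes of a patched prologue and what they usually mean (assumed signature table).
PATCH_SIGNATURES = {
    b"\xC3": "RET patch (function disabled, e.g. EtwEventWrite)",
    b"\xE9": "JMP rel32 (inline hook or trampoline)",
    b"\xFF\x25": "JMP [rip+disp32] (absolute inline hook)",
    b"\xB8": "MOV EAX, imm32 (forced return value, e.g. AMSI_RESULT_CLEAN)",
}

# Constructed export table: offsets into the .text image, not real RVAs.
EXPORTS: Dict[str, int] = {"EtwEventWrite": 0x10, "AmsiScanBuffer": 0x40,
                           "NtOpenProcess": 0x80, "RtlGetVersion": 0xC0}
PROLOGUE = b"\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20"   # common x64 function prologue


def build_disk_image(size: int = 256) -> bytes:
    """Constructed on-disk .text: int3 padding with a prologue at each export."""
    img = bytearray(b"\xCC" * size)
    for off in EXPORTS.values():
        img[off:off + len(PROLOGUE)] = PROLOGUE
    return bytes(img)


def text_section_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(disk: bytes, mem: bytes) -> List[Tuple[int, int]]:
    """(offset, length) runs where the mapped image differs from disk."""
    if len(disk) != len(mem):
        raise ValueError("compare same-size .text images")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(disk, mem)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(disk) - start))
    return regions


def classify_export_patches(disk: bytes, mem: bytes, exports: Dict[str, int]) -> Dict[str, str]:
    """Describe how each export's prologue was modified, skipping untouched exports."""
    result = {}
    for name, off in exports.items():
        if disk[off:off + 16] == mem[off:off + 16]:
            continue
        desc = "modified bytes (unknown pattern)"
        for sig, label in PATCH_SIGNATURES.items():
            if mem[off:off + len(sig)] == sig:
                desc = label
                break
        result[name] = desc
    return result


def scan_module(disk: bytes, mem: bytes, exports: Dict[str, int]) -> dict:
    regions = diff_regions(disk, mem)
    changed = sum(length for _, length in regions)
    return {
        "hash_match": text_section_hash(disk) == text_section_hash(mem),
        "modified_regions": regions,
        "export_patches": classify_export_patches(disk, mem, exports),
        # most of .text replaced: consistent with module stomping rather than a few hooks
        "likely_module_stomping": changed > len(disk) // 2,
    }


DISK_TEXT = build_disk_image()

# Constructed memory image 1: EtwEventWrite starts with RET, AmsiScanBuffer with MOV EAX,0 ; RET.
_m = bytearray(DISK_TEXT)
_m[0x10] = 0xC3
_m[0x40:0x46] = b"\xB8\x00\x00\x00\x00\xC3"
MEM_TEXT_PATCHED = bytes(_m)

# Constructed memory image 2: bulk of the section replaced, as after module stomping.
_s = bytearray(DISK_TEXT)
_s[0x20:0xF0] = b"\x41" * (0xF0 - 0x20)
MEM_TEXT_STOMPED = bytes(_s)

if __name__ == "__main__":
    for label, mem in (("patched", MEM_TEXT_PATCHED), ("stomped", MEM_TEXT_STOMPED)):
        print(label, scan_module(DISK_TEXT, mem, EXPORTS))
```

On a live host the `disk` bytes come from the file's .text section header and the `mem` bytes from reading the same range at the module base in the target process. One caveat a practitioner should expect: an EDR's own user-mode hooks show up as JMP differences in exactly the same way, so for unhooking detection the interesting signal is often the absence of hooks the EDR is known to place, which means comparing against a known-good hooked process rather than against bare disk.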
SafeMode Boot EDR Bypass | 2019-Q4 | Active
Boot Windows into Safe Mode where EDR services are not configured to load. Register ransomware as RunOnce startup item, reboot into Safe Mode, encrypt without EDR running. Used by Snatch, REvil, BlackMatter, AvosLocker.
Sets next boot to Safe Mode (minimal, no networking). Registers ransomware as RunOnce entry. Forces immediate reboot. EDR services are not configured for Safe Mode boot.
bcdedit /set {default} safeboot minimal
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "payload" /t REG_SZ /d "C:\temp\ransomware.exe" /f
shutdown /r /f /t 0
  • Sysmon EID 1: bcdedit.exe with /set and safeboot arguments
  • Sysmon EID 13: Registry modification to RunOnce key
  • Windows System EID 1074: System shutdown/restart initiated
  • Post-reboot: Ransomware process running with no EDR telemetry
Same chokepoint: admin → bcdedit sets Safe Mode boot → ransomware registered in RunOnce → reboot → EDR absent → encryption
Source: www.sophos.com →
BlackSanta EDR Killer | 2026-Q1 | Active
Russian-speaking threat actor delivers BlackSanta EDR killer via social engineering targeting HR departments. Likely uses BYOVD or kernel callback removal to disable EDR products. Source link needed →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

Goal: Identify all kernel driver load events in the environment, focusing on non-Microsoft and recently signed drivers
Log Sources:
  • Sysmon Event ID 6 (Driver Loaded)
  • Windows Security Event ID 4688 (Process Creation)
  • Windows System Event ID 7045 (Service Installed)
FP Rate: High
Use Case: Build a baseline of all drivers loaded in the environment; identify gaps in driver allowlisting; compare against the Microsoft Vulnerable Driver Blocklist
Detection logic: Sysmon EID 6 driver loads where Signature is non-Microsoft, SignatureStatus is not Valid, the driver was signed within the last 90 days, or the hash matches the Microsoft Vulnerable Driver Blocklist.
Sigma Rule — Research Level
title: EDR Bypass — All Non-Microsoft Kernel Driver Loads (Research Baseline)
id: a1f3c2e4-9b7d-4e6a-8c0f-2d5b7e9f1a3c
status: experimental
description: >
  Detects kernel driver loads where the driver is unsigned, revoked, or signed by a
  non-Microsoft publisher. Baseline rule for BYOVD landscape mapping.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1068/
  - https://www.loldrivers.io/
  - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.privilege_escalation
  - attack.t1068
  - detection.maturity.research
logsource:
  product: windows
  service: sysmon
detection:
  selection_driver_load:
    EventID: 6
  selection_unsigned:
    EventID: 6
    Signed: 'false'
  selection_invalid_sig:
    EventID: 6
    SignatureStatus|contains:
      - 'Revoked'
      - 'Expired'
      - 'Invalid'
      - 'Untrusted'
      - 'BadSignature'
  # Non-Microsoft publisher (the description's third criterion). Note that this also
  # suppresses third-party drivers counter-signed by the Microsoft WHQL publisher.
  filter_microsoft_signer:
    Signature|contains: 'Microsoft'
  # Known BYOVD driver hashes — populate from LOLDrivers (loldrivers.io)
  # and Microsoft Vulnerable Driver Blocklist for your environment.
  # selection_known_byovd_hashes:
  #   EventID: 6
  #   Hashes|contains:
  #     - 'SHA256=<real_hash_from_loldrivers>'
  # Do NOT use placeholder values — verify each hash against a known-bad driver.
  # "Signed within the last 90 days" cannot be expressed in Sigma; apply it in a
  # SIEM enrichment step using the signer certificate's NotBefore date.
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    ImageLoaded|endswith:
      - '\placeholder_tune_for_your_env.sys'
  condition: (selection_unsigned or selection_invalid_sig or (selection_driver_load and not filter_microsoft_signer)) and not filter_legit_software
falsepositives:
  - Legitimate third-party hardware drivers (GPU, NIC, storage controllers) with expired certificates
  - Security software drivers (EDR/AV agents) signed by security vendors
  - Development/test environments with self-signed drivers
  - Older enterprise software with legacy unsigned kernel components
  - Microsoft WHQL-signed drivers that have since had certificates expire
level: informational
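The research rule's four criteria (non-Microsoft signer, non-Valid SignatureStatus, certificate issued within the last 90 days, hash on the vulnerable-driver blocklist) cannot all be written in Sigma: the YAML covers the signature checks, but the 90-day window needs the signer certificate's NotBefore date, which Sysmon does not emit. The following Python is an added example, not project code, that applies all four criteria to Sysmon EID 6 records and lists every criterion each record matched; the event dicts, the `cert_not_before` enrichment field, the signer name, the hashes and the blocklist entry are constructed.

```python
"""Triage Sysmon Event ID 6 (Driver Loaded) records against the four research-rule
criteria. Added example, not part of the Detection Chokepoints project. All events,
hashes and the blocklist below are constructed; `cert_not_before` is assumed to be
supplied by an enrichment step (Sysmon does not emit it)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

RECENT_SIGNING_WINDOW = timedelta(days=90)

# Constructed blocklist entry. In production, load SHA256 values from the Microsoft
# Vulnerable Driver Blocklist / LOLDrivers; never ship placeholder hashes.
VULNERABLE_DRIVER_SHA256: Set[str] = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}


@dataclass
class DriverLoadFinding:
    image: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Sysmon writes Hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def triage_driver_load(event: dict, now: datetime,
                       blocklist: Set[str] = VULNERABLE_DRIVER_SHA256) -> DriverLoadFinding:
    """Apply the four criteria to one EID 6 record; every matching criterion is a reason."""
    if event.get("EventID") != 6:
        raise ValueError("not a Sysmon Event ID 6 record")
    finding = DriverLoadFinding(image=event["ImageLoaded"])

    if str(event.get("Signed", "true")).lower() != "true":
        finding.reasons.append("unsigned")

    status = event.get("SignatureStatus", "")
    if status != "Valid":
        finding.reasons.append(f"signature status {status or 'missing'}")

    signer = event.get("Signature", "")
    if "Microsoft" not in signer:
        finding.reasons.append(f"non-Microsoft signer '{signer}'")

    not_before = event.get("cert_not_before")          # enrichment field (assumption)
    if not_before is not None and timedelta(0) <= now - not_before <= RECENT_SIGNING_WINDOW:
        finding.reasons.append(f"certificate issued {(now - not_before).days} days ago")

    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in blocklist:
        finding.reasons.append("SHA256 on vulnerable-driver blocklist")
    return finding


NOW = datetime(2024, 8, 22, 3, 44, 11)   # constructed "current time"

SAMPLE_EVENTS = [
    {   # constructed: inbox Microsoft driver, clean on every criterion
        "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
        "Hashes": "SHA256=" + "AA" * 32, "cert_not_before": datetime(2023, 1, 10),
    },
    {   # constructed: third-party driver signed six days ago whose hash is blocklisted
        "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\example_vuln.sys",
        "Signed": "true", "Signature": "ExampleSoft Ltd.", "SignatureStatus": "Valid",
        "Hashes": "SHA256=" + "11" * 32, "cert_not_before": datetime(2024, 8, 16),
    },
]


def triage_all(events: List[dict], now: datetime = NOW) -> List[DriverLoadFinding]:
    return [triage_driver_load(e, now) for e in events]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"{f.image}: {'SUSPICIOUS' if f.suspicious else 'clean'} {f.reasons}")
```

Because each criterion is recorded separately, the output can be tiered the way the page's rule descriptions suggest: a blocklist hit is actionable on its own, while "non-Microsoft signer" alone is baseline material that needs the allowlist tuning the Sigma rule's `filter_legit_software` placeholder stands for.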

Raw Log Samples (4 samples)

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 6 (Sysmon): Vulnerable/recently-signed kernel driver loaded. BYOVD technique initiation.
EventID: 6 (Driver Loaded)
UtcTime: 2024-08-22 03:44:11.774
ImageLoaded: C:\Windows\Temp\truesight.sys
Hashes: SHA256=3BE39706C4B3B49B8D5C49FEF3EFC2B748D6B3F8A1D0E9C2B4A6F8D0E2C4A6B8
Signed: true
Signature: Raynet Inc.
SignatureStatus: Valid
# Driver signed by "Raynet Inc.", a certificate issued 6 days prior to this event
# Hash matches Microsoft Vulnerable Driver Blocklist (truesight.sys / RogueKiller driver)
# Research rule: non-Microsoft driver OR recently-signed OR blocklist match
EID 10 (Sysmon): BYOVD process opens handle to EDR process. Pre-kill access request.
EventID: 10 (ProcessAccess)
UtcTime: 2024-08-22 03:44:12.891
SourceProcessGUID: {d4e5f6a7-4567-8901-defa-123456789012}
SourceProcessId: 2048
SourceImage: C:\Windows\Temp\killer.exe
TargetProcessGUID: {00000000-0000-0000-0000-000000000000}
TargetProcessId: 1876
TargetImage: C:\Program Files\Windows Defender\MsMpEng.exe
GrantedAccess: 0x1FFFFF
# PROCESS_ALL_ACCESS from non-trusted process to security process
# Follows driver load within 5 minutes. Hunt rule correlation.
EID 7036 (Windows Event Log): Windows Defender service stopped after BYOVD driver loaded
EventID: 7036 (The service entered the stopped state)
TimeCreated: 2024-08-22T03:44:13.4417820Z
Channel: System
param1: Windows Defender Antivirus Service
param2: stopped
# WinDefend stops within 120 seconds of driver load event
# Combined with EID 6 (driver) + EID 10 (process access) = full Analyst kill chain
EID 7040 (Windows Event Log): Attacker disables WinDefend to prevent restart after stopping it
EventID: 7040 (The start type of the service was changed)
TimeCreated: 2024-08-22T03:44:13.6124330Z
Channel: System
param1: Windows Defender Antivirus Service
param2: disabled
# Service start type changed to "disabled" immediately after service stop
# Prevents restart via Task Scheduler or manual sc start
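The comments on the four samples describe a time-ordered correlation: a stage-2 telemetry-disruption event (here the EID 6 driver load) followed within 5 minutes by an EID 10 handle to a security process and within 120 seconds by a 7036/7040 on the security service. The following Python is an added example, not project code, that implements that correlation over normalized events and labels each chain with the Research/Hunt/Analyst tiers the emulation section uses. It goes slightly beyond the samples by also accepting the other stage-2 triggers named on the page (Sysmon EID 1 bcdedit with safeboot, Security EID 5441 WFP filter) and by requiring the PROCESS_TERMINATE bit in GrantedAccess rather than the full 0x1FFFFF mask. The events are constructed to mirror the four samples, plus one benign query-only handle that must not match; the field names follow the samples and the window sizes are taken from their comments.

```python
"""Correlate normalized Windows events into the page's chokepoint chain:
stage 2 (telemetry disruption) followed by stage 3 (security process impairment).
Added example, not project code; events below are constructed to mirror the page's
four raw log samples, plus a benign EID 10 that must not count."""
from datetime import datetime, timedelta
from typing import List, Optional

PROCESS_TERMINATE = 0x0001
SECURITY_IMAGES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe"}
SECURITY_SERVICES = {"windows defender antivirus service", "windefend"}
ACCESS_WINDOW = timedelta(minutes=5)     # EID 10 must follow the stage-2 event within 5 minutes
SERVICE_WINDOW = timedelta(seconds=120)  # 7036/7040 must follow within 120 seconds


def classify(ev: dict) -> Optional[str]:
    """Label one normalized event with its chokepoint stage, or None if irrelevant."""
    ch, eid = ev["Channel"], ev["EventID"]
    if ch == "Sysmon" and eid == 6:
        return "stage2:driver_load"
    if ch == "Sysmon" and eid == 1:
        cmd = ev.get("CommandLine", "").lower()
        return "stage2:safeboot" if "bcdedit" in cmd and "safeboot" in cmd else None
    if ch == "Security" and eid == 5441:
        return "stage2:wfp_filter"
    if ch == "Sysmon" and eid == 10:
        target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if target in SECURITY_IMAGES and granted & PROCESS_TERMINATE:
            return "stage3:terminate_handle"
        return None
    if ch == "System" and eid in (7036, 7040):
        if ev.get("param1", "").lower() in SECURITY_SERVICES:
            return "stage3:service_stopped" if eid == 7036 else "stage3:service_disabled"
    return None


def correlate(events: List[dict]) -> List[dict]:
    """One chain per stage-2 trigger, listing in-window stage-3 events and a tier:
    Research (trigger only), Hunt (+ terminate handle), Analyst (+ service stop/disable)."""
    labelled = sorted(((classify(e), e) for e in events), key=lambda p: p[1]["UtcTime"])
    chains = []
    for label, trigger in labelled:
        if not (label and label.startswith("stage2:")):
            continue
        t0 = trigger["UtcTime"]
        followups = []
        for flabel, f in labelled:
            if not (flabel and flabel.startswith("stage3:")) or f["UtcTime"] < t0:
                continue
            window = ACCESS_WINDOW if flabel == "stage3:terminate_handle" else SERVICE_WINDOW
            if f["UtcTime"] - t0 <= window:
                followups.append(flabel)
        handle = "stage3:terminate_handle" in followups
        service = any(x in followups for x in ("stage3:service_stopped", "stage3:service_disabled"))
        level = "Analyst" if handle and service else "Hunt" if handle else "Research"
        chains.append({"trigger": label, "at": t0, "followups": followups, "level": level})
    return chains


def _t(s: str) -> datetime:  # constructed timestamps in Sysmon UtcTime format
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 6, "UtcTime": _t("2024-08-22 03:44:11.774"),
     "ImageLoaded": r"C:\Windows\Temp\truesight.sys", "Signature": "ExampleSoft Ltd."},
    {"Channel": "Sysmon", "EventID": 10, "UtcTime": _t("2024-08-22 03:44:12.891"),
     "SourceImage": r"C:\Windows\Temp\killer.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "System", "EventID": 7036, "UtcTime": _t("2024-08-22 03:44:13.441"),
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"Channel": "System", "EventID": 7040, "UtcTime": _t("2024-08-22 03:44:13.612"),
     "param1": "Windows Defender Antivirus Service", "param2": "disabled"},
    # benign: query-only handle to MsMpEng.exe (no PROCESS_TERMINATE bit), must not count
    {"Channel": "Sysmon", "EventID": 10, "UtcTime": _t("2024-08-22 03:44:20.000"),
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["level"], chain["trigger"], chain["at"], chain["followups"])
```

Correlating per trigger rather than per host keeps the chain attributable to the specific driver load or bcdedit invocation that opened it, which is what an analyst wants in the alert; in a SIEM the same logic maps to a sequence or join with the two windows as bounds.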

Emulation

ATT&CK: T1562.001 | Simulates EDR process handle opening, service stop/disable, and driver install event | PowerShell
Lab use only. Requires Administrator. Temporarily stops WinDefend for service stop telemetry (re-enables immediately). Does NOT load vulnerable kernel drivers. Run in isolated lab VM only.
POWERSHELL
#Requires -Version 5.1
# MITRE ATT&CK: T1562.001 — Impair Defenses: Disable or Modify Tools
# Simulates service-stop and filter-driver disable commands targeting security software.

[CmdletBinding()]
param(
    [switch]$SkipServiceStop,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'   # Don't stop on access-denied errors

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    # Remove test service if it exists
    $svc = Get-Service -Name 'EDRBypassTestSvc' -ErrorAction SilentlyContinue
    if ($svc) {
        sc.exe stop EDRBypassTestSvc 2>&1 | Out-Null
        sc.exe delete EDRBypassTestSvc 2>&1 | Out-Null
        Write-Ok "Test service EDRBypassTestSvc removed"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

# Check admin
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warn "Not running as Administrator. Some steps will generate DENIED telemetry only."
    Write-Warn "Rerun as Administrator for full fidelity."
}

Write-Host ""
Write-Host "=== EDR Bypass Emulation ===" -ForegroundColor Magenta
Write-Host "    T1562.001 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Opening process handle to MsMpEng.exe (Sysmon EID 10)"
Write-Verbose "  Access rights: PROCESS_ALL_ACCESS (0x1FFFFF) — same as BYOVD tool pre-kill"
Write-Verbose "  Note: EID 10 fires even if OpenProcess returns ACCESS_DENIED"

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public class ProcessAccess {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwAccess, bool bInheritHandle, int dwPid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    public static string TryOpen(int pid) {
        // PROCESS_ALL_ACCESS — this is what a BYOVD tool requests before terminating EDR
        IntPtr hnd = OpenProcess(0x1FFFFF, false, pid);
        if (hnd != IntPtr.Zero) {
            CloseHandle(hnd);
            return "GRANTED";
        }
        return "DENIED (error=" + Marshal.GetLastWin32Error() + ")";
    }
}
'@

# Find MsMpEng.exe (Windows Defender) — the canonical EDR bypass target
$securityProcs = @('MsMpEng', 'SentinelAgent', 'CSFalconService', 'SophosFileScanner', 'CylanceSvc')
$found = $false
foreach ($procName in $securityProcs) {
    $proc = Get-Process -Name $procName -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc) {
        $result = [ProcessAccess]::TryOpen($proc.Id)
        Write-Ok "OpenProcess($procName PID $($proc.Id), PROCESS_ALL_ACCESS): $result"
        Write-Ok "Sysmon EID 10 generated (access logged regardless of grant/deny)"
        $found = $true
        break
    }
}
if (-not $found) {
    Write-Warn "No security process found running. Sysmon EID 10 not generated for this step."
    Write-Warn "Ensure Windows Defender (MsMpEng.exe) is running, or run on a host with EDR."
}

Start-Sleep -Milliseconds 500

if (-not $SkipServiceStop) {
    Write-Step "Step 2/3 — Stopping and disabling WinDefend service (sc.exe)"
    Write-Verbose "  Process: sc.exe — same tool used by all major ransomware operators"
    Write-Warn "Attempting to stop WinDefend. Use -SkipServiceStop to skip."
    Write-Warn "Re-enable after testing: sc start WinDefend"

    # Stop
    $stopResult = sc.exe stop WinDefend 2>&1
    Write-Ok "sc stop WinDefend: $stopResult"

    Start-Sleep -Milliseconds 500

    # Disable (generates EID 7040 - start type change)
    $disableResult = sc.exe config WinDefend start= disabled 2>&1
    Write-Ok "sc config WinDefend start=disabled: $disableResult"

    Start-Sleep -Milliseconds 500

    # Re-enable immediately (lab safety)
    sc.exe config WinDefend start= auto 2>&1 | Out-Null
    sc.exe start WinDefend 2>&1 | Out-Null
    Write-Ok "WinDefend re-enabled (start=auto, service restarted)"
} else {
    Write-Warn "Step 2 skipped (-SkipServiceStop)"
    Write-Warn "To test Hunt/Analyst rules without modifying Defender, check existing EID 7036 logs."
}

Start-Sleep -Milliseconds 300

Write-Step "Step 3/3 — Installing test service to simulate driver load telemetry"
Write-Verbose "  Note: EID 6 requires an actual kernel driver (.sys) with NtLoadDriver"
Write-Verbose "  This step generates the SCM service install event without loading kernel code"
Write-Warn "For EID 6 (actual driver load), use a signed test driver in an isolated VM."
Write-Warn "See: https://github.com/fengjixuchui/TestKrnlDrv for safe test drivers"

if ($isAdmin) {
    # Create a harmless service pointing to a non-existent driver path
    # This generates WEL 7045 (Service Installed) without actually loading a driver
    $svcResult = sc.exe create EDRBypassTestSvc `
        binPath= "C:\Windows\Temp\testdrv_emulation.sys" `
        type= kernel start= demand displayname= "EDR Bypass Test Service" 2>&1
    Write-Ok "sc create EDRBypassTestSvc (kernel type): $svcResult"
    Write-Ok "WEL 7045 (Service Installed, type=kernel) generated — Research rule context"

    # Clean up immediately
    sc.exe delete EDRBypassTestSvc 2>&1 | Out-Null
    Write-Ok "Test service removed"
} else {
    Write-Warn "Step 3 skipped — Administrator required for service creation"
}

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 6 (driver load) — requires real .sys; WEL 7045 as proxy" -ForegroundColor DarkCyan
Write-Host "  [Hunt]      Sysmon EID 10 (security process handle) + service/driver activity"   -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 10 + WEL 7036 (service stopped) + WEL 7040 (start type changed)" -ForegroundColor DarkGreen
Write-Host ""
Write-Host "For full EID 6 fidelity:" -ForegroundColor DarkGray
Write-Host "  1. Use an isolated VM with a test-signed kernel driver"
Write-Host "  2. sc create <svc> binPath=<driver.sys> type=kernel"
Write-Host "  3. sc start <svc>  (generates Sysmon EID 6)"
Write-Host "  4. Follow immediately with sc stop <security-service> for full Hunt/Analyst chain"
Write-Host ""

OSINT Pivots