MCPcopy Create free account
hub / github.com/arosenmund/defcon33_silence_kill_edr

github.com/arosenmund/defcon33_silence_kill_edr @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
78 symbols 166 edges 24 files 11 documented · 14% updated 10mo ago★ 345

Browse by type

Functions 76 Types & classes 2
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

🛡️ DEFCON Workshop: Putting EDRs in Their Place

💀 Killing and Silencing EDR Agents Like an Adversary

banner

🎯 What You’ll Do

Each student will be provisioned their own lab environment to: - 🔍 Investigate a live EDR agent: discover its hooks, logs, and reach - ⚔️ Compile & deploy EDR killers used by known threat groups - 🔕 Silence the agent-to-tenant communication path (shhh...) - 🧠 Reverse engineer tool behaviors in real time - 🛠️ Write custom C/C++ code to replicate evasion techniques - 🧬 Build your own EDR killer and silencer—like a boss

👨‍💻 Format

✔️ Hands-on labs in your own hosted VM
✔️ Pre-loaded tools, samples, and EDR emulator
✔️ Instructor-led reverse engineering and live coding
✔️ No filler. Just killin’.

💻 Requirements

Make sure you're ready to go with: - ✅ A modern browser (for the hosted lab) - ✅ Some knowledge of C/C++ (or willingness to jump in) - ✅ Passion for pain, pointers, and patchless pwnage

🛠️ Tools & Techniques Covered

Category Topics Covered
🧬 Evasion Inline hooking, API tracing, userland stealth
🪓 EDR Kill Chains Process injection, thread hijacking, process tampering
🛡️ Silencing Agents Blocking telemetry, stalling callbacks, tenant comms kill
🧱 BYOVD Custom driver loading, kernel tampering, stealth access
🔬 RE + Dev Dissecting EDR binaries, writing your own bypass toolsets

I. 👋 Introduction (10 min) — Ryan & Aaron

  • Welcome and introductions
  • Workshop overview:
  • 🔍 Our focus: EDR killing vs. silencing — what’s the difference, who uses these tactics, and why?
  • 🧰 Tools & techniques preview
  • 🧪 Structure:
    • Use and analyze real-world tools
    • Write your own weaponized versions
  • 👑 Ground rules:
  • Participate, ask questions, stay respectful, share thoughts!

II. 🧱 Environment Setup (25 min) — Aaron

Goal: Get your personal lab ready for action.

  • 🔗 GitHub lab instructions
  • 🧪 Pluralsight Lab: Setup free accounts
  • ✅ Verify lab access
  • 🛠️ Troubleshooting help if needed

III. 🧠 Introduction to OpenEDR (40 min) — Ryan

Goal: Understand the EDR we’ll be targeting.

  • What is OpenEDR? Why it was selected? Alternatives?
  • 🧬 OpenEDR internals:
  • Logging behavior
  • Detection capabilities
  • 🧪 Run some commands → Analyze logs

IV. 💣 EDR Killing with EDRSandBlast (20 min) — Ryan

Goal: Use a real-world EDR killer tool seen in ransomware campaigns.

  • Overview of EDRSandBlast
  • 👨‍💻 Code walkthrough in Visual Studio
  • 🔨 Build it
  • 🚀 Execute it:
  • Run post-exploit commands → verify nothing is logged
  • 🩹 Disable EDRSandBlast → see logs come back online

V. 🕶️ EDR Silencing Methods (25 min) — Ryan

Goal: Disable EDR telemetry without killing the agent.

  • 📡 Silencing techniques:
  • Add-DnsClientNrptRule
  • GenericDNSServers registry key
  • (If time) PendingFileRenameOperations
  • ✅ Verify agent stays "alive" but blind

☕ BREAK (15 min)

Take a breather. Stretch. Reflect on what you’ve just done to that poor EDR.


VI. 🔧 Writing an EDR Killer (45 min) — Aaron

Goal: Create your own killer using BYOVD (Bring Your Own Vulnerable Driver)

  • 🔍 Walkthrough:
  • Analyze & edit pre-provided code snippets
  • Live code augmentation
  • Compile & test
  • 💀 Use custom code to destroy OpenEDR
  • 🔬 Discussion:
  • Readily-available tools vs. DIY bypasses

VII. 🤫 Writing an EDR Silencer (45 min) — Aaron

Goal: Quiet the EDR via code — not commands.

  • 🧠 Strategy:
  • Use API calls to avoid detection
  • Replace LOLBins with low-noise native methods
  • 🛠️ Live lab:
  • Modify and compile silencer code
  • Test against OpenEDR agent
  • 🧩 Takeaways:
  • Code-level silencing = longer dwell time

VIII. 🎤 Wrap-Up (15 min) — Aaron

  • 💬 Open discussion & Q&A
  • 🧭 What’s next for Aaron & Ryan
  • 👋 Goodbyes & DEFCON love
  • 💀 #RansomwareSucks stickers and war stories encouraged

Core symbols most depended-on inside this repo

Shape

Function 76
Class 2

Languages

C++74%
Go26%

Modules by API surface

2-custom-edr-evasion/2-Custom-API/c++/unload-dlls.cpp10 symbols
2-custom-edr-evasion/1-Custom-BYOD/driver-dumper/main.cpp10 symbols
2-custom-edr-evasion/2-Custom-API/golang/catwatch.go9 symbols
2-custom-edr-evasion/2-Custom-API/c++/detect-att.cpp6 symbols
2-custom-edr-evasion/2-Custom-API/c++/detect-hooks-dlls.cpp5 symbols
2-custom-edr-evasion/1-Custom-BYOD/nikito/dump-that-lsass-nikito.cpp5 symbols
2-custom-edr-evasion/1-Custom-BYOD/dump-that-lsass.cpp5 symbols
2-custom-edr-evasion/2-Custom-API/golang/snuff-traffic.go4 symbols
2-custom-edr-evasion/2-Custom-API/c++/unhooker.cpp4 symbols
2-custom-edr-evasion/1-Custom-BYOD/driver-dumper/offset-calc/offset-calc.cpp4 symbols
2-custom-edr-evasion/1-Custom-BYOD/driver_loader.cpp3 symbols
2-custom-edr-evasion/2-Custom-API/golang/re-route.go2 symbols

For agents

$ claude mcp add defcon33_silence_kill_edr \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page