Tuesday, May 17, 2022

Detecting EDR Bypass: Malicious Drivers (Kernel Callbacks)

There are two main methods for bypassing an EDR:

1. Removing the DLL hooks
2. Removing the kernel callbacks

In this post, I’ll cover removing the kernel callbacks using a malicious driver.

Requirements for removing kernel callbacks

According to the blog, there are two options for removing the kernel callbacks:

1. Using Windows Kernel Debugger

Apparently, using this option is not ideal from an OPSEC perspective. The presence or use of the Windows Kernel Debugger would be a high-fidelity alert unless a r…
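As an added example (this is not code from the original post or from the blog it cites), the following PowerShell triage script checks a host for the two signals this post points at: a boot entry with kernel debugging enabled, and kernel-mode driver services installed recently, which is the footprint a malicious driver leaves before it can touch the callback arrays. The seven-day window and the "expected under System32\drivers" heuristic are assumptions chosen for illustration, not a detection standard.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session on Windows. The 7-day window and the System32\drivers "expected
# location" check are illustrative assumptions.

# Signal 1: kernel debugging enabled on the current boot entry. bcdedit prints
# "debug  Yes" when /debug on has been set; a kernel debugger cannot attach
# without it. Returns $null if the BCD store could not be read (needs admin).
function Test-KernelDebugEnabled {
    $bcd = & bcdedit /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    return [bool]($bcd | Select-String -Pattern '^\s*debug\s+Yes\s*$' -Quiet)
}

# Pull EventData fields by name from an event record so the script does not
# depend on the positional order of the Properties collection.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Signal 2: Service Control Manager event 7045 ("A service was installed in
# the system") with ServiceType "kernel mode driver". A driver that will strip
# EDR callbacks has to be registered and loaded first; a new driver service
# whose image lives outside System32\drivers is the case worth triaging.
function Get-RecentKernelDriverInstalls {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap -Event $_
            if ($d['ServiceType'] -notmatch 'kernel mode driver') { return }
            [pscustomobject]@{
                Time               = $_.TimeCreated
                ServiceName        = $d['ServiceName']
                ImagePath          = $d['ImagePath']
                StartType          = $d['StartType']
                InstalledBy        = $d['AccountName']
                # Heuristic only: legitimate drivers are almost always staged
                # into System32\drivers; anything else deserves a second look.
                OutsideDriverStore = ($d['ImagePath'] -notmatch '(?i)system32\\drivers\\')
            }
        }
}

$debug = Test-KernelDebugEnabled
if ($null -eq $debug) { Write-Warning 'Could not read the BCD store; rerun elevated.' }
elseif ($debug)       { Write-Warning 'Kernel debugging is ENABLED on the current boot entry.' }
else                  { Write-Host 'Kernel debugging: off' }

$drivers = @(Get-RecentKernelDriverInstalls -Days 7)
"{0} kernel driver service(s) installed in the last 7 days" -f $drivers.Count
$drivers | Sort-Object Time -Descending |
    Format-Table Time, ServiceName, ImagePath, OutsideDriverStore -AutoSize
```

Expect noise from legitimate driver installs (EDR agent updates, GPU and chipset drivers), so treat the output as a triage list rather than an alert on its own. Event 7045 records only the service registration; if Sysmon is deployed, its driver-load event (ID 6) adds the image hash and signature status for the same driver, which is the field you want when deciding whether a flagged driver is a known-vulnerable signed driver or a custom one.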
