There are 2 main methods for bypassing an EDR:
1. Removing the DLL hooks
2. Removing the kernel callbacks
In this post, I’ll cover removing the kernel callbacks using a malicious driver.
Requirements for removing kernel callbacks
According to the blog, there are 2 options for removing the kernel callbacks:
1. Using Windows Kernel Debugger
Apparently, using this option is not ideal from an OPSEC perspective. The presence or use of the Windows Kernel Debugger would be a high-fidelity alert unless a r…