VYPR
Research · Published Jun 7, 2026 · 1 source

EDRChoker Tool Silences Endpoint Security Agents by Throttling Network Bandwidth

A new open-source tool, EDRChoker, exploits Windows' native Quality of Service engine to starve Endpoint Detection and Response agents of network bandwidth, rendering them ineffective.

A novel open-source tool named EDRChoker has emerged, offering red teams a sophisticated method to disable Endpoint Detection and Response (EDR) agents without resorting to traditional process termination or code injection. Developed by security researcher @TwoSevenOneT, EDRChoker leverages Windows' built-in Policy-Based Quality of Service (QoS) engine to drastically throttle the network bandwidth allocated to EDR processes, effectively choking them to near-zero. This technique aims to sever the critical communication link between the EDR agent on an endpoint and its cloud-based command and control infrastructure.

Modern EDR solutions rely heavily on a constant, low-latency connection for telemetry collection, threat analysis, and administrative oversight. By disrupting this connection, EDRChoker renders the agent dormant, preventing it from reporting new detections, receiving policy updates, or accepting commands from security administrators. This architectural dependency on network connectivity is the primary vulnerability exploited by the tool.

Historically, attackers have attempted to disrupt EDR communications using methods like Windows Defender Firewall rules or the Windows Filtering Platform (WFP) API. However, these approaches often leave detectable forensic traces, such as packet-block or packet-drop events, which can trigger alerts on security platforms. EDRChoker sidesteps these detection mechanisms by operating at a lower level within the network stack.

The core of EDRChoker's evasion lies in its exploitation of the pacer.sys driver, an NDIS Lightweight Filter Driver. This driver functions at the Network Driver Interface Specification (NDIS) boundary, directly above the physical network interface card. This position is significantly lower in the Windows network stack than the WFP, which operates within tcpip.sys at the transport layer. Because pacer.sys intercepts network traffic before it reaches the WFP monitoring points, rules enforced by QoS throttling are largely invisible to EDR tools that rely on WFP for visibility.

To achieve its goal, EDRChoker is designed to accept a list of EDR process names. It then dynamically generates unique QoS policies for each process, incorporating a random GUID into the policy name. This ensures that each deployment of the tool creates distinct rule signatures, making it harder for security solutions to create generic detection rules. The tool is available on GitHub and offers two primary modes: an 'Install' mode to create the throttling policies and a 'Remove' mode to cleanly uninstall them.

When EDRChoker throttles a process to a mere 8 bits per second, even basic network operations like a TLS handshake, which requires kilobytes of data for certificate exchange, become impossible. The EDR agent will continuously time out while attempting to establish a connection, generating connection-dropped errors rather than the more easily detectable firewall block events. This stealthy approach allows attackers to effectively neutralize endpoint security without raising immediate alarms.
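A defender-side hunt for the kind of policy the article describes, added here as an example (it is not the article's or EDRChoker's code): it reads the Policy-based QoS policies the engine is currently enforcing with Get-NetQosPolicy and flags any that throttle a process-path match to a tiny rate or carry a GUID in the policy name. The placeholder process names, the 1 kbps threshold and the two-of-three scoring are assumptions of mine.

```powershell
# Added defensive example, not part of the article or the tool.
# Assumes the NetQos module (Get-NetQosPolicy, Windows 8 / Server 2012 and later).
# Placeholder values: replace with the binaries of the EDR agent you run.
$EdrProcesses      = @('YourEdrAgent.exe', 'YourEdrSensor.exe')   # placeholder names
$SuspiciousRateBps = 1000    # below 1 kbps a TLS handshake cannot complete (assumed threshold)
$GuidPattern       = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

function Find-SuspiciousQosPolicy {
    param(
        [string[]]$Processes = $EdrProcesses,
        [uint64]$RateThresholdBps = $SuspiciousRateBps
    )
    # ActiveStore is what the QoS engine is enforcing right now, which also
    # covers policies created locally rather than delivered by Group Policy.
    $policies = Get-NetQosPolicy -PolicyStore ActiveStore -ErrorAction SilentlyContinue
    foreach ($p in $policies) {
        $rate = [uint64]$p.ThrottleRateActionBitsPerSecond   # 0 when the policy does not throttle
        $app  = [string]$p.AppPathNameMatchCondition         # empty when not process-scoped
        $reasons = @()
        if ($rate -gt 0 -and $rate -lt $RateThresholdBps) { $reasons += "throttle=$rate bps" }
        if ($app -and ($Processes | Where-Object { $app -like "*$_" })) { $reasons += "targets $app" }
        if ($p.Name -match $GuidPattern) { $reasons += 'GUID in policy name' }
        # Require two indicators so a legitimate low-rate policy alone does not fire.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                Policy      = $p.Name
                Application = $app
                RateBps     = $rate
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousQosPolicy | Format-Table -AutoSize
```

Running this on a schedule, or alongside registry-write auditing on the Policy-based QoS store, gives visibility into a control plane that firewall-block telemetry does not cover.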

The effectiveness of EDRChoker highlights a fundamental challenge in endpoint security: the reliance on network connectivity creates a single point of failure. As threat actors increasingly target lower network stack layers to evade detection, defenders must adapt by extending their monitoring capabilities deeper into the system to maintain visibility and ensure the continued efficacy of their security tools.

Synthesized by Vypr AI