redttps

Free antivirus to kill EDRs

Description

It appears that some endpoint security solutions can be leveraged to disable other endpoint detection and response (EDR) products without generating any alerts, even when using a free trial environment


Steps

  1. Go to https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_content=amp-free-trial and register for a free trial
  2. Install the agent on your target machine (requires local admin)
  3. In the console, navigate to Management > Policies
  4. Search for "Protect", and click the one for Windows
  5. Select the "Exclusions" tab, and remove all of them
  6. Next, identify the SHA256 of the EDR process you are targeting either on the host or through the Cisco console
  7. Navigate to "Outbreak Control" > "Blocked Application"
  8. Click edit on the "Blocked Application List"
  9. Enter the SHA256, and click "Add"

Reference: https://github.com/CroodSolutions/AutoRMM/tree/main/-%20EDR-on-EDR%20Violence