Master of Puppets Part II - How to tamper the edr?

A talk about strategies how to tamper edr products under Windows. Also as administrator it isn't always as easy to find a way to bypass good edr products. For example, you were able to comprise your first host in the target network and you also where able to escalate to a local admin. On the host you see, that there are open high integrity processes from an domain admin and you want to steal the token of the da or dump the lsass process. But also as admin you are note allowed to disable the edr because it is password protected. Instead of bypassing the edr we try to find a more or less general path to tamper edr products in user space and kernel space, that we as red teamers are able to avoid prevention, detection, telemtry collection by the edr, host isolation by the edr and edr repairing of a partly tampered edr system. To learn about the strategies we have a closer look at the different components from edr products in user space and kernel space under Windows. We try step by step to understand the relationship between the differente components (processes, services, reg keys, callbacks, drivers etc.) and by that we try to find a way to completely disable an edr product by tampering necessary components from the edr.