Putting EDRs in Their Place: Killing and Silencing EDR Agents

Presented at DEF CON 33 (2025), Aug. 9, 2025, 2 p.m. (240 minutes).

Many cybercrime and APT actors kill and/or silence EDR agents in order to evade detection, allowing them to achieve their actions on objectives without notifying security teams. How do they do it? What tools do they use? How do they write those tools? What is BYOVD? If you’re interested in learning how adversaries bypass EDR platforms, this workshop is for YOU! Every student who attends this workshop will have a personal lab environment generated for them. Using the online lab environment, students will review a live EDR tool in order to become familiar with its capabilities, logging, and more. Students will then compile and run an EDR killer commonly used by major threat groups. Next, students will execute commands to silence agent-to-tenant communication, thereby preventing notification of security teams. Following the building, use, and analysis of readily available tools, students will learn how to write their own code to achieve similar ends. We will be using a combination of pre-provided code snippets and code we write in real time in order to both kill and silence the provided EDR agent. Are you ready to take your reverse engineering and coding skills to the next level? – Let’s do this! And remember: #RansomwareSucks!

Presenters:

  • Ryan "rj_chap" Chapman - Author & Instructor at SANS Institute
    Ryan Chapman is the author of SANS’ “FOR528: Ransomware and Cyber Extortion” course, teaches SANS’ “FOR610: Reverse Engineering Malware” course, works as a threat hunter @ $dayJob, and is an author for Pluralsight. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.
  • Aaron "ironcat" Rosenmund - Managing Director of Tradecraft and Programs at OnDefend
    Aaron Rosenmund is an accomplished cybersecurity professional with extensive experience in various leadership roles across multiple organizations. Currently serving as the Managing Director of Tradecraft and Programs at OnDefend since September 2024, Aaron also holds a position at the National Guard Bureau as Staff Lead for the Cyber Shield Red Team, demonstrating a commitment to enhancing cybersecurity defenses. With a background that includes significant roles at Pluralsight, where responsibilities spanned content strategy and security skills development, and the Florida Air National Guard as a Lead Cyber Operator focused on defensive operations, Aaron has developed a comprehensive skill set in threat emulation, cyber system operations, and training. Additionally, past leadership positions as CEO at Aestus Industries and Vice President at Concrete Surface Innovations underscore strong management capabilities and operational expertise. Aaron holds multiple degrees in technology and cybersecurity from respected institutions, underscoring a solid educational foundation in this field.