Using Minifilters to Disable EDR Systems - A Kernel-Based Attack Technique

Security BSides London via YouTube

Overview

Watch a 40-minute Security BSides London conference talk exploring advanced offensive security techniques using minifilters to bypass and disable Endpoint Detection and Response (EDR) systems. Learn about EDR architecture fundamentals and components before diving into common minifilter abuse methods for evading file system monitoring. Discover a novel technique for completely disabling EDR agents by preventing access to critical resources through PreOperation callback registration, including detailed kernel-level concepts and implementation steps. Compare the effectiveness of different minifilter exploitation approaches for concealing malicious activities and indicators of compromise. Examine defensive strategies, potential countermeasures, and methods for detecting and mitigating minifilter-based attacks. Conclude with key insights into this sophisticated offensive security approach and participate in an interactive Q&A discussion.

Syllabus

When The Hunter Becomes The Hunted: Using Minifilters To Disable EDRs - Tom Philippe

Taught by

Security BSides London
