🦑Disabling EDRs by File Rename Junctions (Crowdstrike)

PendingFileRenameOperations allows applications to create file rename operations by creating a registry entry under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Initially I attempted to create this entry, pointing it towards the EDR binary as such in PowerShell, based on the StackOverflow thread.

➡️ Powershell start :

new-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "PendingFileRenameOperations" -Value $($((Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations) + "\??\C:\Program Files\<EDR_PATH>.exe`0`0") -type MultiString -Force | Out-Null

➡️ Powershell end.

⚠️ This works for AVs/EDRs without anti-tampering. Security products with anti-tampering can use [CmRegisterCallbackEx](https://lnkd.in/dmCGSwnX) to monitor and block registry operations from the kernel. A kernel driver could block registry keys from being created if they referenced their core services.

Using a reparse point (junction) - kudos again to sixtyvividtails - we can create a junction from: C:\program-files -> C:\Program Files\

And yet again we can create our PendingFileRenameOperations, pointing the key at the EDR binary pathed through our junction, something that most EDRs do not check. All of this of course requires Admin privileges. On the next reboot, any core EDR binaries will be renamed to "", in turn being deleted.

Ref: Simon Ngoy
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

⚠️ The Future of Enterprise #AI: Navigating Risks with #Cisco #AI Defense

https://undercodenews.com/the-future-of-enterprise-ai-navigating-risks-with-cisco-ai-defense/

@Undercode_News

The Rising Tide of #Crypto Crime: How Cybercriminals Stole 1 Billion in 2024

https://undercodenews.com/the-rising-tide-of-crypto-crime-how-cybercriminals-stole-1-billion-in-2024/

@Undercode_News

📊 #Nvidia to Build One of Israel’s Largest #AI Data Centers: A Game-Changer for #AI Innovation

https://undercodenews.com/nvidia-to-build-one-of-israels-largest-ai-data-centers-a-game-changer-for-ai-innovation/

@Undercode_News

Bridging the Gender Pay Gap in Israeli High-Tech: A Call for Equality

https://undercodenews.com/bridging-the-gender-pay-gap-in-israeli-high-tech-a-call-for-equality/

@Undercode_News

☁️ The Future of Computing: Why Edge Computing is Taking Center Stage

https://undercodenews.com/the-future-of-computing-why-edge-computing-is-taking-center-stage/

@Undercode_News

🛡️ Qbiq Secures 6M Series A Funding to Revolutionize Architectural Planning with #AI

https://undercodenews.com/qbiq-secures-6m-series-a-funding-to-revolutionize-architectural-planning-with-ai/

@Undercode_News

⚠️ Momentick Secures Million to Revolutionize Insurance with Emissions Risk Management

https://undercodenews.com/momentick-secures-million-to-revolutionize-insurance-with-emissions-risk-management/

@Undercode_News

🛡️ Israel Races to Secure #AI Chips Ahead of US Export Restrictions

https://undercodenews.com/israel-races-to-secure-ai-chips-ahead-of-us-export-restrictions/

@Undercode_News

Israel’s #AI Revolution: How the Startup Nation is Poised to Lead the Next Tech Wave

https://undercodenews.com/israels-ai-revolution-how-the-startup-nation-is-poised-to-lead-the-next-tech-wave/

@Undercode_News

Israel’s Deep Tech Boom: A Global Magnet for Innovation and Investment

https://undercodenews.com/israels-deep-tech-boom-a-global-magnet-for-innovation-and-investment/

@Undercode_News

⚡️ #Windows 10 #Update KB5048239 Stuck in Installation Loop? Here’s What Happened and How #Microsoft Fixed It

https://undercodenews.com/windows-10-update-kb5048239-stuck-in-installation-loop-heres-what-happened-and-how-microsoft-fixed-it/

@Undercode_News

⚡️ Japan’s New Supercomputer Miyabi Revolutionizes Disaster Prediction and Scientific Research

https://undercodenews.com/japans-new-supercomputer-miyabi-revolutionizes-disaster-prediction-and-scientific-research/

@Undercode_News

💳 #Intel Spins Off Venture Capital Arm Amid Financial Struggles

https://undercodenews.com/intel-spins-off-venture-capital-arm-amid-financial-struggles/

@Undercode_News

⚡️ #TikTok Faces Immediate Shutdown in the US if New Regulation Law Takes Effect

https://undercodenews.com/tiktok-faces-immediate-shutdown-in-the-us-if-new-regulation-law-takes-effect/

@Undercode_News

Steve Jobs’ Spiritual Journey: A 00,000 Letter and a Dream Fulfilled

https://undercodenews.com/steve-jobs-spiritual-journey-a-00000-letter-and-a-dream-fulfilled/

@Undercode_News

Revolutionizing Eye Care: How Forus Health is Tackling India’s Vision Crisis with Innovation

https://undercodenews.com/revolutionizing-eye-care-how-forus-health-is-tackling-indias-vision-crisis-with-innovation/

@Undercode_News

How a Voice Artist Turned a Spam Call into a Viral Comedy Sensation

https://undercodenews.com/how-a-voice-artist-turned-a-spam-call-into-a-viral-comedy-sensation/

@Undercode_News

📱 Navigating the Maha Kumbh Mela 2025: Esri India’s Innovative Web App Enhances Pilgrim Experience

https://undercodenews.com/navigating-the-maha-kumbh-mela-2025-esri-indias-innovative-web-app-enhances-pilgrim-experience/

@Undercode_News