EDRChoker Tool Disrupts Endpoint Detection Using Windows QoS Policies
Severity: Medium (Score: 48.9)
Sources: Cybersecuritynews, Gbhackers
Published: · Updated:
Keywords: edrchoker, tool, endpoint, newly, novel, detection, response
Summary
The EDRChoker tool, recently released as an open-source red team utility, disrupts Endpoint Detection and Response (EDR) systems by manipulating Windows' Policy-Based Quality of Service (QoS) settings. This innovative method reduces network bandwidth to near-zero, effectively silencing EDR agents without traditional evasion techniques like process termination or code injection. Developed by security researcher @TwoSevenOneT, EDRChoker poses a significant threat to organizations relying on cloud-connected EDR solutions. The tool's unique approach is gaining attention in the cybersecurity community, highlighting the need for enhanced defenses against such tactics. Currently, there are no specific CVEs associated with this tool, but its implications for endpoint security are considerable. Key Points: • EDRChoker disrupts EDR systems by choking network bandwidth using Windows QoS. • The tool is open-source and developed by researcher @TwoSevenOneT. • Organizations using cloud-connected EDR solutions are particularly vulnerable.
Detailed Analysis
**Impact** Organizations using cloud-connected Endpoint Detection and Response (EDR) solutions on Windows systems are affected by this technique. The tool can severely degrade EDR network communication, potentially leading to blind spots in endpoint security monitoring. No specific sectors, geographies, or data loss incidents are detailed in the articles. **Technical Details** EDRChoker leverages Windows Policy-Based Quality of Service (QoS) settings to throttle network bandwidth of EDR agents to near zero, disrupting their telemetry without terminating processes or injecting code. This method differs from traditional evasion techniques such as firewall or Windows Filtering Platform (WFP) rule manipulation. No CVEs or specific infrastructure details are provided. The tool is used during the reconnaissance or lateral movement phases to reduce endpoint visibility. **Recommended Response** Defenders should monitor and audit Windows QoS policy configurations for unauthorized changes affecting EDR agent traffic. Endpoint security teams should validate that EDR network communications are operating within expected parameters. No patches or specific signatures are currently available; focus on detecting anomalous QoS policy modifications and unusual network throttling behavior.
Source articles (2)
- New EDRChoker Tool Uses Policy — Cybersecuritynews · 2026-06-07
A newly released open-source red team tool called EDRChoker introduces a novel technique for silencing cloud-connected Endpoint Detection and Response (EDR) agents not by killing their processes or in… - EDRChoker Tool Abuses Windows QoS Policies to Disrupt Endpoint Security Tools — Gbhackers · 2026-06-08
A newly disclosed red-team tool dubbed “EDRChoker” is drawing attention across the cybersecurity community for its novel approach to disrupting Endpoint Detection and Response (EDR) visibility by abus…
Timeline
- 2026-06-07 — EDRChoker tool released: The open-source tool EDRChoker was introduced, utilizing Windows QoS to disrupt EDR visibility.
- 2026-06-08 — EDRChoker gains attention: The cybersecurity community is alerted to EDRChoker's novel approach to EDR disruption, emphasizing its potential impact.