jthuraisamy / TelemetrySourcerer

Enumerate and disable common sources of telemetry used by AV/EDR.
Apache License 2.0

Telemetry Sourcerer

Introduction

Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.

Red teamers and security enthusiasts can use this tool in a lab environment to:

For details on building a private lab, consider reading my post on Diverting EDR Telemetry to Private Infrastructure.

OPSEC WARNING: Although it is possible to use this in targeted environments, running any offensive security tool as-is carries OPSEC risk. Instead, incorporate the code from this project into your own tooling for operational use and combine it with other techniques to reduce the footprint it creates.

Features

Screenshots

Usage Instructions

  1. Download the latest release.
  2. Extract files.
  3. Launch the executable (run it elevated to enumerate kernel-mode callbacks and to see ETW sessions that are not visible to a standard user).

Kernel-mode Callbacks

To view kernel-mode callbacks, the tool needs to be run with elevated privileges so it can load a driver. The driver ships unsigned, so Windows will refuse to load it while driver signature enforcement (DSE) is active. In a lab, either enable test signing mode, temporarily disable DSE, or sign the driver with a valid certificate:

Test Signing Mode

  1. Suspend or disable BitLocker and disable Secure Boot (bcdedit refuses to set TESTSIGNING while Secure Boot is on, and changing the boot configuration of a BitLocker-protected volume triggers a recovery prompt).
  2. Open an elevated Command Prompt window.
  3. Enter bcdedit.exe -set TESTSIGNING ON.
  4. Reboot system.
  5. Launch Telemetry Sourcerer with elevated privileges.
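The steps above, as an added example script that is not part of the TelemetrySourcerer project: it checks the two preconditions that make `bcdedit` fail or BitLocker go into recovery, suspends BitLocker for one reboot instead of decrypting the volume, and only then sets TESTSIGNING. The OS drive letter is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the TelemetrySourcerer project): pre-flight checks before
# enabling test signing so the unsigned driver can be loaded in a lab VM.
#Requires -RunAsAdministrator

function Test-SecureBootOff {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, where Secure Boot cannot be on.
    try { -not (Confirm-SecureBootUEFI) } catch { $true }
}

function Get-TestSigningState {
    # bcdedit prints "testsigning             Yes" when the option is set on {current}.
    # The braces are quoted so PowerShell does not parse them as a script block.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
}

function Enable-TestSigning {
    param([string]$OsDrive = 'C:')   # assumption: the BitLocker-protected OS volume

    if (-not (Test-SecureBootOff)) {
        throw 'Secure Boot is enabled; bcdedit will refuse to set TESTSIGNING. Disable it in firmware first.'
    }

    # Boot configuration changes alter the measurements BitLocker seals against, so
    # suspending the protectors for one reboot avoids the recovery prompt without decrypting.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
        Write-Host "BitLocker protection on $OsDrive suspended for the next reboot."
    }

    if (Get-TestSigningState) {
        Write-Host 'Test signing is already on; launch TelemetrySourcerer elevated.'
        return
    }

    & bcdedit.exe /set TESTSIGNING ON
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host 'Test signing enabled. Reboot, then launch TelemetrySourcerer elevated.'
}

Enable-TestSigning
```

After the reboot the desktop shows a "Test Mode" watermark, which is the quickest visual confirmation that the setting took effect; `Get-TestSigningState` gives the same answer from a script. Remember that test signing mode itself is a loud artefact, which is why this belongs in a lab and not on a target.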

Disable DSE with KDU

  1. git clone https://github.com/hfiref0x/KDU.git
  2. Open an elevated Command Prompt window.
  3. Enter kdu -dse 0 to disable DSE.
  4. Launch Telemetry Sourcerer with elevated privileges.
  5. Enter kdu -dse 6 to re-enable DSE once the driver is loaded.

KDU disables DSE by patching the code-integrity options in kernel memory, which Kernel Patch Protection (KPP, also known as PatchGuard) monitors. On Windows 8.1 and later this can bugcheck the machine, so this option may be incompatible with KPP; re-enable DSE as soon as the driver is loaded and use this path only in a lab.

Sign Driver

  1. Get SignTool from the Windows SDK and an appropriate cross-certificate from Microsoft Docs.
  2. signtool sign /fd SHA256 /a /ac "cross-cert.cer" /f "cert.pfx" /p "password" TelemetrySourcererDriver.sys
  3. Launch Telemetry Sourcerer with elevated privileges.

Note that Microsoft ended its kernel-mode cross-certificate program in 2021, and on Windows 10 version 1607 and later with Secure Boot enabled only drivers signed by Microsoft through the Hardware Dev Center (attestation or WHQL signing) will load. A cross-signed driver therefore only loads on such systems when Secure Boot is off, which in practice makes this the least convenient of the three options for a lab.
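The signing step, as an added example that is not part of the TelemetrySourcerer project: it signs the driver and then verifies the result against the kernel-mode driver signing policy (`signtool verify /kp`) so that a certificate that chains to the wrong root is caught here rather than as a load failure later. The SDK path, certificate paths and the timestamp server URL are assumptions; the signtool switches are documented ones.

```powershell
# Added example (not from the TelemetrySourcerer project): sign the driver and
# verify it under the kernel-mode policy before trying to load it.
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'  # assumption: SDK path
$CrossCert = 'C:\Certs\cross-cert.cer'       # assumption
$Pfx       = 'C:\Certs\cert.pfx'             # assumption
$Driver    = '.\TelemetrySourcererDriver.sys'
$Timestamp = 'http://timestamp.digicert.com'  # assumption: any RFC 3161 timestamp server works

function Invoke-DriverSigning {
    param(
        [string]$Pfx,
        [SecureString]$Password,
        [string]$CrossCert,
        [string]$Driver
    )
    # signtool needs the password in clear text; keep it out of the command history
    # by prompting for it as a SecureString and unwrapping it only here.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # /fd SHA256: SHA-2 file digest, as required for kernel-mode signatures;
    # /tr + /td: RFC 3161 timestamp so the signature stays valid after the cert expires.
    & $SignTool sign /fd SHA256 /a /ac $CrossCert /f $Pfx /p $plain `
        /tr $Timestamp /td SHA256 $Driver
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # /kp: verify with the kernel-mode driver signing policy instead of the default
    # Authenticode policy, which accepts certificates the kernel would reject.
    & $SignTool verify /v /kp $Driver
    if ($LASTEXITCODE -ne 0) { throw 'Driver does not satisfy the kernel-mode signing policy' }

    # Independent check via the built-in cmdlet; Status should be Valid.
    Get-AuthenticodeSignature -FilePath $Driver |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Invoke-DriverSigning -Pfx $Pfx -Password $pw -CrossCert $CrossCert -Driver $Driver
```

If `verify /kp` fails while the default `signtool verify` succeeds, the certificate chain is acceptable for user-mode Authenticode but not for kernel drivers, which is exactly the situation the cross-certificate (or Microsoft attestation signing) exists to fix.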

Caveats and Limitations

Credits

This tool was developed by @Jackson_T but builds upon the work of others:

Related Articles and Projects

Licence

This project is licensed under the Apache License 2.0.