remove AV/EDR with physical access.
tl;dr: unprivileged user -> Defender removal on physical machine.

With a precision of a brain surgeon wielding a chainsaw, nifo can obliterate most AV/EDR products from endpoints or servers running the worlds most popular operating system, even if they're BitLocker protected - if you have physical access to the device and it's not totally locked down (BIOS password + SecureBoot + Harddrive Password + No USB Boot).

Tools for analyzing EDR agents.

• EDR Internals for macOS and Linux @ Outflank.

Live hunting of code injection techniques.

Memhunter is an endpoint sensor tool that is specialized in detecing resident malware, improving the threat hunter analysis process and remediation times. The tool detects and reports memory-resident malware living on endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis and without needing memory dumps. The tool was designed as a replacement of memory forensic volatility plugins such as malfind and hollowfind. The idea of not requiring memory dumps helps on performing the memory resident malware threat hunting at scale, without manual analysis, and without the complex infrastructure needed to move dumps to forensic environments.

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

As of release, combination of userland (--usermode) and Kernel-land (--kernelmode) techniques were used to dump LSASS memory under EDR scrutiny, without being blocked nor generating "OS Credential Dumping"-related events in the product (cloud) console. The tests were performed on 3 distinct EDR products and were successful in each case.