
FileRenameJunctionsEDRDisable
We can create our PendingFileRenameOperations, pointing the key at the #EDR binary pathed through our junction, something that most EDRs do not check. All of this of course requires Admin privileges. On the next reboot, any core EDR binaries will be renamed to "", in turn being deleted. This works for AVs/EDRs without anti-tampering.
#1N73LL1G3NC3
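For defenders, an added example (not part of the original post or the tool it describes) that audits PendingFileRenameOperations before a reboot and flags delete entries whose path passes through a junction or other reparse point. The function name Get-PendingRenameAudit and the sample paths are hypothetical; the registry location is the standard Session Manager key.

```powershell
# Added defensive example; not code from the original post or the tool.
function Get-PendingRenameAudit {
    param([string[]]$Entries)  # REG_MULTI_SZ content: source, destination, source, destination, ...
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        $source = $Entries[$i] -replace '^\\\?\?\\', ''        # strip the \??\ NT prefix
        $dest   = $Entries[$i + 1] -replace '^!?\\\?\?\\', ''  # "!" marks replace-existing
        if (-not $source) { continue }
        # Walk every parent directory and record the ones that are reparse points,
        # because the entry itself only shows the path as written, not where it resolves.
        $reparse = @()
        $dir = [IO.Path]::GetDirectoryName($source)
        while ($dir) {
            $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
            if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
                $reparse += "$dir -> $($item.Target)"
            }
            $dir = [IO.Path]::GetDirectoryName($dir)
        }
        [pscustomobject]@{
            Source        = $source
            Action        = if ($dest -eq '') { 'DeleteOnReboot' } else { "RenameTo $dest" }
            ReparsePoints = $reparse
            # An empty destination means delete; a delete routed through a reparse point needs review.
            Review        = ($dest -eq '' -and $reparse.Count -gt 0)
        }
    }
}

# Live system: read the pending operations (the value is absent when nothing is pending).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
Get-PendingRenameAudit -Entries $live | Format-List

# Constructed sample (hypothetical paths): one rename entry and one delete entry.
$sample = '\??\C:\Windows\Temp\update.tmp', '!\??\C:\Windows\System32\example.dll',
          '\??\C:\ProgramData\ExampleLink\agent.exe', ''
Get-PendingRenameAudit -Entries $sample | Format-List
```

On a machine where the sample paths do not exist, ReparsePoints stays empty for the sample rows; the Review flag is only meaningful for entries read from the live registry.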