Exploiting Quality of Service: A Deep Dive into the EDRChoker Evasion Technique

A sophisticated new red-teaming utility, dubbed “EDRChoker,” is currently surfacing within the cybersecurity research community. The tool demonstrates a highly creative method for neutralizing Endpoint Detection and Response (EDR) visibility by abusing legitimate Windows Quality of Service (QoS) policies.

While traditional evasion strategies often focus on firewall manipulation or injecting rules into the Windows Filtering Platform (WFP), EDRChoker operates much deeper in the Windows networking stack. Rather than attempting to “kill” a process or “block” a port—actions that trigger immediate high-fidelity alerts—it uses bandwidth throttling to effectively starve the EDR agent of the throughput required to transmit telemetry.

Modern EDR efficacy is fundamentally tied to the continuous “heartbeat” and telemetry stream between the local agent and the cloud-based management console. If an attacker can disrupt this persistent communication, the endpoint becomes a dark zone, preventing the security team from receiving alerts or executing remote response actions.

Historically, red teamers have used FwpmFilterAdd0 calls or Windows Defender Firewall rules to sever these connections. However, these methods are increasingly “noisy.” Modern detection engines, such as Elastic Defend, are specifically tuned to monitor for packet-drop events and unauthorized WFP filter injections.

EDRChoker sidesteps these detections by utilizing the Windows QoS policy framework to impose extreme bandwidth constraints on specific processes, as detailed in a recent report by Zero Salarium. By throttling a process down to as little as 8 bits per second, the connection is not “blocked” in a traditional sense, but it becomes functionally useless.

The technical nuance here lies in the failure of the TLS handshake. A standard encrypted handshake requires several kilobytes of data to exchange certificates and negotiate cryptographic parameters. When the available bandwidth is throttled to sub-kilobyte levels, these handshakes inevitably time out. To a monitoring system, this looks like a flaky, unstable network connection rather than a malicious intervention.

The engine behind this maneuver is the pacer.sys driver (the QoS Packet Scheduler), which operates at the Network Driver Interface Specification (NDIS) level. Because NDIS sits closer to the Network Interface Card (NIC) than the WFP, it can enforce traffic shaping after higher-level filtering has already occurred. This bypasses most EDR hooks, which typically focus on higher-layer application or filter platform activities.

Key Operational Characteristics:

• Automation: The tool accepts a list of EDR process names and applies unique QoS policies to each via native PowerShell/Group Policy mechanisms.
• Persistence: Because these are legitimate Windows policies, the throttling persists even after a system reboot.
• Obfuscation: Policies are identified using randomized GUID-based names, making it difficult for administrators to correlate the rules with malicious activity.
• Dual-Mode Execution: It features an “installation” mode for applying the choke and a “removal” mode to clean up rules, facilitating a professional red-team lifecycle.

Note: Because QoS policy modification is a privileged operation, this technique requires administrative or SYSTEM-level access, making robust privilege management a critical first line of defense.

Defensive Recommendations

EDRChoker highlights a critical visibility gap: most security products monitor what the network blocks, but few monitor how the network is shaped. To defend against this, security operations teams should:

1. Audit QoS Configurations: Regularly review active QoS policies on critical endpoints using Get-NetQosPolicy.
2. Monitor PowerShell Activity: Watch for suspicious use of the New-NetQosPolicy cmdlet, especially when targeting known security binaries.
3. Log Policy Changes: Enable enhanced Windows Event Logging to capture the creation of new network policies.
4. Focus on Privilege Escalation: Since this attack requires high-level permissions, detecting the initial leap to administrative access remains the most effective way to prevent this technique from being deployed.

Ultimately, EDRChoker represents a shift in adversary tradecraft: moving away from overt destruction and toward subtle, systemic degradation. As attackers continue to exploit the “grey areas” of legitimate OS functionality, defenders must extend their visibility into lower-level drivers like pacer.sys.