Enumerate and disable common sources of telemetry used by AV/EDR.
Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
Red teamers and security enthusiasts can use this tool in a lab environment to:
For details on building a private lab, consider reading my post on Diverting EDR Telemetry to Private Infrastructure.
OPSEC WARNING: Although it's possible to use this in targeted environments, there are OPSEC risks when using any offensive security tool as-is. You can instead incorporate the code from this project into your own tooling for operational use and combine it with other techniques to reduce the footprint it creates.
To view kernel-mode callbacks, the tool needs to be run with elevated privileges to load a driver. The driver does not come signed, so consider enabling test signing mode, temporarily disabling driver signature enforcement (DSE), or signing the driver with a valid certificate:
Enable test signing mode (requires a reboot):
bcdedit.exe -set TESTSIGNING ON

Or temporarily disable DSE with KDU:
git clone https://github.com/hfiref0x/KDU.git
kdu -dse 0    (disable DSE)
kdu -dse 6    (enable DSE again)

Or sign the driver with a valid certificate:
signtool sign /a /ac "cross-cert.cer" /f "cert.pfx" /p "password" TelemetrySourcererDriver.sys
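From the defender's side, the conditions the steps above create on a host (test signing mode switched on, a kernel driver running without a valid signature) are worth auditing for. The following PowerShell script is an added example, not part of Telemetry Sourcerer or KDU; the function names are my own, and it assumes an elevated prompt on Windows with PowerShell 5.1 or later.

```powershell
# Added example, not part of Telemetry Sourcerer. Audits a host for the two
# conditions the driver-loading instructions above rely on: test signing mode
# enabled, and a kernel driver running without a valid signature.
# Run from an elevated PowerShell prompt; function names are my own.

function Get-TestSigningState {
    # bcdedit lists "testsigning   Yes" in the current boot entry when it is on;
    # the line is absent when the setting has never been changed (default: off).
    $out = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    $m = [regex]::Match($out, '(?im)^\s*testsigning\s+(\S+)')
    if ($m.Success) { return ($m.Groups[1].Value -eq 'Yes') }
    return $false
}

function Get-UnsignedRunningDrivers {
    # Win32_SystemDriver exposes every kernel driver and its image path. Resolve
    # the NT-style prefixes the path may carry, then check the Authenticode
    # signature of each running driver. Catalog-signed inbox drivers report
    # "Valid" on current PowerShell, so anything else deserves a look,
    # "NotSigned" above all.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''          # strip \??\
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                }
            }
        }
}

# Report the findings.
if (Get-TestSigningState) {
    Write-Warning 'Test signing mode is enabled on the current boot entry.'
}
$unsigned = @(Get-UnsignedRunningDrivers)
if ($unsigned.Count -gt 0) {
    Write-Warning "$($unsigned.Count) running driver(s) without a valid signature:"
    $unsigned | Format-Table -AutoSize
} else {
    'All running drivers carry a valid signature.'
}
```

The bcdedit check only covers the boot entry that is currently active; a DSE change made at runtime through a tool such as KDU leaves the boot configuration untouched, which is why the second function looks at what is actually loaded rather than at the configured policy.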
This tool was developed by @Jackson_T but builds upon the work of others:
This project is licensed under the Apache License 2.0.