Telemetry Sourcerer
Introduction
Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
Red teamers and security enthusiasts can use this tool in a lab environment to:
- Identify collection-based blind spots in the products they're up against.
- Determine which sources of telemetry generate particular types of events.
- Validate whether using the tool's tampering capabilities can lead to detection.
For details on building a private lab, consider reading my post on Diverting EDR Telemetry to Private Infrastructure.
OPSEC WARNING: Although it's possible to use this in targeted environments, there are OPSEC risks when using any offensive security tool as is. You can instead leverage the code from this project into your own tooling for operational use and combine with other techniques to reduce the footprint it creates.
Features
- Enumerates various kernel-mode callbacks with the ability to suppress them.
- Detects inline user-mode hooks within the process, with the ability to unhook them.
- Lists ETW sessions and providers while highlighting potentially relevant ones to disable.
Screenshots
Usage Instructions
- Download the latest release.
- Extract files.
- Launch the executable (run elevated for kernel-mode callbacks or more ETW sessions).
Kernel-mode Callbacks
To view kernel-mode callbacks, the tool needs to be run with elevated privileges to load a driver. The driver does not come signed, so consider enabling test signing mode, temporarily disabling driver signature enforcement (DSE), or signing the driver with a valid certificate:
Test Signing Mode
- Disable BitLocker and Secure Boot.
- Open an elevated Command Prompt window.
- Enter
bcdedit.exe -set TESTSIGNING ON
. - Reboot system.
- Launch Telemetry Sourcerer with elevated privileges.
KDU
Disable DSE withgit clone https://github.com/hfiref0x/KDU.git
- Open an elevated Command Prompt window.
- Enter
kdu -dse 0
to disable DSE. - Launch Telemetry Sourcerer with elevated privileges.
- Enter
kdu -dse 6
to enable DSE.
This option may be incompatible with KPP on Windows 8.1+.
Sign Driver
- Get SignTool from the Windows SDK and an appropriate cross-certificate from Microsoft Docs.
signtool sign /a /ac "cross-cert.cer" /f "cert.pfx" /p "password" TelemetrySourcererDriver.sys
- Launch Telemetry Sourcerer with elevated privileges.
Caveats and Limitations
- This tool is meant for research purposes only and is not OPSEC-safe for production use.
- Compiled with Visual Studio 2019 using the Windows 10 SDK (10.0.19041.0) and WDK (2004).
- Currently does not look for IAT/EAT user-mode hooks, or kernel-mode hooks.
- The driver has not been thoroughly tested for abuse cases.
- Tested on Windows 7 and 10 (x64) only.
Credits
This tool was developed by @Jackson_T but builds upon the work of others:
- @gentilkiwi and @fdiskyou for driver code that enumerates callback functions.
- @0x00dtm for the inline user-mode hook comparison logic.
Related Articles and Projects
- @matterpreter: Mimidrv In Depth: Exploring Mimikatzβs Kernel Driver
- @fdiskyou: Windows Kernel Ps Callbacks Experiments
- @matteomalvica: Silencing the EDR. How to disable process, threads and image-loading detection callbacks.
- @0x00dtm: Defeating Userland Hooks (ft. Bitdefender) (Code)
- @palantir: Tampering with Windows Event Tracing: Background, Offense, and Defense
Licence
This project is licensed under the Apache License 2.0.