whatisgithub

What is edrunchoker?

sbousseaden/edrunchoker — explained in plain English

Analysis updated 2026-05-18

35PowerShellAudience · ops devopsComplexity · 3/5Setup · moderate

In one sentence

A PowerShell defense tool that detects and removes malicious network throttling policies used to blind endpoint security agents.

Mindmap

mindmap
  root((EDRUnChoker))
    What it does
      Detects EDR throttling attacks
      Removes malicious QoS policies
      Runs fileless via WMI
    Tech stack
      PowerShell
      WMI subscriptions
      Windows event log
    Use cases
      Endpoint defense
      Security audit logging
      Status monitoring
    Audience
      Security engineers
      Windows administrators

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Protect a Windows endpoint from having its security agent's network traffic silently throttled.

USE CASE 2

Log removed malicious QoS policies to the Windows event log for security monitoring tools.

USE CASE 3

Check whether the fileless defense is currently active and how many policies it is watching.

What is it built with?

PowerShellWMI

How does it compare?

sbousseaden/edrunchokerzaxardery8011-design/soplintzy-zmc/tianming-skill
Stars353927
LanguagePowerShellPowerShellPowerShell
Setup difficultymoderatemoderatehard
Complexity3/53/53/5
Audienceops devopsdeveloperwriter

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Runs fileless via WMI subscriptions, the README recommends also monitoring with Sysmon to detect tampering.

So what is it?

EDRUnChoker is a PowerShell tool that defends against a specific type of attack on security software. The attack it counters, called EDRChoker, works by quietly throttling the network traffic of endpoint security agents down to nearly nothing. Endpoint security agents are programs that monitor a Windows machine for threats and report activity to a central security system. By choking their bandwidth, an attacker can make them effectively blind without visibly disabling them. The defense runs without writing any files to disk. It uses a Windows feature called WMI subscriptions to run a small embedded script every five seconds in the background. That script scans Windows network quality-of-service policies for any that look malicious: ones targeting known security products or capping bandwidth to 1 Mbps or less, which is far too low for any legitimate use. When it finds a bad policy, it removes it automatically. Three scripts ship with the project. One installs the defense, one uninstalls it, and one checks whether the defense is currently active and how many policies it is watching. Running the install and status scripts is the complete setup process. Every time the defense removes a malicious policy, it writes a warning event to the Windows Application event log under the source name EDRChokerDefense. Security teams can forward those events to tools like Splunk or Elastic Agent for an audit trail. The README lists four event IDs covering install, uninstall, policy removal, and remediation failures. The README also warns that attackers may try to delete or modify the WMI objects that power this defense. It recommends monitoring for those changes using Sysmon, a free Microsoft utility, and running periodic checks to confirm the defense is still in place.

Copy-paste prompts

Prompt 1
Walk me through installing EDRUnChoker on a Windows endpoint.
Prompt 2
Explain how the EDRChoker attack throttles endpoint security agent traffic.
Prompt 3
Show me how EDRUnChoker's WMI subscription scans for malicious QoS policies.
Prompt 4
Help me forward EDRUnChoker's event log entries to Splunk or Elastic Agent.

Frequently asked questions

What is edrunchoker?

A PowerShell defense tool that detects and removes malicious network throttling policies used to blind endpoint security agents.

What language is edrunchoker written in?

Mainly PowerShell. The stack also includes PowerShell, WMI.

How hard is edrunchoker to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is edrunchoker for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.