sbousseaden/edrunchoker — explained in plain English
Analysis updated 2026-05-18
Protect a Windows endpoint from having its security agent's network traffic silently throttled.
Log removed malicious QoS policies to the Windows event log for security monitoring tools.
Check whether the fileless defense is currently active and how many policies it is watching.
| sbousseaden/edrunchoker | zaxardery8011-design/soplint | zy-zmc/tianming-skill | |
|---|---|---|---|
| Stars | 35 | 39 | 27 |
| Language | PowerShell | PowerShell | PowerShell |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 3/5 | 3/5 | 3/5 |
| Audience | ops devops | developer | writer |
Figures from each repo's GitHub metadata at analysis time.
Runs fileless via WMI subscriptions, the README recommends also monitoring with Sysmon to detect tampering.
EDRUnChoker is a PowerShell tool that defends against a specific type of attack on security software. The attack it counters, called EDRChoker, works by quietly throttling the network traffic of endpoint security agents down to nearly nothing. Endpoint security agents are programs that monitor a Windows machine for threats and report activity to a central security system. By choking their bandwidth, an attacker can make them effectively blind without visibly disabling them. The defense runs without writing any files to disk. It uses a Windows feature called WMI subscriptions to run a small embedded script every five seconds in the background. That script scans Windows network quality-of-service policies for any that look malicious: ones targeting known security products or capping bandwidth to 1 Mbps or less, which is far too low for any legitimate use. When it finds a bad policy, it removes it automatically. Three scripts ship with the project. One installs the defense, one uninstalls it, and one checks whether the defense is currently active and how many policies it is watching. Running the install and status scripts is the complete setup process. Every time the defense removes a malicious policy, it writes a warning event to the Windows Application event log under the source name EDRChokerDefense. Security teams can forward those events to tools like Splunk or Elastic Agent for an audit trail. The README lists four event IDs covering install, uninstall, policy removal, and remediation failures. The README also warns that attackers may try to delete or modify the WMI objects that power this defense. It recommends monitoring for those changes using Sysmon, a free Microsoft utility, and running periodic checks to confirm the defense is still in place.
A PowerShell defense tool that detects and removes malicious network throttling policies used to blind endpoint security agents.
Mainly PowerShell. The stack also includes PowerShell, WMI.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.