git404hub

what is edrunchoker fr?

sbousseaden/edrunchoker — explained in plain English

Analysis updated 2026-05-18

35PowerShellAudience · ops devopsComplexity · 3/5Setup · moderate

tl;dr

A PowerShell defense tool that detects and removes malicious network throttling policies used to blind endpoint security agents.

vibe map

mindmap
  root((EDRUnChoker))
    What it does
      Detects EDR throttling attacks
      Removes malicious QoS policies
      Runs fileless via WMI
    Tech stack
      PowerShell
      WMI subscriptions
      Windows event log
    Use cases
      Endpoint defense
      Security audit logging
      Status monitoring
    Audience
      Security engineers
      Windows administrators

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Protect a Windows endpoint from having its security agent's network traffic silently throttled.

VIBE 2

Log removed malicious QoS policies to the Windows event log for security monitoring tools.

VIBE 3

Check whether the fileless defense is currently active and how many policies it is watching.

what's the stack?

PowerShellWMI

how it stacks up fr

sbousseaden/edrunchokerwpeace-hch/wpegpt-analyzerrefrainwww/codex-windows-computer-use
Stars353631
LanguagePowerShellPowerShellPowerShell
Setup difficultymoderatehardmoderate
Complexity3/54/53/5
Audienceops devopsresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Runs fileless via WMI subscriptions, the README recommends also monitoring with Sysmon to detect tampering.

in plain english

EDRUnChoker is a PowerShell tool that defends against a specific type of attack on security software. The attack it counters, called EDRChoker, works by quietly throttling the network traffic of endpoint security agents down to nearly nothing. Endpoint security agents are programs that monitor a Windows machine for threats and report activity to a central security system. By choking their bandwidth, an attacker can make them effectively blind without visibly disabling them. The defense runs without writing any files to disk. It uses a Windows feature called WMI subscriptions to run a small embedded script every five seconds in the background. That script scans Windows network quality-of-service policies for any that look malicious: ones targeting known security products or capping bandwidth to 1 Mbps or less, which is far too low for any legitimate use. When it finds a bad policy, it removes it automatically. Three scripts ship with the project. One installs the defense, one uninstalls it, and one checks whether the defense is currently active and how many policies it is watching. Running the install and status scripts is the complete setup process. Every time the defense removes a malicious policy, it writes a warning event to the Windows Application event log under the source name EDRChokerDefense. Security teams can forward those events to tools like Splunk or Elastic Agent for an audit trail. The README lists four event IDs covering install, uninstall, policy removal, and remediation failures. The README also warns that attackers may try to delete or modify the WMI objects that power this defense. It recommends monitoring for those changes using Sysmon, a free Microsoft utility, and running periodic checks to confirm the defense is still in place.

prompts (copy fr)

prompt 1
Walk me through installing EDRUnChoker on a Windows endpoint.
prompt 2
Explain how the EDRChoker attack throttles endpoint security agent traffic.
prompt 3
Show me how EDRUnChoker's WMI subscription scans for malicious QoS policies.
prompt 4
Help me forward EDRUnChoker's event log entries to Splunk or Elastic Agent.

Frequently asked questions

what is edrunchoker fr?

A PowerShell defense tool that detects and removes malicious network throttling policies used to blind endpoint security agents.

What language is edrunchoker written in?

Mainly PowerShell. The stack also includes PowerShell, WMI.

How hard is edrunchoker to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is edrunchoker for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.