Ezra Woods (@shammahwoods)'s Twitter Profile
Ezra Woods

@shammahwoods

I like computers.

ID: 1801709951154589698

14-06-2024 20:15:09

1 Tweet

6 Followers

9 Following

Mike Manrod (@croodsolutions):

EDR-on-EDR Violence 1/🧵 Will called out that EDR products were being abused by threat actors. Ezra Woods & I realized a free trial of an attacker-controlled EDR can be used to kill the existing EDR. spencer mRr3b00t JS0N Haddix github.com/CroodSolutions…

Ezra Woods (@shammahwoods):

Agreed! The testing we did was for base installations with all pre-defined/built-in rules enabled for the products that have them. This is something people should implement if they haven't already, but I think it's a low bar to expect vendors to implement this by default.

Brian Almond (@bripwn):

🟣 In this week’s Weekly Purple Team episode, threat actors are flipping the script—using EDR tools against defenders. Yep, it’s EDR on EDR violence. Learn how they’re doing it & how to fight back: youtu.be/CbD8b3h4me4 Based on Research By Mike Manrod Will

Mike Manrod (@croodsolutions):

The work of @bohop, Nathan McNulty, & Bobby Cooke had us considering this problem more deeply (w/ Ezra Woods). Why is app control not taken more seriously, when we know EDR will always fail eventually when evasive tactics are used? github.com/CroodSolutions…

Ezra Woods (@shammahwoods):

Anyone who knows me will have heard my sermon on OneStart/OneLaunch/Wave at some point. Very vindicating to see an excellent analysis that firmly places it over the PUP or Malware line. Read more here: gdatasoftware.com/blog/2025/08/3…