EDR-CALLBACK-REMOVEDefense Evasion

Kernel Callback Removal

After BYOVD admin, unlink PsSetCreateProcessNotifyRoutine / PsSetLoadImageNotifyRoutine entries for the EDR — process events stop firing.

§ Where this technique fits

EDR-CALLBACK-REMOVE is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
step 4 / 5

§ What commonly comes next

01
LSASS via procdump / comsvcs.dll
W-LSASS-PROCDUMP · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

BYOVD → kernel-level disable of EDR callbacks

§ What commonly comes next