Some new research has identified instances of deployed Endpoint Detection and Response (EDR) products being disabled and replaced by an attacker-controlled EDR product (even a free-trial copy). In at least some cases this can defeat Tamper Protection features. It shouldn't trigger panic, as you need Local Admin rights to carry out this attack (and really, all bets are off once an attacker has Local Admin), but it can be used to evade detection in ways that traditional EDR bypass techniques, which blind or unhook the existing sensor, cannot: the host still looks like it has a working EDR, just one the attacker controls. I imagine there will be more to come from this research in the coming months, as the researchers are encouraging readers to test which EDRs can be defeated by which other EDRs. I think we could eventually see each EDR vendor maintaining a blocklist of competing EDRs, but given that most EDRs can run in either an active or a passive mode, the mere presence of a second EDR isn't a clean signal, so this isn't straightforward (and could be seen as an anti-competitive practice). Messy! I'll be watching this space.
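A host-side check a defender could run against this, as an added example that is not from the newsletter or the BYOEDR research it discusses: it inventories the AV/EDR products registered with Windows Security Center, keys the allowlist on the Authenticode signer of each product's reporting binary rather than its spoofable display name, and lists recent service installs (Event ID 7045) so a swapped-in sensor can be tied to when it arrived. It assumes a Windows client SKU (the root/SecurityCenter2 namespace is not present on Windows Server), and the allowlist entries are hypothetical placeholders to replace with your own vendor.

```powershell
# Added example (not from the newsletter or the BYOEDR research it discusses).
# Flags any security product registered with Security Center whose reporting
# binary is not signed by an approved vendor, and pulls recent service installs
# to correlate. Assumes a Windows client SKU; allowlist entries are hypothetical.

$ApprovedSignerPatterns = @(
    'O=Microsoft Corporation',   # Windows Defender (MsMpEng.exe)
    'O=Example EDR Vendor Inc.'  # hypothetical: your contracted EDR vendor
)

function Get-RegisteredSecurityProducts {
    # Security Center lists every product registered as an AV (EDR agents usually
    # register too). productState is a bitmask; the middle byte of its 6-digit hex
    # form is 10 or 11 when the product reports itself as enabled.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = ([Convert]::ToString([int]$_.productState, 16)).PadLeft(6, '0')
            $exe = [Environment]::ExpandEnvironmentVariables($_.pathToSignedReportingExe)
            $signer = 'UNVERIFIABLE'   # e.g. a pseudo-path such as windowsdefender://
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
                else { $signer = "INVALID:$($sig.Status)" }
            }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                Enabled      = $hex.Substring(2, 2) -in @('10', '11')
                ReportingExe = $exe
                Signer       = $signer
            }
        }
}

function Test-SecurityProductAllowlist {
    param([string[]]$ApprovedPatterns = $ApprovedSignerPatterns)
    foreach ($p in Get-RegisteredSecurityProducts) {
        $approved = $false
        foreach ($pat in $ApprovedPatterns) {
            if ($p.Signer -like "*$pat*") { $approved = $true; break }
        }
        $p | Add-Member -NotePropertyName Approved -NotePropertyValue $approved -PassThru
    }
}

function Get-RecentServiceInstalls {
    param([int]$Days = 7)
    # Event 7045: "A service was installed in the system." Properties are
    # ServiceName, ImagePath, ServiceType, StartType, AccountName. A new EDR
    # typically shows up here as both a user-mode service and a kernel driver.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7045; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            ServiceType = $_.Properties[2].Value
        }
    }
}

$products = Test-SecurityProductAllowlist
$products | Format-Table DisplayName, Enabled, Approved, Signer -AutoSize

$unexpected = $products | Where-Object { -not $_.Approved -or -not $_.Enabled }
if ($unexpected) {
    Write-Warning "Unapproved or disabled security product registered on $env:COMPUTERNAME"
    Get-RecentServiceInstalls | Format-Table -AutoSize
}
```

Treat the result as an indicator to ship to a central place, not a control: the Security Center registration and the System event log are writable by the same Local Admin the attack requires, so the authoritative signal is your own EDR console reporting that an agent has stopped checking in, and this script is a way to explain why when it does.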
EDR-on-EDR Violence: An Accidental Offshoot of our RMM Abuse Research (BYOEDR) | by Mike Manrod | Jul, 2025 | Medium