{"id":18612718,"url":"https://github.com/jthuraisamy/telemetrysourcerer","last_synced_at":"2025-04-04T15:06:59.516Z","repository":{"id":39733688,"uuid":"283627093","full_name":"jthuraisamy/TelemetrySourcerer","owner":"jthuraisamy","description":"Enumerate and disable common sources of telemetry used by AV/EDR.","archived":false,"fork":false,"pushed_at":"2021-03-11T12:22:26.000Z","size":153,"stargazers_count":788,"open_issues_count":3,"forks_count":130,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-03-28T14:06:33.563Z","etag":null,"topics":["av","edr","evasion","security-tools"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jthuraisamy.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-30T00:01:03.000Z","updated_at":"2025-03-28T09:56:57.000Z","dependencies_parsed_at":"2022-07-14T08:17:15.209Z","dependency_job_id":null,"html_url":"https://github.com/jthuraisamy/TelemetrySourcerer","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jthuraisamy%2FTelemetrySourcerer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jthuraisamy%2FTelemetrySourcerer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jthuraisamy%2FTelemetrySourcerer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jthuraisamy%2FTelemetrySourcerer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jthuraisamy","download_url":"h
ttps://codeload.github.com/jthuraisamy/TelemetrySourcerer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247198449,"owners_count":20900079,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["av","edr","evasion","security-tools"],"created_at":"2024-11-07T03:18:19.611Z","updated_at":"2025-04-04T15:06:59.486Z","avatar_url":"https://github.com/jthuraisamy.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Telemetry Sourcerer\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://www.publicdomainpictures.net/pictures/180000/nahled/wizard-with-wand.jpg\" height=\"250\" /\u003e\n\u003c/p\u003e\n\n## Introduction\n\nTelemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.\n\nRed teamers and security enthusiasts can use this tool in a lab environment to:\n\n- Identify collection-based blind spots in the products they're up against.\n- Determine which sources of telemetry generate particular types of events.\n- Validate whether using the tool's tampering capabilities can lead to detection.\n\nFor details on building a private lab, consider reading my post on [Diverting EDR Telemetry to Private Infrastructure](http://jackson-t.ca/edr-reversing-evading-03.html). \n\n\u003e **OPSEC WARNING**: Although it's possible to use this in targeted environments, there are OPSEC risks when using any offensive security tool _as is_. 
You can instead leverage the code from this project into your own tooling for operational use and combine with other techniques to reduce the footprint it creates.\n\n## Features\n\n- Enumerates various kernel-mode callbacks with the ability to suppress them.\n- Detects inline user-mode hooks within the process, with the ability to unhook them.\n- Lists ETW sessions and providers while highlighting potentially relevant ones to disable.\n\n## Screenshots\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://i.imgur.com/W6EODwb.png\" /\u003e\n  \u003cbr\u003e\u003cbr\u003e\n  \u003cimg src=\"https://i.imgur.com/WzjTNnP.png\" /\u003e\n  \u003cbr\u003e\u003cbr\u003e\n  \u003cimg src=\"https://i.imgur.com/dqwidfM.png\" /\u003e\n\u003c/p\u003e\n\n## Usage Instructions\n\n1. Download the [latest release](https://github.com/jthuraisamy/TelemetrySourcerer/releases).\n1. Extract files.\n1. Launch the executable (run elevated for kernel-mode callbacks or more ETW sessions).\n\n### Kernel-mode Callbacks\n\nTo view kernel-mode callbacks, the tool needs to be run with elevated privileges to load a driver. The driver does not come signed, so consider enabling test signing mode, temporarily disabling driver signature enforcement (DSE), or signing the driver with a valid certificate:\n\n#### Test Signing Mode\n\n1. Disable BitLocker and Secure Boot.\n1. Open an elevated Command Prompt window.\n1. Enter `bcdedit.exe -set TESTSIGNING ON`.\n1. Reboot system.\n1. Launch Telemetry Sourcerer with elevated privileges.\n\n#### Disable DSE with [KDU](https://github.com/hfiref0x/KDU)\n\n1. `git clone https://github.com/hfiref0x/KDU.git`\n1. Open an elevated Command Prompt window.\n1. Enter `kdu -dse 0` to disable DSE.\n1. Launch Telemetry Sourcerer with elevated privileges.\n1. 
Enter `kdu -dse 6` to enable DSE.\n\n\u003e This option may be [incompatible](https://github.com/hfiref0x/DSEFix#patchguard-incompatibility) with [KPP](https://en.wikipedia.org/wiki/Kernel_Patch_Protection) on Windows 8.1+.\n\n#### Sign Driver\n\n1. Get [SignTool](https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool) from the Windows SDK and an appropriate [cross-certificate](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing) from Microsoft Docs.\n1. `signtool sign /a /ac \"cross-cert.cer\" /f \"cert.pfx\" /p \"password\" TelemetrySourcererDriver.sys`\n1. Launch Telemetry Sourcerer with elevated privileges.\n\n\u003e Microsoft has since ended its kernel-mode cross-signing program and the cross-certificates have expired, so on current Windows 10 and 11 builds this route no longer produces a driver that loads with DSE enforced; production loading requires attestation signing through the Windows Hardware Dev Center, and lab use falls back to test signing or disabling DSE.\n\n## Caveats and Limitations\n\n- This tool is meant for research purposes only and is not OPSEC-safe for production use.\n- Compiled with Visual Studio 2019 using the Windows 10 SDK (10.0.19041.0) and WDK (2004).\n- Currently does not look for IAT/EAT user-mode hooks, or kernel-mode hooks.\n- The driver has not been thoroughly tested for abuse cases.\n- Tested on Windows 7 and 10 (x64) only.\n\n## Credits\n\nThis tool was developed by [@Jackson_T](https://twitter.com/Jackson_T) but builds upon the work of others:\n\n- [@gentilkiwi](https://twitter.com/gentilkiwi) and [@fdiskyou](https://twitter.com/fdiskyou) for driver code that enumerates callback functions.\n- [@0x00dtm](https://twitter.com/0x00dtm) for the inline user-mode hook comparison logic.\n\n## Related Articles and Projects\n\n- [@matterpreter](https://twitter.com/matterpreter): [Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver](https://posts.specterops.io/mimidrv-in-depth-4d273d19e148)\n- [@fdiskyou](https://twitter.com/fdiskyou): [Windows Kernel Ps Callbacks Experiments](http://deniable.org/windows/windows-callbacks)\n- [@matteomalvica](https://twitter.com/matteomalvica): [Silencing the EDR. 
How to disable process, threads and image-loading detection callbacks.](https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/)\n- [@0x00dtm](https://twitter.com/0x00dtm): [Defeating Userland Hooks (ft. Bitdefender)](https://0x00sec.org/t/defeating-userland-hooks-ft-bitdefender/12496) ([Code](https://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Generic/Userland%20Hooking/AntiHook))\n- [@palantir](https://medium.com/palantir): [Tampering with Windows Event Tracing: Background, Offense, and Defense](https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63)\n\n## Licence\n\nThis project is licensed under the Apache License 2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjthuraisamy%2Ftelemetrysourcerer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjthuraisamy%2Ftelemetrysourcerer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjthuraisamy%2Ftelemetrysourcerer/lists"}
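The README's "Test Signing Mode" procedure is a list of manual steps whose failure modes (Secure Boot still on, so `bcdedit` refuses the change; BitLocker prompting for recovery on the next boot) only surface after a reboot. The PowerShell script below is an added example, not part of Telemetry Sourcerer, that checks those preconditions, confirms that the shipped driver is unsigned, and enables test signing. It assumes an elevated PowerShell 5.1+ session on a Windows 10 x64 lab VM, English-language `bcdedit` output, and that `TelemetrySourcererDriver.sys` has been extracted into the current directory. `Confirm-SecureBootUEFI`, `Get-BitLockerVolume`, `Suspend-BitLocker` and `Get-AuthenticodeSignature` are built-in cmdlets; the function names are mine.

```powershell
# Added example (not part of Telemetry Sourcerer): pre-flight checks and
# enablement for the README's "Test Signing Mode" procedure.
# Assumptions: Windows 10 x64 lab VM, elevated PowerShell 5.1+, English
# bcdedit output, driver extracted into the current directory.
# Run once before the reboot and again afterwards to confirm the mode took.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# bcdedit has no object output, so parse the "testsigning" element of the
# current boot entry. The element is absent when it was never set.
function Get-TestSigningState {
    $lines = & bcdedit.exe /enum '{current}'
    foreach ($l in $lines) {
        $m = [regex]::Match($l, '^\s*testsigning\s+(Yes|No)\s*$', 'IgnoreCase')
        if ($m.Success) { return $m.Groups[1].Value }   # 'Yes' or 'No'
    }
    return 'NotSet'
}

# Confirm-SecureBootUEFI throws on legacy-BIOS machines, where there is no
# Secure Boot to disable; report that rather than fail.
function Get-SecureBootState {
    try { if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { 'NotSupported' }
}

# BitLocker cmdlets exist only on editions that ship the BitLocker module.
function Get-SystemDriveBitLockerState {
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return 'ModuleMissing' }
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus.ToString()   # 'On' / 'Off'
}

# The README ships the driver unsigned; confirming that here makes clear why
# DSE blocks it and why test signing (or disabling DSE) is required.
function Get-DriverSignatureStatus {
    param([Parameter(Mandatory)][string]$Path)
    (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()   # e.g. 'NotSigned'
}

# Equivalent to the README's `bcdedit.exe -set TESTSIGNING ON` (bcdedit
# accepts both "-" and "/" switch prefixes), with the two preconditions checked.
function Enable-TestSigning {
    if ((Get-SecureBootState) -eq 'On') {
        throw 'Secure Boot is on: bcdedit will reject testsigning as protected by Secure Boot policy. Disable it in firmware first.'
    }
    if ((Get-SystemDriveBitLockerState) -eq 'On') {
        # A boot-configuration change otherwise triggers BitLocker recovery on
        # the next boot; suspending for one reboot is enough for this change.
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    }
    & bcdedit.exe /set '{current}' testsigning on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

$driver = Join-Path $PWD 'TelemetrySourcererDriver.sys'   # assumed location

"Test signing : $(Get-TestSigningState)"
"Secure Boot  : $(Get-SecureBootState)"
"BitLocker    : $(Get-SystemDriveBitLockerState)"
if (Test-Path $driver) { "Driver sig   : $(Get-DriverSignatureStatus -Path $driver)" }

if ((Get-TestSigningState) -ne 'Yes') {
    Enable-TestSigning
    'Test signing enabled. Reboot, re-run this script and expect "Test signing : Yes" (and the Test Mode desktop watermark).'
} else {
    'Test signing already on; launch TelemetrySourcerer.exe elevated to load the driver.'
}
```

Re-running the script after the reboot is the actual verification step: `bcdedit` reporting `testsigning Yes` is what lets the unsigned driver load, and if Secure Boot was left on the first run stops before touching the boot configuration instead of leaving a half-applied change behind.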