Christopher Vella

Security Consultant, Context Information Security

Christopher Vella

Talk Title

EDR Internals and Bypasses


Endpoint Detection and Response (EDR) product vendors will give you the spiel on what they do and their capabilities, but how do they actually work at the lowest level? And how can we discover weaknesses in these products to develop bypasses or evaluate them?

Join me as we reverse engineer an EDR product and the Windows kernel to unveil its inner-workings, alongside the Windows kernel structures and functions EDR products rely on to operate, and by doing so discover weaknesses and gaps in their protections that allow actors to bypass the product’s defenses, rendering them null&void. Finally, by abusing an identified weakness I’ll use a custom-build mimikatz to dump all the hashes on a machine protected by EDR.


Christopher Vella is a consultant at Context Information Security, where he writes offensive tools for Windows and hunts for vulnerabilities in corporate environments and ICS/SCADA systems. Christopher's previous research includes deobfuscating protected drivers/applications, reversing and recreating Equation Group's kernel rootkits and implementing homomorphic encryption for biometric authentication.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved