Assumptions
- Tester has achieved elevated access to the system such that they can rename the EDR service’s executable and restart the EDR service.
- Tester has enumerated the EDR service and its supporting executables.
Procedure
- Enter the directory where the service’s executable is installed.

cd <target_directory>

- Rename the executable.

move <old>.exe <new>.exe

- Restart the service. There are various methods to achieve this:

Restarting the Service

sc.exe

sc.exe stop <service>
sc.exe start <service>

Restart the Host

Safely restarting the host forces the service to be restarted.
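The defensive counterpart to the procedure above is a check that the EDR service's registered binary is still the one it was installed with and that the service has not been quietly stopped and started. The following PowerShell script is an added example, not part of the original page; the service name, expected signer subject and baseline SHA-256 are placeholders that an administrator fills in from their own known-good baseline.

```powershell
# Added defensive check (not part of the original procedure): confirm that a
# service's registered executable still exists, carries the expected signature
# and hash, and list recent stop/start events for it. Service name, expected
# publisher and baseline hash are placeholders to be filled in by the operator.
param(
    [string]$ServiceName     = '<edr_service>',           # placeholder
    [string]$ExpectedSubject = 'CN=<expected publisher>', # placeholder
    [string]$ExpectedSha256  = '<known-good sha256>'      # placeholder from your own baseline
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }

# PathName may be quoted and may carry arguments; extract just the executable path.
$path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

$findings = @()
if (-not (Test-Path -LiteralPath $path)) {
    # A renamed binary leaves the registry pointing at a file that no longer exists.
    $findings += "Registered binary missing: $path (possible rename)"
} else {
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status $($sig.Status) on $path"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) { $findings += "Hash mismatch: $hash" }
}
if ($svc.State -ne 'Running') { $findings += "Service state is $($svc.State)" }

# Service Control Manager writes state changes as event 7036 (and unexpected
# terminations as 7034) to the System log; a stop/start pair around the time
# of a binary change is the trace the procedure above leaves behind.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7034
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$($svc.DisplayName)*" }
foreach ($e in $events) { $findings += "$($e.TimeCreated): $($e.Message.Trim())" }

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output "[ok] $ServiceName binary and state are consistent with the baseline"
}
```

Run it from an elevated prompt on a schedule or from a monitoring agent; the baseline hash and signer subject should be recorded at deployment time, since comparing the file against itself proves nothing. A tampered service that has been restarted under a new binary name will typically surface as a missing or mismatched path plus a 7036 stop/start pair.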