EDRSandBlast
EDRSandBlast is an open-source Windows EDR-killing / defense-evasion tool designed to disable or bypass endpoint security products at the kernel level. The provided content consistently describes it as using Bring Your Own Vulnerable Driver (BYOVD) techniques to tamper with Windows kernel structures, remove or disable kernel notification routines such as process-creation and image-load callbacks, and in some cases remove Protected Process Light protections. Multiple reports state that it resolves Windows kernel version/structure offsets and can use ntoskrnl.exe version information, embedded CSV offset data, or downloaded PDB symbols to support kernel manipulation across Windows versions.
The tool is repeatedly referenced as being customized by threat actors rather than only used in its public form. Kaspersky reporting states ToddyCat derived a 64-bit DLL tool named TCESB from EDRSandBlast, extending its functionality. In that activity, TCESB used DLL proxying via a malicious version.dll loaded by ESET Command-line Scanner (ecls) through insecure DLL search order behavior later assigned CVE-2024-11859. TCESB then used Dell DBUtilDrv2.sys, a vulnerable signed driver associated with CVE-2021-36276, to modify kernel structures and disable monitoring callbacks. That ToddyCat-derived variant also decrypted extensionless payload files with AES-128 and executed them from memory.
A separate intrusion tied to Qilin ransomware involved a customized EDRSandBlast variant delivered through DLL sideloading: a legitimate Carbon Black Cloud Sensor updater (upd.exe) loaded a malicious avupdate.dll, which decoded an XOR-encoded payload (web.dat) into the EDRSandBlast variant. In that case, the customized tool used the signed Toshiba TPwSav.sys driver instead of more commonly associated vulnerable drivers, abused its physical memory read/write capability, hijacked Beep.sys for arbitrary kernel memory access, and removed kernel callbacks and kernel event tracing to blind EDR products. Blackpoint assessed this activity occurred prior to attempted ransomware deployment.
The content also links EDRSandBlast to Russian SVR/APT29 exploitation of JetBrains TeamCity CVE-2023-42793, where operators reportedly exfiltrated ntoskrnl.exe to identify the system version before deploying EDRSandBlast via BYOVD to disable or kill EDR/AV and remove PPL protections. More broadly, Sophos reporting says EDRSandBlast was one of the most frequently observed EDR-killer tools in 2024, seen across MDR and incident response cases and in waves of attempted ransomware attacks, with a notable peak around the US Thanksgiving period.
High-confidence aliases and detections in the content include EDRSandBlast / EDRSandblast and Kaspersky detection HEUR:HackTool.Win64.EDRSandblast.a. The malware/tool is associated in the provided reporting with ToddyCat, Qilin ransomware intrusions, and SVR/APT29 post-exploitation activity. Targeting in the cited cases spans Windows enterprise environments, especially where attackers seek to neutralize endpoint defenses before credential theft, persistence, lateral movement, or ransomware execution.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
ESET registered the CVE-2024-11859 vulnerability, then on January 21, 2025 released an update for the ecls file patching the security issue.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The search shows that most of them belong to the open-source malicious tool EDRSandBlast, designed to bypass security solutions. Kaspersky solutions detect it with the verdict HEUR:HackTool.Win64.EDRSandblast.a. ToddyCat created the TCESB DLL on its basis, modifying the original code to extend the malware’s functionality.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Persistence (1 technique)
When these firewall rules are created, they’re actually stored in the registry under: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{GUID}... When filters are set, they’re stored in the registry just like firewall rules, just in a different location.
Privilege Escalation (1 technique)
Stealth (3 techniques)
“T1014: Rootkit” and tools/drivers listed (e.g., YDArk; vulnerable drivers used for BYOVD).
Defense Impairment (2 techniques)
Credential Access (1 technique)
Other (3 techniques)
one of the most common ways to “blind” EDRs is to apply firewall rules against the desired EDR applications... although the EDR can collect telemetry of an action, those actions aren’t being sent up for detections or investigations.
Abuses built-in administrative tools and commands such as taskkill, net stop, and sc delete to tamper with the processes and services of security products.
The Windows Firewall has the ability to create custom rules that either allow or disallow an application to speak out through the network... as long as an attacker has local administrator rights they can successfully add an EDR agent into the firewall rule and block network connections.
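The firewall-based blinding described in the snippets above leaves a footprint in the FirewallRules registry key named earlier on this page. The following added example (not from the page or any of the cited vendors) parses the pipe-delimited rule strings stored there and flags active outbound or inbound Block rules aimed at endpoint-agent binaries; the rule values and the EDR path hints are constructed placeholders, and the key path and value format are assumed from standard Windows behavior.

```python
"""Detect Windows Firewall rules that block EDR/AV agent binaries.

Rules are stored as REG_SZ values under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules
as pipe-delimited strings, e.g. "v2.31|Action=Block|Active=TRUE|Dir=Out|App=...|Name=...|".
"""
from __future__ import annotations

FIREWALL_RULES_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

# Placeholder path fragments for agents you care about; replace with your own vendor paths.
EDR_PATH_HINTS = ("exampleedr", "sensor.exe")

# Constructed sample values in the registry's on-disk format (GUID value name -> rule string).
SAMPLE_RULES = {
    "{1111-constructed}": "v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\ExampleEDR\\sensor.exe|Name=Block sensor|",
    "{2222-constructed}": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop|",
    "{3333-constructed}": "v2.31|Action=Block|Active=FALSE|Dir=Out|App=C:\\Program Files\\ExampleEDR\\sensor.exe|Name=Disabled rule|",
}


def parse_rule(value: str) -> dict[str, str]:
    """Split a rule string into key/value fields; the leading version token is kept as 'Version'."""
    fields: dict[str, str] = {}
    tokens = [t for t in value.split("|") if t]
    if tokens and tokens[0].lower().startswith("v") and "=" not in tokens[0]:
        fields["Version"] = tokens.pop(0)
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields


def find_edr_block_rules(rules: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (registry value name, direction, app path) for active Block rules on watched binaries."""
    hits = []
    for reg_name, value in rules.items():
        f = parse_rule(value)
        if f.get("Action", "").lower() != "block" or f.get("Active", "").upper() != "TRUE":
            continue  # only enforced block rules matter for blinding
        app = f.get("App", "")
        if app and any(h in app.lower() for h in EDR_PATH_HINTS):
            hits.append((reg_name, f.get("Dir", "?"), app))
    return hits


def read_live_rules() -> dict[str, str]:
    """Read the real rule values from the local registry (Windows only; import is deferred so the module loads elsewhere)."""
    import winreg
    out: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_RULES_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out[name] = data
            i += 1
    return out
```

Run `find_edr_block_rules(read_live_rules())` on a Windows host to check the actual key; the constructed sample flags only the active Block rule against sensor.exe.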
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
EDRSandBlast is a malware tool designed to disable endpoint detection and response (EDR) software, facilitating ransomware deployment by attackers.
EDRSandblast is an EDR-disabling tool used to tamper with kernel structures and neutralize endpoint protections. In this case it was customized to use the TPwSav.sys vulnerable driver, hijack Beep.sys, and perform arbitrary kernel memory read/write to remove callbacks and event tracing.
An open-source tool designed to bypass security solutions by modifying kernel structures and disabling notification routines; its codebase was used as the basis for TCESB.
Tool that weaponizes a vulnerable signed driver (BYOVD) to bypass/disable EDR protections; used by Qilin operators via DLL sideloading.