Weakness in EDR Tools

I'm trying to look into this a bit. A few initial impressions:

• It looks like malicious code would first have to run on your machine to exploit this; Intercept X has a lot of protections against that happening.
• Intercept X, particularly the anti-exploit technology that came from the HitmanPro.Alert product, has some protections in place to protect against its own service being bypassed in this way; not sure whether/how it could apply to EDR.
• I think some parts of our EDR make use of Windows Event Tracing, which Optiv specifically calls out as not being subject to this attack vector.

If I learn anything more, I'll update here. Meanwhile, I wouldn't lose sleep over this. It's difficult to take advantage of, it wouldn't circumvent our core protections, and we're always looking to further harden our products against potential attack vectors.

As it turns out, we don't use user-mode application hooking for EDR.

I'm not sure why it's EDR focused - seems more general than EDR.

It is, but it's especially concerning for EDR, because EDR is supposed to provide a reliable log of what happened on an endpoint. If it can be tampered with, the log is no longer reliable, which means you could have gaps in detection or inaccurate information for an investigation.