Kill EDR Protected Processes Have these local admin credentials but the EDR is standing in the way? Unhooking or direct syscalls are not working against the EDR? Well, why not just kill it? Backstab is a tool capable of killing antimalware protected processes by leveraging sysinternals’ Process Explorer (ProcExp) driver, which is signed by Microsoft. What can it do? Usage: backstab.exe <-n name || -p PID> [options] -n, Choose process by name, including the .exe suffix -p, Choose process by PID -l, List handles of protected process -k, Kill the protected process by closing its handles -x, Close a specific handle -d, Specify path to where ProcExp will be extracted -s, Specify service name registry key -u, Unload ProcExp driver -a, adds SeDebugPrivilege -h, Print this menu Examples: backstab.exe -n cyserver.exe -k [kill cyserver] backstab.exe -n cyserver.exe -x E4C [Close handle E4C of cyserver] backstab.exe -n cyserver.exe -l [list all....