I became aware of this technique like 9 months ago, and now I see this on a attack in the wild conducted by Qilin Ransomware Gang, so it’s time to make it public. One of the most important security things in EDR’s is the possibility to intercept calls to the kernel. For this purpose, EDR’s vendors use MiniFilter Drivers that load on boot. But what happens when these drivers are forced disabled by attacker? The attacker can peacefully make kernel calls without being intercepted by EDR’s. When the Windows load a MiniFilter Driver , there is a order to load them ,