BlueHat Oct 23. S16: All Killer, No Filler: Exploring the Current State of EDR Killers

Colin Cowie and Andreas Klopsch from Sophos discuss the strategies threat actors use to bypass increasingly sophisticated EDR/AV products. They explore advanced techniques observed in real-world malware attacks, focusing on the two main techniques used to disable EDRs: abuse of legitimate (vulnerable) drivers and the use of leaked certificates to sign rootkits. They share insights from two case studies involving ransomware deployments and discuss the development processes threat actors follow. They also provide a broader view of the marketplace for EDR killers on criminal forums and examine the types of threat actors interested in EDR killers. The talk concludes by sharing a command-line tool developed to dump packed kernel-mode drivers from kernel memory, along with tips on how to defend against EDR killer attacks.
