More and more companies realize, trying to prevent malicious activities alone is not enough, therefore more and more companies are using EDR products in their environment. From red team perspective this gets more and more a challenge, because even if the red team has achieved a local privilege escalation, most well known EDR products are still be very annoying. In the last few months we saw a lot about bypassing EDRs, but what about possible ways to disable the main functionalities from an EDR by targeted, controlled tampering from specific key components from them? What EDR components can be a key element in Windows user space and kernel space to disable the EDR main functionalities, but without relying on an uninstall password, uninstalling the product or using the Windows security center. And how can we as red teamer not just get rid of prevention by the antivirus module from an EPP/EDR, instead we also want to get rid of detections (active alerts in the web console) by the EDR module, get rid of the telemetry footprint based on the EDR sensor, host isolation, real time response remote shells and EDR sensor recovery feature.