Telemetry Sourcerer enumerates and disables common telemetry sources used by antivirus and EDR products on Windows to aid red teamers and security researchers.
Enumerate and disable common sources of telemetry used by AV/EDR.
This tool is primarily used by red teamers and security enthusiasts in lab environments to identify telemetry collection blind spots in endpoint security products, understand which telemetry sources generate specific events, and test whether tampering with telemetry triggers detection. It helps in researching and validating endpoint telemetry behaviors for offensive security testing and evasion techniques.
This tool is intended for research and lab use only and is not OPSEC-safe for production or targeted environments without modification. Running with elevated privileges and disabling security features such as DSE, or enabling test signing mode, exposes the system to risk. The driver is unsigned by default and requires signing, test signing mode, or disabled DSE to load. The tool currently supports Windows 7 and 10 (x64) and does not detect IAT/EAT hooks or kernel-mode hooks beyond callbacks. Users should combine this tool with other evasion techniques to minimize detection footprint.
Installation and setup:
1. Download the latest release from the GitHub releases page.
2. Extract the downloaded files.
3. Run the executable with elevated privileges for full functionality.
4. For kernel-mode callbacks, do one of the following so the driver can load: enable test signing mode, disable driver signature enforcement (DSE), or sign the driver.
   - To enable test signing mode: disable BitLocker and Secure Boot, run 'bcdedit.exe -set TESTSIGNING ON' in an elevated command prompt, then reboot.
   - To disable DSE using KDU: clone https://github.com/hfiref0x/KDU.git, run 'kdu -dse 0' in an elevated command prompt before launching the tool, and run 'kdu -dse 6' afterwards to re-enable it.
   - To sign the driver: use SignTool with a valid cross-certificate and certificate file to sign TelemetrySourcererDriver.sys.
Commands:
  Launch the Telemetry Sourcerer executable
    Starts the tool; run elevated to access kernel-mode callbacks and additional ETW sessions.
  bcdedit.exe -set TESTSIGNING ON
    Enables Windows test signing mode to allow loading unsigned drivers (requires a reboot).
  kdu -dse 0
    Disables Driver Signature Enforcement temporarily to allow loading unsigned drivers.
  kdu -dse 6
    Re-enables Driver Signature Enforcement after testing.
  signtool sign /a /ac "cross-cert.cer" /f "cert.pfx" /p "password" TelemetrySourcererDriver.sys
    Signs the Telemetry Sourcerer driver with a valid certificate to allow loading on Windows.