
new: EDRChoker QoS ThrottleRate Set by WMI #6062

Open
0xtamseel wants to merge 3 commits into SigmaHQ:master from 0xtamseel:master

Conversation


@0xtamseel 0xtamseel commented Jun 12, 2026


Summary of the Pull Request

This pull request adds a new experimental rule to detect indications of EDR telemetry suppression via Policy-based Quality of Service (QoS) throttling.

Recently popularized by the EDRChoker tool, this technique leverages WMI to create persistent QoS policies that restrict an EDR agent's outbound bandwidth (e.g., down to 8 bits per second). This causes TLS handshake timeouts and silently severs the agent's connectivity to its management server without triggering standard Windows Filtering Platform (WFP) or firewall tampering alerts. The rule detects this by monitoring registry events for the creation of ThrottleRate under \QoS\ by the WMI provider service (wmiprvse.exe).

Changelog

new: QoS ThrottleRate Set by WMI

Example Log Event

Event ID 13 - Registry Value Set

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>13</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2026-06-12T14:25:40.6889594Z" />
    <EventRecordID>49539</EventRecordID>
    <Correlation />
    <Execution ProcessID="12260" ThreadID="10012" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WinDev2407Eval</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2026-06-12 14:25:40.673</Data>
    <Data Name="ProcessGuid">{be054b2f-1689-6a2c-0b03-000000001900}</Data>
    <Data Name="ProcessId">14080</Data>
    <Data Name="Image">C:\Windows\system32\wbem\wmiprvse.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-452328625-1400724939-4162253496-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{9C8AEBA4-E6B4-4F5A-9D99-E5CEE29F4731}Machine\Software\Policies\Microsoft\Windows\QoS\r3t4mv2d\ThrottleRate</Data>
    <Data Name="Details">QWORD (0x00000000-0x00000001)</Data>
    <Data Name="User">NT AUTHORITY\LOCAL SERVICE</Data>
  </EventData>
</Event>

Event ID 1 - Process Creation

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2026-06-12T14:25:40.5223177Z" />
    <EventRecordID>49538</EventRecordID>
    <Correlation />
    <Execution ProcessID="12260" ThreadID="10012" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WinDev2407Eval</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2026-06-12 14:25:40.521</Data>
    <Data Name="ProcessGuid">{be054b2f-16e4-6a2c-1d03-000000001900}</Data>
    <Data Name="ProcessId">11420</Data>
    <Data Name="Image">C:\Users\Tamseel\source\repos\EDRChoker\bin\Debug\EDRChoker.exe</Data>
    <Data Name="FileVersion">1.0.0.0</Data>
    <Data Name="Description">EDRChoker</Data>
    <Data Name="Product">EDRChoker</Data>
    <Data Name="Company">-</Data>
    <Data Name="OriginalFileName">EDRChoker.exe</Data>
    <Data Name="CommandLine">EDRChoker.exe list.txt</Data>
    <Data Name="CurrentDirectory">C:\Users\Tamseel\source\repos\EDRChoker\bin\Debug\</Data>
    <Data Name="User">WINDEV2407EVAL\Tamseel</Data>
    <Data Name="LogonGuid">{be054b2f-eacc-6a2b-f760-030000000000}</Data>
    <Data Name="LogonId">0x360f7</Data>
    <Data Name="TerminalSessionId">1</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="Hashes">SHA1=3893CDCDC230AA0BFF2929294D27854457902DDF,MD5=88FC749B9164E77572F42209E9898AA1,SHA256=299887899B4587F4DDF8B900813FED4953B95BD7C5BBFD0A4AFE97A09AE02470,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</Data>
    <Data Name="ParentProcessGuid">{be054b2f-f4c4-6a2b-d202-000000001900}</Data>
    <Data Name="ParentProcessId">3796</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\system32\cmd.exe"</Data>
    <Data Name="ParentUser">WINDEV2407EVAL\Tamseel</Data>
  </EventData>
</Event>

Fixed Issues

None
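Detection logic for the selection the summary describes (Sysmon Event ID 13, wmiprvse.exe writing a ...\QoS\...\ThrottleRate value, plus the low-rate clause the later commit mentions), as an added example that is not the PR's Sigma rule; the LOW_RATE_MAX threshold, the assumption that Sysmon renders a QWORD as "(0xHIGH-0xLOW)", and the sample SIDs, GUIDs and policy names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not the PR's Sigma rule: the selection described in this PR run
# over Sysmon Event ID 13 XML. Assumed: LOW_RATE_MAX, and that Sysmon prints a
# QWORD Details value as "QWORD (0xHIGH-0xLOW)".
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
QWORD_RE = re.compile(r"QWORD \(0x([0-9A-Fa-f]{8})-0x([0-9A-Fa-f]{8})\)")
LOW_RATE_MAX = 1024  # assumed cut-off for the "low rate" clause
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into {"EventID": ..., <EventData Name>: ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields
def throttle_value(details):
    """Decode a QWORD Details string to an int; None if it is not a QWORD."""
    m = QWORD_RE.fullmatch(details)
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16) if m else None
def is_qos_throttle_by_wmi(fields):
    """Core selection: Event 13, wmiprvse.exe writing ...\\QoS\\...\\ThrottleRate."""
    target = fields.get("TargetObject", "").lower()
    return (fields.get("EventID") == "13"
            and fields.get("Image", "").lower().endswith("\\wbem\\wmiprvse.exe")
            and "\\qos\\" in target and target.endswith("\\throttlerate"))
def classify(xml_text):
    """Return 'no_match', 'qos_throttle_by_wmi' or 'qos_throttle_low_rate'."""
    f = parse_sysmon_event(xml_text)
    if not is_qos_throttle_by_wmi(f):
        return "no_match"
    v = throttle_value(f.get("Details", ""))
    low = v is not None and v <= LOW_RATE_MAX
    return "qos_throttle_low_rate" if low else "qos_throttle_by_wmi"
def event_xml(event_id, **data):
    """Build a minimal Sysmon event (constructed sample, not a real capture)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{items}</EventData></Event>")
QOS_KEY = (r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion"
           r"\Group Policy Objects\{GUID}Machine\Software\Policies\Microsoft\Windows\QoS")
SAMPLES = {  # constructed, modelled on the Event ID 13 quoted in this PR
    "wmi_low": event_xml(13, Image=WMI, Details="QWORD (0x00000000-0x00000001)",
                         TargetObject=QOS_KEY + r"\r3t4mv2d\ThrottleRate"),
    "wmi_high": event_xml(13, Image=WMI, Details="QWORD (0x00000000-0x00100000)",
                          TargetObject=QOS_KEY + r"\p1\ThrottleRate"),
    "other_image": event_xml(13, Image=r"C:\Windows\System32\svchost.exe",
                             TargetObject=QOS_KEY + r"\p2\ThrottleRate"),  # other writer
}
```

Only the first sample hits the low-rate selection; the second shows why the extra clause matters for triage, and the third shows the writer-process condition excluding the same key written by another image.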

Add detection for EDRChoker QoS throttle rate via WMI
github-actions bot added the labels Rules, Review Needed (The PR requires review) and Windows (Pull request add/update windows related rules) on Jun 12, 2026

@github-actions github-actions Bot left a comment


Welcome @0xtamseel 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

If you want to engage more with the community for official support, general discussions or announcements:

👉 Join our Discord server

0xtamseel changed the title from "new: QoS ThrottleRate Set by WMI" to "new: EDRChoker QoS ThrottleRate Set by WMI" on Jun 14, 2026
Added low rate selection clause inspired by PR SigmaHQ#6063