Friday, May 2, 2025
Homecyber securityHackers Abuse EDRSilencer Red Team Tool To Evade Detection

Hackers Abuse EDRSilencer Red Team Tool To Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

EDRSilencer, a red team tool, interferes with EDR solutions by blocking network communication for associated processes using the WFP, which makes it harder to identify and remove malware, as EDRs cannot send telemetry or alerts.

The code demonstrates a technique where malware can evade detection by blocking EDR traffic, making it harder to identify and remove, which is achieved by leveraging the WFP framework to define custom rules that monitor and modify network traffic, thereby hindering EDR’s ability to communicate with its cloud-based infrastructure. 

Attack chain of EDRSilencer

The EDR products utilize various executable files, including agent processes, service components, and scanning utilities, to monitor system activity, detect threats, and provide real-time protection against cyberattacks.

- Advertisement - Google News

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The EDRSilencer tool creates WFP filters to block outbound network communications from running EDR processes, effectively preventing them from sending telemetry or alerts, while the EDRNoiseMaker tool was used to verify the effectiveness of EDRSilencer by identifying silenced processes based on WFP filters.

EDRSilencer configures a WFP filter to block specific application connections and sets up the corresponding provider

It offers commands to block or unblock network traffic for specific processes or all EDR processes using WFP filters that persist even after the system restarts, which allows users to block traffic from individual processes or remove all filters at once, providing granular control over network access.

The endpoint agent successfully sent outbound traffic despite the blockedr argument, as certain executable files not listed in the hardcoded blocklist were able to bypass the restriction.

 Although the processes have been blocked, the EDR is still able to send telemetry based on the endpoint logs

The second attempt involved identifying and blocking two unidentified Trend Micro processes using blockedr and block <path> commands, where the effectiveness of the tool was verified by the absence of logs on the portal when a ransomware binary was executed, suggesting successful prevention of log collection.

EDRSilencer scans the system for EDR processes and blocks their network traffic to evade detection and hinder EDR functionality, either by targeting all EDR processes or by specifying specific ones.

Blocking processes using the complete path of binary of EDR or antivirus

It exploits the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes, making them ineffective in sending telemetry and alerts, which allows malicious activities to remain undetected, increasing the risk of successful attacks.

Threat actors are using EDRSilencer to evade endpoint detection and response systems, increasing the risk of successful ransomware attacks and highlighting the need for organizations to adopt advanced detection mechanisms and threat-hunting strategies to protect their digital assets.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape...

Hackers Exploit New Eye Pyramid Offensive Tool With Python to Launch Cyber Attacks

Security researchers from Intrinsec have published a comprehensive analysis revealing significant overlaps in...

Hackers Exploit Critical NodeJS Vulnerabilities to Hijack Jenkins Agents for RCE

Security researchers have identified critical vulnerabilities in the Node.js CI/CD infrastructure, exposing internal Jenkins...

New MCP-Based Attack Techniques and Their Application in Building Advanced Security Tools

MCP, developed by Anthropic, allows Large Language Models (LLMs) to interface seamlessly with external...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape...

Hackers Exploit New Eye Pyramid Offensive Tool With Python to Launch Cyber Attacks

Security researchers from Intrinsec have published a comprehensive analysis revealing significant overlaps in...

Hackers Exploit Critical NodeJS Vulnerabilities to Hijack Jenkins Agents for RCE

Security researchers have identified critical vulnerabilities in the Node.js CI/CD infrastructure, exposing internal Jenkins...