Friday, November 1, 2024
Homecyber securityHackers Abuse EDRSilencer Red Team Tool To Evade Detection

Hackers Abuse EDRSilencer Red Team Tool To Evade Detection

Published on

Malware protection

EDRSilencer, a red team tool, interferes with EDR solutions by blocking network communication for associated processes using the WFP, which makes it harder to identify and remove malware, as EDRs cannot send telemetry or alerts.

The code demonstrates a technique where malware can evade detection by blocking EDR traffic, making it harder to identify and remove, which is achieved by leveraging the WFP framework to define custom rules that monitor and modify network traffic, thereby hindering EDR’s ability to communicate with its cloud-based infrastructure. 

Attack chain of EDRSilencer

The EDR products utilize various executable files, including agent processes, service components, and scanning utilities, to monitor system activity, detect threats, and provide real-time protection against cyberattacks.

- Advertisement - SIEM as a Service

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The EDRSilencer tool creates WFP filters to block outbound network communications from running EDR processes, effectively preventing them from sending telemetry or alerts, while the EDRNoiseMaker tool was used to verify the effectiveness of EDRSilencer by identifying silenced processes based on WFP filters.

EDRSilencer configures a WFP filter to block specific application connections and sets up the corresponding provider

It offers commands to block or unblock network traffic for specific processes or all EDR processes using WFP filters that persist even after the system restarts, which allows users to block traffic from individual processes or remove all filters at once, providing granular control over network access.

The endpoint agent successfully sent outbound traffic despite the blockedr argument, as certain executable files not listed in the hardcoded blocklist were able to bypass the restriction.

 Although the processes have been blocked, the EDR is still able to send telemetry based on the endpoint logs

The second attempt involved identifying and blocking two unidentified Trend Micro processes using blockedr and block <path> commands, where the effectiveness of the tool was verified by the absence of logs on the portal when a ransomware binary was executed, suggesting successful prevention of log collection.

EDRSilencer scans the system for EDR processes and blocks their network traffic to evade detection and hinder EDR functionality, either by targeting all EDR processes or by specifying specific ones.

Blocking processes using the complete path of binary of EDR or antivirus

It exploits the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes, making them ineffective in sending telemetry and alerts, which allows malicious activities to remain undetected, increasing the risk of successful attacks.

Threat actors are using EDRSilencer to evade endpoint detection and response systems, increasing the risk of successful ransomware attacks and highlighting the need for organizations to adopt advanced detection mechanisms and threat-hunting strategies to protect their digital assets.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...