Cyber Security News

Hackers Abuse EDRSilencer Red Team Tool To Evade Detection

EDRSilencer, a red team tool, interferes with EDR solutions by blocking network communication for associated processes using the WFP, which makes it harder to identify and remove malware, as EDRs cannot send telemetry or alerts.

The code demonstrates a technique where malware can evade detection by blocking EDR traffic, making it harder to identify and remove, which is achieved by leveraging the WFP framework to define custom rules that monitor and modify network traffic, thereby hindering EDR’s ability to communicate with its cloud-based infrastructure. 

Attack chain of EDRSilencer

The EDR products utilize various executable files, including agent processes, service components, and scanning utilities, to monitor system activity, detect threats, and provide real-time protection against cyberattacks.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The EDRSilencer tool creates WFP filters to block outbound network communications from running EDR processes, effectively preventing them from sending telemetry or alerts, while the EDRNoiseMaker tool was used to verify the effectiveness of EDRSilencer by identifying silenced processes based on WFP filters.

EDRSilencer configures a WFP filter to block specific application connections and sets up the corresponding provider

It offers commands to block or unblock network traffic for specific processes or all EDR processes using WFP filters that persist even after the system restarts, which allows users to block traffic from individual processes or remove all filters at once, providing granular control over network access.

The endpoint agent successfully sent outbound traffic despite the blockedr argument, as certain executable files not listed in the hardcoded blocklist were able to bypass the restriction.

Although the processes have been blocked, the EDR is still able to send telemetry based on the endpoint logs

The second attempt involved identifying and blocking two unidentified Trend Micro processes using blockedr and block <path> commands, where the effectiveness of the tool was verified by the absence of logs on the portal when a ransomware binary was executed, suggesting successful prevention of log collection.

EDRSilencer scans the system for EDR processes and blocks their network traffic to evade detection and hinder EDR functionality, either by targeting all EDR processes or by specifying specific ones.

Blocking processes using the complete path of binary of EDR or antivirus

It exploits the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes, making them ineffective in sending telemetry and alerts, which allows malicious activities to remain undetected, increasing the risk of successful attacks.

Threat actors are using EDRSilencer to evade endpoint detection and response systems, increasing the risk of successful ransomware attacks and highlighting the need for organizations to adopt advanced detection mechanisms and threat-hunting strategies to protect their digital assets.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago