Hackers Abuse EDRSilencer Red Team Tool To Evade Detection

EDRSilencer, a red team tool, interferes with EDR solutions by blocking network communication for associated processes using the WFP, which makes it harder to identify and remove malware, as EDRs cannot send telemetry or alerts.

The code demonstrates a technique where malware can evade detection by blocking EDR traffic, making it harder to identify and remove, which is achieved by leveraging the WFP framework to define custom rules that monitor and modify network traffic, thereby hindering EDR’s ability to communicate with its cloud-based infrastructure. 

The EDR products utilize various executable files, including agent processes, service components, and scanning utilities, to monitor system activity, detect threats, and provide real-time protection against cyberattacks.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The EDRSilencer tool creates WFP filters to block outbound network communications from running EDR processes, effectively preventing them from sending telemetry or alerts, while the EDRNoiseMaker tool was used to verify the effectiveness of EDRSilencer by identifying silenced processes based on WFP filters.

It offers commands to block or unblock network traffic for specific processes or all EDR processes using WFP filters that persist even after the system restarts, which allows users to block traffic from individual processes or remove all filters at once, providing granular control over network access.

The endpoint agent successfully sent outbound traffic despite the blockedr argument, as certain executable files not listed in the hardcoded blocklist were able to bypass the restriction.

The second attempt involved identifying and blocking two unidentified Trend Micro processes using blockedr and block <path> commands, where the effectiveness of the tool was verified by the absence of logs on the portal when a ransomware binary was executed, suggesting successful prevention of log collection.

EDRSilencer scans the system for EDR processes and blocks their network traffic to evade detection and hinder EDR functionality, either by targeting all EDR processes or by specifying specific ones.

It exploits the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes, making them ineffective in sending telemetry and alerts, which allows malicious activities to remain undetected, increasing the risk of successful attacks.

Threat actors are using EDRSilencer to evade endpoint detection and response systems, increasing the risk of successful ransomware attacks and highlighting the need for organizations to adopt advanced detection mechanisms and threat-hunting strategies to protect their digital assets.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar