Cyber Security News

Hackers Abuse EDRSilencer Red Team Tool To Evade Detection

EDRSilencer, a red team tool, interferes with EDR solutions by blocking network communication for associated processes using the WFP, which makes it harder to identify and remove malware, as EDRs cannot send telemetry or alerts.

The code demonstrates a technique where malware can evade detection by blocking EDR traffic, making it harder to identify and remove, which is achieved by leveraging the WFP framework to define custom rules that monitor and modify network traffic, thereby hindering EDR’s ability to communicate with its cloud-based infrastructure. 

Attack chain of EDRSilencer

The EDR products utilize various executable files, including agent processes, service components, and scanning utilities, to monitor system activity, detect threats, and provide real-time protection against cyberattacks.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The EDRSilencer tool creates WFP filters to block outbound network communications from running EDR processes, effectively preventing them from sending telemetry or alerts, while the EDRNoiseMaker tool was used to verify the effectiveness of EDRSilencer by identifying silenced processes based on WFP filters.

EDRSilencer configures a WFP filter to block specific application connections and sets up the corresponding provider

It offers commands to block or unblock network traffic for specific processes or all EDR processes using WFP filters that persist even after the system restarts, which allows users to block traffic from individual processes or remove all filters at once, providing granular control over network access.

The endpoint agent successfully sent outbound traffic despite the blockedr argument, as certain executable files not listed in the hardcoded blocklist were able to bypass the restriction.

Although the processes have been blocked, the EDR is still able to send telemetry based on the endpoint logs

The second attempt involved identifying and blocking two unidentified Trend Micro processes using blockedr and block <path> commands, where the effectiveness of the tool was verified by the absence of logs on the portal when a ransomware binary was executed, suggesting successful prevention of log collection.

EDRSilencer scans the system for EDR processes and blocks their network traffic to evade detection and hinder EDR functionality, either by targeting all EDR processes or by specifying specific ones.

Blocking processes using the complete path of binary of EDR or antivirus

It exploits the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes, making them ineffective in sending telemetry and alerts, which allows malicious activities to remain undetected, increasing the risk of successful attacks.

Threat actors are using EDRSilencer to evade endpoint detection and response systems, increasing the risk of successful ransomware attacks and highlighting the need for organizations to adopt advanced detection mechanisms and threat-hunting strategies to protect their digital assets.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

13 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

14 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

15 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

16 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

18 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

19 hours ago