Threat actors are trying to interfere with endpoint detection and response (EDR) solutions and conceal harmful activities by abusing the open-source EDRSilencer program.
Trend Micro claimed to have identified “threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.”
EDRSilencer uses the Windows Filtering Platform (WFP) to block outbound traffic from running EDR processes. It was inspired by MDSec’s NightHawk FireBlock application.
It can block the outbound traffic of a variety of processes belonging to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.
By adding such legitimate red-teaming tools to their toolkit, the attackers intend to render EDR software useless and make malware far harder to detect and remove.
“The WFP is a powerful framework built into Windows for creating network filtering and security applications,” Trend Micro researchers said. “It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications.”
“WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.”
EDRSilencer abuses WFP by dynamically identifying running EDR processes and creating persistent WFP filters that block their outbound network connections over both IPv4 and IPv6, which prevents the security software from delivering telemetry to its management console.
The attack essentially involves scanning the system for running processes associated with popular EDR products, then invoking EDRSilencer with the “blockedr” option (e.g., EDRSilencer.exe blockedr) to configure WFP filters that block outbound traffic from those processes.
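Because the filters EDRSilencer installs are persistent WFP objects, a defender can enumerate them. The following script is an added example written for this article; it is not code from Trend Micro or from the EDRSilencer project. It parses an export produced by the built-in command `netsh wfp show filters file=filters.xml` and flags block filters at the outbound ALE_AUTH_CONNECT layers whose application-ID condition points at a known EDR binary. The XML element names used here (`filters/item`, `layerKey`, `filterCondition/item/fieldKey`, `conditionValue/byteBlob/asString`, `action/type`, `flags/item`) are this example's assumption about the netsh export format, the embedded sample XML is constructed for the demonstration, and the EDR process list is an illustrative subset that an operator would replace with the vendor's documented process names.

```python
"""Flag WFP filters that silence EDR telemetry (added example, not the article's code).

Input: the XML written by `netsh wfp show filters file=<path>` on a Windows host.
Detection idea: EDR-silencing tools add persistent FWP_ACTION_BLOCK filters at the
outbound ALE_AUTH_CONNECT layers keyed on the EDR executable's app-id, so any block
filter whose app-id resolves to a security product binary deserves a look.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Outbound connection layers where an app-id block severs a process's network egress.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Illustrative subset of EDR/AV process names (assumption: extend from vendor docs).
EDR_PROCESS_NAMES = {
    "msmpeng.exe", "mssense.exe", "sensendr.exe",       # Microsoft Defender
    "elastic-agent.exe", "elastic-endpoint.exe",        # Elastic
    "sentinelagent.exe", "sentinelservicehost.exe",     # SentinelOne
    "cb.exe", "repmgr.exe",                             # Carbon Black
}


def _text(el: ET.Element, path: str) -> str:
    """Return stripped text of a child element, or '' if it is missing/empty."""
    node = el.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_filters(xml_text: str) -> List[Dict]:
    """Parse a netsh WFP filter export into plain dicts (element layout is assumed)."""
    root = ET.fromstring(xml_text.strip())
    container = root if root.tag == "filters" else root.find(".//filters")
    if container is None:
        return []
    filters = []
    for item in container.findall("item"):          # direct children only: nested
        flags = [f.text for f in item.findall("flags/item") if f.text]  # <item>s are flags/conditions
        app_ids = []
        for cond in item.findall("filterCondition/item"):
            if _text(cond, "fieldKey") == "FWPM_CONDITION_ALE_APP_ID":
                # asString holds the NT device path of the matched executable.
                app_ids.append(_text(cond, "conditionValue/byteBlob/asString").lower())
        filters.append({
            "key": _text(item, "filterKey"),
            "name": _text(item, "displayData/name"),
            "layer": _text(item, "layerKey"),
            "action": _text(item, "action/type"),
            "persistent": "FWPM_FILTER_FLAG_PERSISTENT" in flags,
            "app_ids": app_ids,
        })
    return filters


def find_edr_block_filters(filters: List[Dict], edr_names=EDR_PROCESS_NAMES) -> List[Dict]:
    """Return outbound block filters whose app-id condition names an EDR executable."""
    hits = []
    for f in filters:
        if f["action"] != "FWP_ACTION_BLOCK" or f["layer"] not in OUTBOUND_LAYERS:
            continue
        for path in f["app_ids"]:
            exe = path.rsplit("\\", 1)[-1]           # last path component, e.g. msmpeng.exe
            if exe in edr_names:
                hits.append({**f, "matched_exe": exe})
    return hits


def _item(key: str, name: str, layer: str, action: str, persistent: bool, app_path: str = "") -> str:
    """Build one constructed <item> in the assumed netsh layout (sample data only)."""
    flag = "<numItems>1</numItems><item>FWPM_FILTER_FLAG_PERSISTENT</item>" if persistent else "<numItems>0</numItems>"
    cond = ("<numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>"
            "<matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>"
            f"<byteBlob><asString>{app_path}</asString></byteBlob></conditionValue></item>"
            if app_path else "<numItems>0</numItems>")
    return (f"<item><filterKey>{{{key}}}</filterKey><displayData><name>{name}</name><description></description>"
            f"</displayData><flags>{flag}</flags><layerKey>{layer}</layerKey>"
            f"<filterCondition>{cond}</filterCondition><action><type>{action}</type></action></item>")


# Constructed sample export: two silencing filters, one benign permit, one unrelated inbound block.
_DEFENDER = r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"
SAMPLE_WFP_XML = "<filters>" + "".join([
    _item("11111111-1111-1111-1111-111111111111", "Outbound Filter", "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
          "FWP_ACTION_BLOCK", True, _DEFENDER),
    _item("22222222-2222-2222-2222-222222222222", "Outbound Filter", "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
          "FWP_ACTION_BLOCK", True, _DEFENDER),
    _item("33333333-3333-3333-3333-333333333333", "Allow browser", "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
          "FWP_ACTION_PERMIT", False, r"\device\harddiskvolume3\program files\contoso\browser.exe"),
    _item("44444444-4444-4444-4444-444444444444", "Inbound default deny",
          "FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4", "FWP_ACTION_BLOCK", True),
]) + "</filters>"


if __name__ == "__main__":
    for h in find_edr_block_filters(parse_filters(SAMPLE_WFP_XML)):
        print(f"{h['key']} {h['layer']} blocks {h['matched_exe']} persistent={h['persistent']}")
```

On a real host, export with `netsh wfp show filters file=filters.xml` and pass the file contents to `parse_filters`. Legitimate products (including some EDRs) also register WFP filters, so treat a hit as a lead to correlate with the filter's provider and creation time rather than as proof of tampering; the persistent flag is the detail that distinguishes EDRSilencer's filters from the transient ones most software creates.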
“This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention,” the researchers said. “This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.”
The development coincides with an increase in ransomware groups’ use of powerful EDR-killing tools, such as AuKill (also known as AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator, which weaponize vulnerable drivers to escalate privileges and terminate security-related processes.
“EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned,” Trend Micro said in a recent analysis.
“It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools.”
CIO News is a property of Mercadeo Multiventures Pvt Ltd.