Threat actors are attempting to abuse the open source EDRSilencer tool in an effort to spoof Endpoint Detection and Response (EDR) solutions and conceal malicious activity.
Trend Micro said it discovered that “threat actors are attempting to integrate EDRSilencer into their attacks by repurposing it as a means of evading detection.”
EDRS silencerinspired NightHawk FireBlock the tool from MDSec is designed to block the outbound traffic of running EDR processes using the Windows Filtering Framework (MPP).
It supports termination of various processes related to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab and Trend Micro.
By including such legitimate red teaming tools in their arsenal, the goal is to render EDR software ineffective and make it much more difficult to identify and remove malware.
“WFP is a powerful framework built into Windows for building network filters and security applications,” Trend Micro researchers said. “It provides developers with an API to define custom rules to monitor, block or modify network traffic based on various criteria such as IP addresses, ports, protocols and applications.”
“WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.”
EDRSilencer takes advantage of WFP by dynamically identifying running EDR processes and creating persistent WFP filters to block their outgoing network connections on both IPv4 and IPv6, thereby preventing security software from sending telemetry to their management consoles.
The attack essentially works by scanning the system to collect a list of running processes related to common EDR products, then running EDRSilencer with the “blockedr” argument (eg EDRSilencer.exe blockedr) to block outbound traffic from those processes by configuring WFP filters .
“This allows malware or other malicious activity to remain undetected, increasing the potential for successful attacks without detection or intervention,” the researchers said. “This underscores the current trend of threat actors looking for more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.”
The development came as a result of ransomware groups using formidable EDR destruction tools such as AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver and Terminator is growing, and these programs use vulnerable drivers to elevate privileges and terminate security-related processes.
“EDRKillShifter improves resilience mechanisms by using techniques that ensure its continuous presence on the system, even after the initial intrusions have been detected and remedied.”—Trend Micro said in a recent analysis.
“It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying one step ahead of traditional EDR tools.”
