Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity

Oct 16, 2024Ravie LakshmananEndpoint Security / Malware

Threat actors are abusing the open-source EDRSilencer tool in an attempt to blind endpoint detection and response (EDR) solutions and conceal malicious behavior.

Trend Micro has identified "threat actors trying to incorporate EDRSilencer into their attacks, repurposing it to evade detection."

EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is designed to block outbound traffic of running EDR processes using the Windows Filtering Platform (WFP).

It does not terminate EDR processes; it silences them, blocking the outbound network traffic of processes belonging to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro, so the agents keep running but their telemetry never reaches the management console.

By incorporating such legitimate red-teaming tools into their arsenal, attackers aim to render EDR software ineffective and make malware harder to detect and remove.

"The WFP is a powerful framework built into Windows for creating network filtering and security applications," Trend Micro researchers said. "It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications."

"WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks."

EDRSilencer leverages WFP by dynamically identifying running EDR processes and setting up persistent WFP filters to block their outbound network communications on both IPv4 and IPv6, preventing security software from sending telemetry to their management consoles.

The attack involves scanning the system to compile a list of running processes linked to common EDR products, then running EDRSilencer with the argument "blockedr" (e.g., EDRSilencer.exe blockedr) to inhibit outbound traffic from those processes by configuring WFP filters.
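The flip side of the procedure above is hunting for the filters it leaves behind. The PowerShell below is an added example written for this page; it is not code from the article or from the EDRSilencer project. It dumps the live WFP filter set with `netsh wfp show filters`, then flags every filter at the outbound-connect layers whose condition is an application ID and whose action is BLOCK, which is exactly the shape of filter the tool installs. The XML element names (`filters/item`, `layerKey`, `filterCondition`, `conditionValue/byteBlob/asString`, `action/type`, `flags/item`, `filterId`) are assumed to match the dump format on current Windows builds, the dump is assumed to carry no default XML namespace, and the `$edrPathHints` list is an illustrative handful of install-directory fragments for vendors the article names, not the tool's target table.

```powershell
# Added example (not from the article or the EDRSilencer project): hunt for
# persistent, application-keyed WFP block filters at the outbound-connect layers.
# Run from an elevated prompt; 'netsh wfp show filters' needs administrator rights.
# Assumption: element names below follow the netsh XML dump; verify against your own.

$dumpPath = Join-Path $env:TEMP 'wfpfilters.xml'
netsh wfp show filters file="$dumpPath" | Out-Null
[xml]$wfp = Get-Content -Path $dumpPath -Raw

# Outbound connection authorization layers for IPv4 and IPv6.
$connectLayers = @('FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_CONNECT_V6')

# Illustrative install-directory fragments (assumption, extend for the EDR you run).
# App IDs come back as lower-case NT device paths, e.g.
# \device\harddiskvolume3\program files\windows defender\msmpeng.exe
$edrPathHints = @('\windows defender', '\elastic\', '\sentinelone\', '\trend micro\',
                  '\carbon black\', '\palo alto networks\', '\qualys\', '\tanium\')

$hits = foreach ($f in $wfp.SelectNodes('//filters/item')) {
    if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
    if ($connectLayers -notcontains $f.layerKey) { continue }

    # Keep only filters keyed on a specific application.
    $appCond = @($f.filterCondition.item) |
        Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
    if (-not $appCond) { continue }

    $appPath    = $appCond.conditionValue.byteBlob.asString
    $persistent = @($f.flags.item) -contains 'FWPM_FILTER_FLAG_PERSISTENT'
    $looksEdr   = [bool]($edrPathHints | Where-Object { $appPath -like "*$_*" })

    [pscustomobject]@{
        FilterId    = $f.filterId
        Name        = $f.displayData.name
        Layer       = $f.layerKey
        Persistent  = $persistent
        Provider    = $f.providerKey
        Application = $appPath
        LooksLikeEDR = $looksEdr
    }
}

# Persistent, app-keyed block filters pointing at an EDR binary float to the top.
$hits | Sort-Object LooksLikeEDR, Persistent -Descending | Format-Table -AutoSize
```

Expect some noise: Windows Defender Firewall expresses its own per-application block rules as WFP filters at the same layers, so compare the `Provider` column against the firewall's provider GUID in the dump before raising an alert. A persistent block filter with no provider, pointing at an EDR binary, is the pattern to escalate on. Listing filters does not remove them; cleanup goes through the WFP API (`FwpmFilterDeleteById0` with the `FilterId` shown) rather than netsh, which has no verb for deleting filters.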

"This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention," the researchers noted. "This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions."

Ransomware groups are increasingly turning to EDR-killing tools such as AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator, which load vulnerable signed drivers to gain kernel-level privileges and terminate security processes. EDRSilencer differs in that it needs no driver at all: with administrative rights and the documented user-mode WFP API it leaves the EDR processes alive and merely cuts them off from their consoles.

"EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned," a recent Trend Micro analysis said.

"It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools."
