Threat Actors Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity
Threat actors are attempting to abuse the open-source EDRSilencer tool to tamper with endpoint detection and response (EDR) solutions and hide malicious activity.
Trend Micro said it observed “threat actors trying to incorporate EDRSilencer in their assaults, repurposing it as a technique to elude detection.”
EDRSilencer, inspired by MDSec's NightHawk FireBlock tool, is designed to block the outbound traffic of running EDR processes using the Windows Filtering Platform (WFP).
It does not kill the agents; it silences them, cutting off network communication for processes belonging to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.
By adding legitimate red-team tools like this to their arsenal, the attackers aim to render EDR software ineffective and make identifying and removing malware considerably harder.
“The WFP is a potent framework integrated within Windows for formulating network filtering and security applications,” Trend Micro researchers said. “It furnishes APIs for developers to specify custom regulations to monitor, block, or adjust network traffic based on diverse criteria such as IP addresses, ports, protocols, and applications.”
“WFP is harnessed in firewalls, antivirus software, and other security solutions to safeguard systems and networks.”
EDRSilencer uses WFP by dynamically identifying running EDR processes and creating persistent WFP filters that block their outbound network communication over both IPv4 and IPv6, preventing the security software from sending telemetry to its management console. Because the filters are persistent, they survive a reboot and keep the agent muted until someone removes them.
The attack essentially starts by scanning the system to build a list of running processes associated with common EDR products, then running EDRSilencer with the “blockedr” argument (e.g., EDRSilencer.exe blockedr) to block outbound traffic from those processes by configuring WFP filters.
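A hunting script for the artefact this leaves behind, added here as an example (it is not code from EDRSilencer, Trend Micro, or the article): it dumps the live WFP filter set with netsh, picks out BLOCK filters at the outbound connect layers that are scoped to a single executable, and marks the ones whose image is a known EDR binary. The XML element names it reads, the $EdrBinaries list, and the function names are assumptions of this example, not something the article states.

```powershell
# Added example, not code from EDRSilencer or Trend Micro. Hunts a Windows host for the
# artefact described above: WFP filters at the outbound (ALE connect) layers with a BLOCK
# action whose condition is the application ID of an EDR binary.
# Run from an elevated PowerShell prompt; 'netsh wfp show filters' needs administrator rights.
#
# Assumptions (not from the article): the element names below are those of the XML that
# 'netsh wfp show filters' writes, and $EdrBinaries is a starting list to extend per estate.

[CmdletBinding()]
param(
    [string]$XmlPath = (Join-Path $env:TEMP 'wfpfilters.xml'),
    [switch]$IncludeAuditEvents
)

# Process image names of common EDR/AV agents (assumed starting list).
$EdrBinaries = @(
    'MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe',       # Microsoft Defender / Defender for Endpoint
    'elastic-agent.exe', 'elastic-endpoint.exe',       # Elastic
    'SentinelAgent.exe',                               # SentinelOne
    'TaniumClient.exe', 'ekrn.exe', 'cb.exe'           # Tanium, ESET, Carbon Black
)

function Get-WfpFilterSnapshot {
    param([string]$Path)
    # netsh dumps the complete current filter set, persistent filters included, to XML.
    $null = netsh wfp show filters file="$Path"
    if (-not (Test-Path $Path)) { throw "netsh did not write $Path (not elevated?)" }
    return [xml](Get-Content -Path $Path -Raw)
}

function Find-AppScopedOutboundBlocks {
    param([xml]$Wfp, [string[]]$Binaries)
    # ALE_AUTH_CONNECT is where outbound connections are authorised; EDRSilencer adds
    # its filters for both IPv4 and IPv6, so check both layers.
    $outboundLayers = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_CONNECT_V6'
    foreach ($f in $Wfp.SelectNodes('//filters/item')) {
        if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
        if ($outboundLayers -notcontains $f.layerKey) { continue }
        # An application-ID condition carries the executable's NT device path.
        $appConds = @($f.filterCondition.item) | Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
        foreach ($c in $appConds) {
            $imagePath = $c.conditionValue.byteBlob.asString
            if (-not $imagePath) { continue }
            [pscustomobject]@{
                FilterId       = $f.filterId
                Name           = $f.displayData.name
                Layer          = $f.layerKey
                Persistent     = (@($f.flags.item) -contains 'FWPM_FILTER_FLAG_PERSISTENT')
                ImagePath      = $imagePath
                MatchesEdrList = ($Binaries -contains (Split-Path -Leaf $imagePath))
            }
        }
    }
}

function Get-WfpFilterChangeEvents {
    param([int]$Hours = 24)
    # Needs: auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable
    # 5447 = a WFP filter has been changed (added or deleted); 5441 = a filter was present when
    # the Base Filtering Engine started, which is how a persistent filter shows up after every reboot.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5441, 5447; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$wfp  = Get-WfpFilterSnapshot -Path $XmlPath
$hits = @(Find-AppScopedOutboundBlocks -Wfp $wfp -Binaries $EdrBinaries)
if ($hits.Count -eq 0) {
    Write-Host 'No application-scoped outbound BLOCK filters at the ALE connect layers.'
} else {
    # Filters scoped to an EDR image are the EDRSilencer pattern; unlisted images still deserve a look.
    $hits | Sort-Object MatchesEdrList -Descending | Format-Table -AutoSize
}
if ($IncludeAuditEvents) { Get-WfpFilterChangeEvents | Format-Table -AutoSize }
Remove-Item -Path $XmlPath -ErrorAction SilentlyContinue
```

Run it as `.\Find-WfpEdrBlocks.ps1 -IncludeAuditEvents` from an elevated prompt. Any BLOCK filter at the connect layers that is scoped to one executable is unusual on a default host, so review unlisted images too rather than trusting the binary list. netsh only reports; removing a rogue filter goes through the WFP API (FwpmFilterDeleteById0 or FwpmFilterDeleteByKey0) from an elevated process, and because the filters are persistent a reboot does not clear them.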
“This enables malware or other malicious activities to stay concealed, heightening the likelihood of prosperous attacks without detection or intervention,” the researchers said. “This underscores the ongoing tendency of threat actors to seek more potent tools for their assaults, particularly those devised to incapacitate antivirus and EDR solutions.”
This development comes as ransomware groups are increasingly using EDR-disabling tools such as AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator, which weaponize vulnerable drivers (the bring-your-own-vulnerable-driver approach) to escalate privileges and terminate security-related processes. Unlike EDRSilencer, which leaves the agent running but unable to report, these tools kill it outright, so the two families leave different traces for defenders.
“EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned,” Trend Micro said in a recent analysis.
“It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools.”