Hackers Exploit EDRSilencer to Evade Detection

EDRSilencer, a red team tool built to suppress endpoint detection and response (EDR) solutions, is now being used by threat actors as a means of evading detection.

Through the Windows Filtering Platform (WFP), EDRSilencer dynamically identifies running EDR processes and blocks their outbound communication, so telemetry and alerts never reach the management console and malware identification and removal are hindered.

Because it can also block communication for processes that are not on its hardcoded list, the tool is a potent aid to evading detection.

EDRSilencer adds filters to both IPv4 and IPv6 layers

EDRSilencer abuses the Windows Filtering Platform (WFP), a legitimate Windows component, to interfere with EDR solutions. By blocking network communication for EDR-related processes, it prevents telemetry and alerts from reaching management consoles, hindering malware detection and removal.

The technique, inspired by FireBlock, gives adversaries a practical way to evade detection. Understanding how EDRSilencer works is essential for defenders developing countermeasures against it.

EDRSilencer uses WFP to block the outbound network communication of common EDR products: it dynamically identifies running EDR processes and creates WFP filters that stop those processes from sending telemetry or alerts to their management consoles.

The tool's effect was verified with EDRNoiseMaker, which examines the list of executables silenced by WFP and detects whether EDR processes have been blocked.

Blocking processes using the full path of the EDR or antivirus binary

The tool blocked outbound traffic from EDR agents by installing persistent WFP filters. Its hardcoded list of EDR processes proved incomplete, however, so the remaining processes had to be identified manually and blocked with the block <path> argument.

When Trend Micro processes were targeted, the tool prevented the EDR from sending telemetry and the endpoint appeared disconnected. This demonstrates how effectively EDRSilencer disrupts EDR communication and, with it, threat detection and response.

The device shows as disconnected or inactive, indicating that EDRSilencer is effective

EDRSilencer is designed to circumvent EDR protections. It first scans the system to identify running EDR processes.

Once a process is detected, it blocks that process's outbound network traffic using WFP filters, effectively rendering the EDR tool inoperable and allowing attackers to carry out malicious activity without the EDR system detecting it.

The tool blocked most EDR processes, but some processes not included in its hardcoded list could still communicate. To close that gap, the additional processes were identified and blocked, leaving the EDR system completely unable to send logs or alerts.
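Because EDRSilencer leaves its filters in WFP, defenders can look for them the same way EDRNoiseMaker does. The following is an added example written for this article, not code from EDRSilencer or EDRNoiseMaker: it parses the XML produced by `netsh wfp show filters file=filters.xml`, decodes the application-ID condition (the full binary path the article mentions) and flags BLOCK filters at the IPv4 and IPv6 connect layers that target known EDR or antivirus binaries. The XML element names are my assumption about the export layout, and the sample export and binary list are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Illustrative EDR/AV process names to watch for (constructed, not EDRSilencer's list).
EDR_BINARIES = {"msmpeng.exe", "sensecndr.exe", "tmbmsrv.exe", "ntrtscan.exe",
                "xagt.exe", "sentinelagent.exe", "cyserver.exe"}
# Outbound connect layers; the article notes filters are added for both IPv4 and IPv6.
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

def decode_app_id(hex_blob: str) -> str:
    """FWPM_CONDITION_ALE_APP_ID carries the binary's NT device path as UTF-16LE bytes."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_blob))
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")

def find_edr_block_filters(xml_text: str, edr_binaries=EDR_BINARIES) -> list:
    """Return BLOCK filters at the connect layers whose app-ID condition names an EDR binary.
    Element names assume the layout of `netsh wfp show filters file=filters.xml`."""
    hits = []
    for flt in ET.fromstring(xml_text).iter("item"):
        if flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # permit/callout filters and condition sub-items are skipped
        layer = flt.findtext("layerKey")
        if layer not in CONNECT_LAYERS:
            continue
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            path = decode_app_id(cond.findtext("conditionValue/byteBlob/data") or "")
            if path.rsplit("\\", 1)[-1].lower() in edr_binaries:
                hits.append({"filter": flt.findtext("filterKey"), "layer": layer,
                             "name": flt.findtext("displayData/name"), "path": path})
    return hits

def _blob(path: str) -> str:  # encode a path the way the export carries app IDs
    return (path + "\x00").encode("utf-16-le").hex()

def _filter(key, name, layer, path, action):  # build one constructed <item>
    return (f"<item><filterKey>{{{key}}}</filterKey><displayData><name>{name}</name>"
            f"</displayData><layerKey>{layer}</layerKey><filterCondition><item>"
            f"<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>"
            f"<data>{_blob(path)}</data></byteBlob></conditionValue></item>"
            f"</filterCondition><action><type>{action}</type></action></item>")

TM = r"\device\harddiskvolume3\program files\trend micro\tmbmsrv.exe"
# Constructed sample export: the Trend Micro agent silenced on both IP versions,
# plus a benign permit rule for a browser that must not be flagged.
SAMPLE_XML = ("<filters>"
    + _filter("a", "Outbound block (constructed)", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", TM, "FWP_ACTION_BLOCK")
    + _filter("b", "Outbound block (constructed)", "FWPM_LAYER_ALE_AUTH_CONNECT_V6", TM, "FWP_ACTION_BLOCK")
    + _filter("c", "Browser permit", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", r"\device\hd3\firefox.exe", "FWP_ACTION_PERMIT")
    + "</filters>")

if __name__ == "__main__":
    for hit in find_edr_block_filters(SAMPLE_XML):
        print(f"[!] {hit['layer']}: filter {hit['filter']} ({hit['name']}) blocks {hit['path']}")
```

On a live host, export the filters with `netsh wfp show filters file=filters.xml` (elevated) and pass the file contents to `find_edr_block_filters`; any hit is a filter an EDR agent should never have against it.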

Attack chain of EDRSilencer

Threat actors are increasingly using EDRSilencer to disable antivirus and EDR solutions, making their attacks stealthier and more effective. This is a significant development in the threat landscape: it lets attackers evade detection and potentially carry out successful ransomware attacks.

Organizations must adopt a proactive security posture that combines multi-layered defenses with continuous monitoring to mitigate these risks. By staying vigilant and employing advanced detection mechanisms, organizations can counter sophisticated tools like EDRSilencer and protect their digital assets.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
