EDR agents communicate with cloud servers for telemetry and threat analysis, and disrupting this connection could hinder EDR’s effectiveness.
However, EDR vendors can implement tamper protection and use group policy to prevent firewall rule manipulation, while the sheer number of EDR contact servers makes blocking every communication channel impractical.
EDRSilencer uses the Windows Filtering Platform (WFP) to impede EDR communication; it relies on built-in WFP functionality and requires administrator privileges.
It first identifies EDR processes by a hardcoded list of names, then opens a session to the filter engine and retrieves the full path of each EDR process.
WFP filters and conditions are then configured to block outgoing connections for these processes at the ALE_AUTH_CONNECT layer for both IPv4 and IPv6. A custom function is used to derive the application identifier from the file name in order to bypass potential EDR interception.
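From the defender's side, the filters described above leave a visible footprint in the WFP filter store: a block action at an ALE_AUTH_CONNECT layer conditioned on a single application path. The following added example (written for this page, not code from EDRSilencer or any vendor) scans a filter export for that pattern; it assumes the XML layout of a `netsh wfp show filters` export, and the filter keys, names and paths in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Layers and condition field a per-application outbound block filter uses.
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}
APP_ID_FIELD = "FWPM_CONDITION_ALE_APP_ID"

# Constructed sample shaped like a `netsh wfp show filters` export (element names
# are an assumption about that export; keys, names and paths are made up).
SAMPLE_XML = """<wfpdiag><filters>
<item><filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
  <displayData><name>Custom Outbound Filter</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\\device\\harddiskvolume3\\program files\\edr\\sensor.exe</asString></byteBlob></conditionValue>
  </item></filterCondition></item>
<item><filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
  <displayData><name>Block Inbound Telnet</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterCondition><item><fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
    <conditionValue><uint16>23</uint16></conditionValue></item></filterCondition></item>
</filters></wfpdiag>"""


def find_app_block_filters(xml_text, watch=("edr", "sensor", "elastic-agent")):
    """Return filters that block one specific executable at an ALE_AUTH_CONNECT layer.

    `watch` is a hypothetical list of substrings naming security-agent binaries;
    a hit that matches it deserves immediate attention, the rest still merit review.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for flt in root.find("filters").findall("item"):  # top-level filters only
        layer = flt.findtext("layerKey", "")
        action = flt.findtext("action/type", "")
        if layer not in CONNECT_LAYERS or action != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != APP_ID_FIELD:
                continue
            path = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            hits.append({
                "filter_key": flt.findtext("filterKey"),
                "name": flt.findtext("displayData/name"),
                "layer": layer,
                "app_path": path,
                "matches_watchlist": any(w in path for w in watch),
            })
    return hits
```

Run against a real export, any hit whose `app_path` is a security agent and whose filter was not created by your own firewall tooling is worth investigating.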
Editing the hosts file to cut off Endpoint Detection and Response (EDR) network communication is not an effective way around these tools, because the full set of cached and listed addresses is hard to track. A more promising approach is configuring a rogue proxy to intercept EDR telemetry.
Setting a system-wide proxy for a running EDR service is difficult because EDR services often run with high privileges and may have server-side specified proxy settings that override local configurations.
Techniques like manipulating environment variables in real-time to enforce the proxy are unreliable due to program-specific logic, remote process modification challenges, and static variable storage.
EDR agents communicate with cloud servers and send telemetry data. For EDR evasion, a rogue proxy approach can be implemented to intercept and manipulate EDR agent communication.
WinDivert, a user-mode packet capture and manipulation driver, can be used to build a transparent proxy that filters packets against predefined rules or inspects payloads to identify and block telemetry containing EDR alerts.
However, some EDRs, like Elastic Endpoint, implement countermeasures like trusted certificates, making it difficult to establish a transparent TLS connection, while the lack of consistent packet size patterns for telemetry data makes it impractical to selectively filter packets based on size.
EDRPrison is a tool that improves on EDR telemetry silencing by using WinDivert for efficient packet interception and filtering, whereas the earlier EDRSilencer relies on process manipulation and is more exposed to detection.
EDRPrison retrieves PIDs of EDR processes and correlates them with packets using WinDivert_ADDRESS, eliminating the need for frequent calls to GetExtendedTcpTable.
According to 3NailsInfoSec, it significantly reduces overhead and improves efficiency. By selectively filtering packets based on their originating processes, EDRPrison can block EDR communication while maintaining endpoint functionality.