Hackers Weaponizing Free Trials of EDR to Disable Existing EDR Protections
Researchers have documented an attack technique in which attackers obtain free trials of Endpoint Detection and Response (EDR) software and use the trial agent to disable the security protections already running on a compromised system.
This method, dubbed BYOEDR (Bring Your Own EDR), represents a concerning evolution in defense evasion tactics that leverage legitimate security tools as weapons against themselves.
Key Takeaways
1. Attackers use free EDR trials to disable existing security tools.
2. The technique (BYOEDR) needs little skill, works reliably, and sidesteps the incumbent EDR's tamper protection.
3. Defenders should restrict unauthorized installs and improve validation.
Exploiting EDR Trial Programs
The attack technique was first identified by researchers Mike Manrod and Ezra Woods, who discovered that threat actors can obtain free trials of EDR products and use them to neutralize competing security solutions already deployed on target systems.
In their testing, they showed that Cisco Secure Endpoint (AMP) could be installed and configured to disable both CrowdStrike Falcon and Elastic Defend without triggering an alert; the only telemetry the victim's EDR console produced was the host going offline.
According to Manrod and Woods, the process relies on nothing more than the product's ordinary administrative features. With local administrator privileges already in hand, the attacker registers for a free EDR trial, downloads the agent installer, and deploys the agent on the target system, enrolling it in a tenant the attacker controls.
The attacker then navigates to the Management > Policies section of the EDR console, opens the "Protect" policy for Windows, and removes every entry on the Exclusions tab. Default exclusion lists typically cover other security products so that agents can coexist; removing them lets the trial agent act against the incumbent.
The final step is to obtain the SHA256 hash of the target EDR's executable and add it to the "Blocked Application List" under Outbreak Control > Blocked Application. Once the hash is on that list, the trial agent prevents the incumbent EDR from running.
What makes this technique particularly dangerous is that it sidesteps tamper protection. Tamper protection is built to stop a local administrator from stopping or uninstalling the agent directly; it does not anticipate a second, fully trusted security agent blocking the first one's executable.
Unlike more complex evasion methods such as BYOVD (Bring Your Own Vulnerable Driver) or DLL-unhooking techniques, BYOEDR presents a lower complexity approach while maintaining high effectiveness.
Mitigations
This attack method emerges against a backdrop of increasing RMM (Remote Monitoring and Management) tool abuse; the 2024 CrowdStrike Threat Hunting Report recorded a 70% year-over-year increase in such activity.
The legitimacy of EDR tools makes them particularly effective for malicious purposes: their binaries are signed by trusted vendors and are treated as trusted by other controls, so their installation and activity are far less likely to be flagged.
Security experts recommend implementing application control measures, custom IOAs (Indicators of Attack), and application-aware firewalls to block unauthorized RMM and EDR installations.
Additionally, fundamental security practices, including proper network segmentation, host hardening, regular patching, and limiting local administrator privileges, remain crucial defenses.
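As an added example that is not part of the article or the researchers' work, the following Python sketches the detection that the mitigation advice implies: it watches for a second EDR vendor's agent service being installed (the deployment step in the procedure above) on a host that already runs the sanctioned agent, and escalates when the sanctioned agent's service stops shortly afterwards, which is the only signal the researchers reported seeing. The vendor service-name patterns, the sanctioned vendor, the flattened log format and the log lines themselves are all constructed assumptions.

```python
"""Flag a second EDR vendor's agent being installed on a host that already runs
the sanctioned EDR; escalate if the sanctioned agent stops soon afterwards.
Added example, not code from the article or its researchers. Vendor
signatures, the sanctioned vendor and the log lines are constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: the EDR this fleet is supposed to run.
SANCTIONED_VENDOR = "CrowdStrike"

# Assumed case-insensitive substrings identifying each vendor's agent service
# names or install paths; tune these against your own software inventory.
EDR_SIGNATURES = {
    "CrowdStrike": ("csfalconservice", "csagent", "crowdstrike"),
    "Elastic": ("elastic-endpoint", "elastic endpoint", "elastic-agent"),
    "Cisco": ("ciscoamp", "cisco\\amp", "secure endpoint"),
    "SentinelOne": ("sentinelagent", "sentinelone"),
}

# Constructed Windows System-log records flattened to one line each.
# 7045 = "A service was installed in the system"; 7036 = service state change.
SAMPLE_LOG = """\
2024-08-12T14:02:11Z host=WS-0412 EventID=7045 ServiceName="CSFalconService" ImagePath="C:\\Program Files\\CrowdStrike\\CSFalconService.exe"
2024-08-12T14:31:47Z host=WS-0412 EventID=7045 ServiceName="CiscoAMP_8.4.1" ImagePath="C:\\Program Files\\Cisco\\AMP\\8.4.1\\sfc.exe"
2024-08-12T14:33:02Z host=WS-0412 EventID=7045 ServiceName="Print Helper" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2024-08-12T14:38:20Z host=WS-0412 EventID=7036 ServiceName="CSFalconService" State="stopped"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) ServiceName="(?P<svc>[^"]*)"'
    r'(?: ImagePath="(?P<path>[^"]*)")?(?: State="(?P<state>[^"]*)")?$'
)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    service: str
    path: str
    state: str


@dataclass
class Finding:
    host: str
    service: str
    vendor: str
    path: str
    severity: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the flattened log format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            host=m["host"], event_id=int(m["eid"]), service=m["svc"],
            path=m["path"] or "", state=m["state"] or ""))
    return events


def classify_vendor(service: str, path: str) -> Optional[str]:
    """Return the EDR vendor a service name/path belongs to, or None if unrecognized."""
    haystack = f"{service} {path}".lower()
    for vendor, needles in EDR_SIGNATURES.items():
        if any(n in haystack for n in needles):
            return vendor
    return None


def find_rogue_edr_installs(events, sanctioned=SANCTIONED_VENDOR,
                            window=timedelta(minutes=15)) -> list:
    """Every 7045 installing a non-sanctioned EDR agent is a finding. If the
    sanctioned agent's service stops on the same host within `window` after
    the install, the finding is escalated: the stop corroborates the install."""
    findings = []
    for ev in events:
        if ev.event_id != 7045:
            continue
        vendor = classify_vendor(ev.service, ev.path)
        if vendor is None or vendor == sanctioned:
            continue  # ordinary software, or the agent we expect to see
        severity = "high"
        detail = f"{vendor} agent installed; fleet standard is {sanctioned}"
        for later in events:
            if (later.host == ev.host and later.event_id == 7036
                    and later.state.lower() == "stopped"
                    and classify_vendor(later.service, later.path) == sanctioned
                    and ev.ts <= later.ts <= ev.ts + window):
                gap = int((later.ts - ev.ts).total_seconds())
                severity = "critical"
                detail += f"; {later.service} stopped {gap}s after the install"
                break
        findings.append(Finding(ev.host, ev.service, vendor, ev.path, severity, detail))
    return findings


if __name__ == "__main__":
    for f in find_rogue_edr_installs(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity.upper()}] {f.host}: {f.service} ({f.vendor}) -> {f.detail}")
```

In a SIEM the same logic maps onto Windows System log Event ID 7045 and 7036 records. The design point is to alert on the rogue agent's installation, which is a signed and legitimate binary, rather than waiting for the victim agent's tamper-protection alarms, which this technique never trips.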
The research team has called for EDR vendors to strengthen validation processes for free trials and implement safeguards preventing agent hijacking between different tenants of the same product.