Hackers Abuse EDRSilencer Red Team Tool To Evade Detection


EDRSilencer is a tool designed to enhance data privacy and security by “silencing” or “blocking” unwanted data transmissions from endpoints.

The tool is likely used in conjunction with EDR systems to improve overall cybersecurity measures and also provide an additional layer of protection against “data leaks.”


Trend Micro’s Threat Hunting Team recently found that hackers have been actively abusing the “EDRSilencer” red team tool to evade detection.

EDRSilencer is a recently discovered red team tool that was found abusing the Windows Filtering Platform (“WFP”) to interfere with “EDR” solutions.


EDRs are security tools that monitor computers for malicious activity. This tool can block network communication for various EDR processes by preventing them from sending “alerts” or “telemetry” to management consoles.

It works by dynamically identifying running “EDR processes” and creating “WFP filters” to block their outbound network communications on both “IPv4” and “IPv6.”

These filters persist even after “system reboots.” EDRSilencer offers a “command-line interface” with options to block all detected “EDR processes,” “block specific processes,” or “remove filters.” This effectively showed how threat actors could use this technique to evade detection.

This highlights the ongoing challenge in cybersecurity where tools that are designed to improve security can be “repurposed” for malicious intent, reads the Trend Micro report.

Attack chain of EDRSilencer (Source – Trend Micro)

It also highlights the need for continuous adaptation of “defense strategies.”

EDRSilencer operates through a “multi-step process”:-

  • First, it discovers running EDR processes on the target system.
  • Then, it blocks network traffic from these processes using WFP filters.

These filters are applied persistently, so they survive system reboots. EDRSilencer can block all detected “EDR processes” or “target specific ones” by their “file paths.”
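Because the filters persist and are tied to the EDR binary's path, a defender can hunt for them in a WFP filter export. The following is an added example, not code from the Trend Micro report or from EDRSilencer: it parses the XML that `netsh wfp show filters file=<path>` writes and reports block filters on the outbound-connect layers whose app-id condition names a known EDR executable. The element names are my understanding of that export format and should be confirmed against a real export; the sample XML and the `edragent.exe` name are constructed placeholders.

```python
"""Hunt for WFP block filters aimed at EDR executables (defender-side check).

Element names follow `netsh wfp show filters file=<path>` output as I know it
(an assumption to confirm against a real export). Sample XML is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<filters>
 <item><displayData><name>Allow DNS</name></displayData><flags/>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_PERMIT</type></action><filterCondition/></item>
 <item><displayData><name>Outbound Block</name></displayData>
  <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
   <conditionValue><byteBlob><asString>\\device\\harddiskvolume3\\program files\\vendor\\edragent.exe</asString></byteBlob></conditionValue>
  </item></filterCondition></item>
</filters>"""

# Outbound-connect layers for IPv4 and IPv6, where per-process block filters land.
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}
# Hypothetical EDR binary name; replace with the agents deployed in your estate.
EDR_BINARIES = {"edragent.exe"}


def find_edr_block_filters(xml_text, edr_binaries=EDR_BINARIES):
    """Return one dict per BLOCK filter on an outbound-connect layer whose
    ALE_APP_ID condition names a known EDR binary, noting whether it persists."""
    hits = []
    for item in ET.fromstring(xml_text).findall("item"):
        if item.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        layer = item.findtext("layerKey")
        if layer not in CONNECT_LAYERS:
            continue
        flags = {f.text for f in item.findall("flags/item")}
        for cond in item.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            if app.rsplit("\\", 1)[-1] in edr_binaries:  # compare on file name only
                hits.append({"name": item.findtext("displayData/name"), "layer": layer,
                             "app": app, "persistent": "FWPM_FILTER_FLAG_PERSISTENT" in flags})
    return hits


if __name__ == "__main__":
    for hit in find_edr_block_filters(SAMPLE_XML):
        print(f"[!] {hit['name']}: {hit['app']} blocked at {hit['layer']} persistent={hit['persistent']}")
```

Run it against a real export with `netsh wfp show filters file=filters.xml` and load that file instead of `SAMPLE_XML`; any hit on an EDR binary warrants checking who created the filter.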

EDRSilencer effectively blinds these security systems by preventing EDR tools from sending “telemetry,” “alerts,” and “logs” to their management consoles.

This allows malware and other malicious activities to operate “undetected.”

Testing revealed that while some “EDR processes” initially maintained communication, blocking additional “undocumented processes” confirmed the tool’s effectiveness.

Recommendations

The recommendations are as follows:-

  • Implement multi-layered security controls.
  • Make sure to enhance endpoint security.
  • Conduct continuous monitoring and threat hunting.
  • Implement strong access controls.
