Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity

Oct 16, 2024 | Ravie Lakshmanan | Endpoint Security / Malware

Threat actors are attempting to abuse the open-source EDRSilencer tool as part of efforts to tamper with endpoint detection and response (EDR) solutions and hide malicious activity.

Trend Micro said it detected “threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.”

EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is designed to block the outbound traffic of running EDR processes using the Windows Filtering Platform (WFP).

It supports terminating various processes related to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.

By incorporating such legitimate red teaming tools into their arsenal, the goal is to render EDR software ineffective and make it far more challenging to identify and remove malware.

“The WFP is a powerful framework built into Windows for creating network filtering and security applications,” Trend Micro researchers said. “It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications.”

“WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.”

EDRSilencer takes advantage of WFP by dynamically identifying running EDR processes and creating persistent WFP filters to block their outbound network communications on both IPv4 and IPv6, thereby preventing security software from sending telemetry to its management consoles.

The attack essentially works by scanning the system to gather a list of running processes associated with common EDR products, followed by running EDRSilencer with the argument “blockedr” (e.g., EDRSilencer.exe blockedr) to inhibit outbound traffic from those processes by configuring WFP filters.
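One way a defender can audit a host for this condition is to export the WFP filter set with `netsh wfp show filters` and look for BLOCK filters at the outbound-connect layers that are scoped to a single program on IPv4 and IPv6. The Python below is an added example (not code from the article or from Trend Micro); the element names assumed for the export, the layer names, and the sample paths are assumptions, and the sample export is constructed inline.

```python
"""Report WFP filters that block one program's outbound traffic (added
example).  Input is the XML that `netsh wfp show filters` exports; the
element names are assumed from that export format and the sample export
below is constructed."""
import xml.etree.ElementTree as ET

# Outbound-connect layers on IPv4 and IPv6 (assumed layer names).
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4": "IPv4",
                   "FWPM_LAYER_ALE_AUTH_CONNECT_V6": "IPv6"}
# Constructed path of a hypothetical EDR agent binary.
EDR_PATH = r"\device\harddiskvolume3\program files\examplevendor\edr-agent.exe"

def _filter_xml(layer, action, value):
    """Build one constructed <item> in the shape of netsh's export."""
    return (f"<item><displayData><name>Custom Outbound Filter</name></displayData>"
            f"<layerKey>{layer}</layerKey><action><type>{action}</type></action>"
            f"<filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>"
            f"<conditionValue><byteBlob><asString>{value}</asString></byteBlob>"
            f"</conditionValue></item></filterCondition></item>")

# Constructed export: v4 and v6 blocks on the EDR agent plus an unrelated permit.
SAMPLE_EXPORT = "<wfpdiag><filters>" + "".join([
    _filter_xml("FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_BLOCK", EDR_PATH),
    _filter_xml("FWPM_LAYER_ALE_AUTH_CONNECT_V6", "FWP_ACTION_BLOCK", EDR_PATH),
    _filter_xml("FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_PERMIT",
                r"\device\harddiskvolume3\program files\exampleapp\updater.exe"),
]) + "</filters></wfpdiag>"

def find_app_block_filters(xml_text):
    """Return (ip_version, app_path) for every BLOCK filter at an
    outbound-connect layer whose condition is an application ID."""
    hits = []
    for item in ET.fromstring(xml_text).iter("item"):
        layer = item.findtext("layerKey")
        if layer not in OUTBOUND_LAYERS or item.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in item.iterfind("filterCondition/item"):
            if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID":
                app = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
                hits.append((OUTBOUND_LAYERS[layer], app))
    return hits

def blocked_apps(xml_text):
    """Map each silenced program to the IP versions blocked, for review
    against the EDR binaries expected to be running on the host."""
    by_app = {}
    for ipv, app in find_app_block_filters(xml_text):
        by_app.setdefault(app, set()).add(ipv)
    return by_app
```

Run `blocked_apps()` over a real export and compare the listed paths against the EDR agent binaries deployed on the host; a security agent appearing with both IPv4 and IPv6 blocked is the pattern described above.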

“This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention,” the researchers said. “This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.”

The development comes as ransomware groups’ use of formidable EDR-killing tools like AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator is on the rise, with these programs weaponizing vulnerable drivers to escalate privileges and terminate security-related processes.

“EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned,” Trend Micro said in a recent analysis.

“It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools.”
