Attackers Deploying Red Teaming Tool for EDR Evasion
Summary:
Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry. EDRSilencer currently targets various EDR products, when processes aren’t pre-coded in the tool, additional rules can be applied to block them.
Threat actors are increasingly using the open-source EDRSilencer tool to evade endpoint detection and response (EDR) systems, as identified by Trend Micro researchers. EDRSilencer, originally designed for red teaming exercises, is now being abused by attackers to “silence” EDR solutions, effectively neutralizing their ability to detect malicious activities.
Security Officer Comments:
EDRSilencer is part of a growing trend where sophisticated EDR evasion tools are being developed and sold on underground marketplaces. For example, the FIN7 group has been selling the AuKill tool to ransomware groups since early 2023. This tool leverages Windows’ TTD Monitor Driver and Process Explorer Driver to crash or “hang” EDR processes, rendering them inoperable.
Suggested Corrections:
Researchers at Trend Micro recommend the following mitigations:
https://www.helpnetsecurity.com/2024/10/15/edr-evasion-edrsilencer/
https://www.trendmicro.com/en_us/re...r-disrupting-endpoint-security-solutions.html
Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry. EDRSilencer currently targets various EDR products, when processes aren’t pre-coded in the tool, additional rules can be applied to block them.
Threat actors are increasingly using the open-source EDRSilencer tool to evade endpoint detection and response (EDR) systems, as identified by Trend Micro researchers. EDRSilencer, originally designed for red teaming exercises, is now being abused by attackers to “silence” EDR solutions, effectively neutralizing their ability to detect malicious activities.
Security Officer Comments:
EDRSilencer is part of a growing trend where sophisticated EDR evasion tools are being developed and sold on underground marketplaces. For example, the FIN7 group has been selling the AuKill tool to ransomware groups since early 2023. This tool leverages Windows’ TTD Monitor Driver and Process Explorer Driver to crash or “hang” EDR processes, rendering them inoperable.
Suggested Corrections:
Researchers at Trend Micro recommend the following mitigations:
- Implementing multi-layered security controls
- Network segmentation - Isolate critical systems and sensitive data to limit lateral movement
- Defense-in-depth - Use multiple layers of security controls (including firewalls, intrusion detection systems, antivirus, and EDR) to create redundancy.
- Enhancing endpoint security
- Behavioral analysis - Deploy security solutions that use behavioral analysis and anomaly detection to identify unusual activities that might bypass traditional EDR
- Application whitelisting - Only allow approved applications to run, reducing the risk of malicious software execution.
- Conducting continuous monitoring and threat hunting
- Threat hunting - Proactively search for indicators of compromise (IoCs) and advanced persistent threats (APTs) within your network.
- Implementing strong access controls
- Principle of least privilege - Ensure users and applications have the minimum level of access necessary to perform their functions.
https://www.helpnetsecurity.com/2024/10/15/edr-evasion-edrsilencer/
https://www.trendmicro.com/en_us/re...r-disrupting-endpoint-security-solutions.html