The Trend Micro Threat Hunting Team has identified an alarming new trend in cyber attacks: malefactors are adopting EDRSilencer, a red team tool designed to interfere with endpoint detection and response (EDR) systems.
Originally developed as a tool for security professionals, EDRSilencer has been repurposed by malicious actors to block EDR communications, helping them slip through the security nets,
A Red Team Tool Turned Dangerous
The tool works by disrupting the transmission of telemetry and alerts from EDR systems to their management consoles, thus hindering the identification and removal of malware.
Leveraging the Windows Filtering Platform (WFP), the tool dynamically identifies active EDR processes on a system and then creates filters to block their outbound communications. This approach is capable of obstructing EDR solutions from reporting potential threats, rendering them effectively blind.
Moreover, during testing, EDRSilencer was found to block other processes not on its initial target list, indicating a broad and flexible effectiveness.
How EDRSilencer Operates
EDRSilencer’s use of the WFP framework—a component of Windows that allows developers to define custom rules for network filtering—shows a clever misuse of legitimate tools for malicious purposes. By blocking traffic associated with EDR processes, attackers can prevent security tools from sending telemetry data or alerts, allowing threats to persist undetected.
The tool’s command-line interface provides attackers with various options for blocking EDR traffic. Options include:
- blockedr: Automatically block traffic from detected EDR processes.
- block <path>: Block traffic from a specified process.
- unblockall: Remove all WFP filters created by the tool.
- unblock <filter id>: Remove a specific filter by ID.
The Attack Chain: From Process Discovery to Impact
The typical attack chain here begins with a process discovery phase, where the tool compiles a list of running processes associated with known EDR products. The attacker then deploys EDRSilencer to block communications either broadly across all detected processes or selectively by specific process paths.
Following privilege escalation, the tool configures WFP filters to block outbound communications for both IPv4 and IPv6 traffic. These filters are persistent, remaining active even after a system reboot.
Once EDR communications are blocked, the bad actor is free to execute malicious payloads with less risk of detection. During Trend Micro’s own testing, it was observed that EDRSilencer could effectively prevent endpoint activity logs from reaching management consoles, allowing attacks to remain concealed.
Implications and Security Recommendations
Trend Micro’s discovery spotlights a growing trend of cybercriminals repurposing legitimate red team tools for malicious use. With EDR capabilities disabled, entities are left vulnerable to more extensive damage from ransomware and other forms of malware.
To defend against tools like EDRSilencer, Trend Micro recommends the following:
- Multi-layered Security Controls: Employ network segmentation to limit lateral movement and leverage defense-in-depth strategies combining firewalls, intrusion detection, antivirus, and EDR solutions.
- Enhanced Endpoint Security: Use behavioral analysis and application whitelisting to detect unusual activities and limit the execution of unauthorized software.
- Continuous Monitoring and Threat Hunting: Proactively search for indicators of compromise (IoCs) and advanced persistent threats (APTs).
- Strict Access Controls: Implement the principle of least privilege to restrict access to sensitive areas of the network.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.