Threat actors are using the red-teaming tool EDRSilencer to identify running security tools and silence the alerts they send to their management interfaces. The researchers explained that these attackers are trying to leverage the tool's functionality to avoid detection.
Endpoint Detection and Response (EDR) products monitor devices and protect them against cyber threats. They use analytics and regularly updated threat information to uncover known and unknown threats, respond automatically, and produce a complete report on a newly identified threat's origin, impact, and means of spread.
EDRSilencer is an open-source tool that detects running EDR processes and uses the Windows Filtering Platform (WFP) to monitor, block, or modify their network traffic over both IPv4 and IPv6.
WFP is commonly used in security products such as firewalls, antivirus software, and other security solutions, and filters added to the platform are persistent. Hence, a malicious entity could also use these capabilities to disrupt the constant data exchange between an EDR tool and its management server by adding new rules, preventing alerts and detailed telemetry reports from being delivered.
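As an added illustration of the mechanism just described (not code from the article or from EDRSilencer), the following Python sketch shows the detection side: it scans a filter export and flags block filters at the ALE connect layers whose application-ID condition names a known EDR executable. The XML layout, the EDR watch-list and the sample filters are constructed assumptions, not the real netsh export schema or the tool's hardcoded list.

```python
import xml.etree.ElementTree as ET

# Hypothetical watch-list of EDR executable names (an assumption for this example,
# not EDRSilencer's own hardcoded list).
EDR_EXECUTABLES = {"msmpeng.exe", "sensecncproxy.exe", "csfalconservice.exe"}

# WFP layers at which an outbound connection can be blocked per application (IPv4/IPv6).
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Constructed sample export in a simplified layout; it is NOT the real netsh schema,
# only a stand-in carrying the fields the detection logic needs.
SAMPLE_EXPORT = """<filters>
<item><filterKey>{aaaaaaaa-0000-0000-0000-000000000001}</filterKey>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
<flags>FWPM_FILTER_FLAG_PERSISTENT</flags><filterCondition><item>
<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<conditionValue>\\device\\harddiskvolume3\\program files\\windows defender\\MsMpEng.exe</conditionValue>
</item></filterCondition></item>
<item><filterKey>{aaaaaaaa-0000-0000-0000-000000000002}</filterKey>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey><action><type>FWP_ACTION_PERMIT</type></action>
<flags></flags><filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<conditionValue>\\device\\harddiskvolume3\\program files\\windows defender\\MsMpEng.exe</conditionValue>
</item></filterCondition></item>
</filters>"""

def exe_name(app_path):
    """Return the lower-cased file name from a Windows drive path or NT device path."""
    return app_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_edr_blocking_filters(xml_text, watch_list=EDR_EXECUTABLES):
    """Flag block filters on connect layers whose app-id condition names a watched EDR binary."""
    hits = []
    for item in ET.fromstring(xml_text).findall("item"):
        if item.findtext("layerKey", "") not in CONNECT_LAYERS:
            continue  # only outbound-connect layers silence EDR reporting
        if item.findtext("action/type", "") != "FWP_ACTION_BLOCK":
            continue  # permit filters are not the pattern of interest
        for cond in item.findall("filterCondition/item"):
            if cond.findtext("fieldKey", "") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            path = cond.findtext("conditionValue", "")
            if exe_name(path) in watch_list:
                hits.append({
                    "filter": item.findtext("filterKey"),
                    "layer": item.findtext("layerKey"),
                    "exe": exe_name(path),
                    "persistent": "PERSISTENT" in (item.findtext("flags") or ""),
                })
    return hits
```

Running `find_edr_blocking_filters(SAMPLE_EXPORT)` returns the single persistent IPv4 block filter on MsMpEng.exe; the permit filter is ignored.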
EDRSilencer currently detects and blocks about 16 contemporary EDR tools.
Investigations suggest that the EDR tools affected by this new EDRSilencer campaign may still be able to send reports, since one or more of their executables are not on the red-team tool's hardcoded list.
Still, EDRSilencer lets attackers add filters for specific processes by specifying their file paths, so the list of targeted programs can be extended to a variety of security tools. In addition, the EDR solution failed to send logs after the tool found and blocked other processes that were not on the hardcoded list, demonstrating the tool's effectiveness.
The researchers say this allows malware and other malicious behaviour to go undetected, increasing the chances of a successful attack without raising suspicion.
Researchers recommend that organisations implement multi-layered security controls to isolate critical systems and create redundancy, using security solutions that provide behavioural analysis and anomaly detection. They should also monitor the network for indicators of compromise and prioritise the protection of assets holding the most important privileges.