Attackers deploying red teaming tool for EDR evasion

Threat actors are abusing the open-source EDRSilencer tool to evade endpoint detection and response (EDR) systems, Trend Micro researchers have observed.

About EDRSilencer

The software, which is intended for red teaming, is being abused to “silence” EDR solutions.

It works by leveraging the Windows Filtering Platform (WFP), which allows the creation of custom rules to monitor, block, and modify network traffic.

“The code leverages WFP [Windows Filtering Platform] by dynamically identifying running EDR processes and creating WFP filters to block their outbound network communications on both the internet protocols IPv4 and IPv6, effectively preventing EDRs from sending telemetry or alerts to their management consoles,” the researchers explained.

[Figure: How EDRSilencer operates (Source: Trend Micro)]

It currently recognizes the processes of a wide variety of EDR products: Carbon Black EDR, Cybereason, ESET Inspect, SentinelOne, Trellix EDR, Microsoft Defender for Endpoint and Microsoft Defender Antivirus, Tanium, Trend Micro Apex One, and others.

Trend Micro researchers also found that processes not on the tool's hardcoded list can still be silenced: the attackers simply added filters for them manually.
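The detection side of the mechanism described above, as an added example that is not code from Trend Micro's report or from EDRSilencer itself. On a Windows host, `netsh wfp show filters file=filters.xml` dumps every installed WFP filter; the script below parses such a dump and flags BLOCK filters at the outbound ALE_AUTH_CONNECT_V4/V6 layers whose ALE_APP_ID condition points at an EDR binary, which is the shape of filter EDRSilencer installs. The embedded XML is constructed for the example and only approximates the netsh layout, so the element names it assumes and the process names in `EDR_BINARIES` should be checked against a real dump and your own deployment.

```python
"""Hunt for WFP filters that silence EDR agents (EDRSilencer-style).

Added example. Input is the XML written by `netsh wfp show filters file=...`;
the element names below are an assumption about that layout, and the sample
dump at the bottom is constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Outbound connect layers (IPv4 and IPv6) where such block filters are placed.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Assumed executable names for some products named in the article; verify per environment.
EDR_BINARIES = {
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe",  # Microsoft Defender / MDE
    "sentinelagent.exe",                                 # SentinelOne
    "cb.exe",                                            # Carbon Black
    "cybereasonav.exe",                                  # Cybereason
    "ntrtscan.exe",                                      # Trend Micro Apex One
    "ekrn.exe",                                          # ESET
}


@dataclass(frozen=True)
class SilencedProcess:
    filter_name: str
    layer: str
    app_path: str


def _text(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def find_edr_block_filters(xml_text, edr_binaries=EDR_BINARIES):
    """Return BLOCK filters at outbound connect layers whose app ID is an EDR binary."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        if item.find("filterKey") is None:  # skip condition <item>s, keep filter entries
            continue
        layer = _text(item, "layerKey")
        action = _text(item, "action/type")
        if layer not in OUTBOUND_LAYERS or action != "FWP_ACTION_BLOCK":
            continue
        for cond in item.findall("filterCondition/item"):
            if _text(cond, "fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app_path = _text(cond, "conditionValue/byteBlob/asString")
            exe = app_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in edr_binaries:
                hits.append(SilencedProcess(_text(item, "displayData/name"), layer, app_path))
    return hits


def _filter(name, layer, action, path):
    # Helper that builds one constructed filter entry for the sample dump.
    return f"""
    <item>
      <filterKey>{{00000000-0000-0000-0000-00000000000{len(name)}}}</filterKey>
      <displayData><name>{name}</name></displayData>
      <layerKey>{layer}</layerKey>
      <action><type>{action}</type></action>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob><asString>{path}</asString></byteBlob>
          </conditionValue>
        </item>
      </filterCondition>
    </item>"""


# Constructed sample: two silencing filters, one benign permit, one block on a non-EDR app.
SAMPLE_NETSH_XML = "<wfpdiag><filters>" + "".join([
    _filter("Sample Block A", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_BLOCK",
            r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"),
    _filter("Sample Permit", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_PERMIT",
            r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"),
    _filter("Sample Block B", "FWPM_LAYER_ALE_AUTH_CONNECT_V6", "FWP_ACTION_BLOCK",
            r"\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe"),
    _filter("Sample Block C", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_BLOCK",
            r"\device\harddiskvolume3\windows\system32\curl.exe"),
]) + "</filters></wfpdiag>"

if __name__ == "__main__":
    for hit in find_edr_block_filters(SAMPLE_NETSH_XML):
        print(f"EDR silenced: {hit.app_path} via filter '{hit.filter_name}' at {hit.layer}")
```

On a live host, feed it the real dump (`find_edr_block_filters(open("filters.xml").read())`) and treat any hit as a high-confidence sign that telemetry from that agent is being dropped, regardless of what the filter is named or which provider it claims.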

The rise of EDR evasion tools

FIN7 has been selling AvNeutralizer (aka AuKill) to multiple ransomware groups since early 2023. The tool uses Windows' TTD Monitor Driver and the Sysinternals Process Explorer driver to "hang" or crash protected EDR processes.

The RansomHub RaaS has been using EDRKillShifter, and a variety of RaaS actors have been leveraging PoorTry (aka BurntCigar), a driver that targets security products for termination.

Qilin ransomware attackers have been leveraging “Killer Ultra”, which uses a vulnerable Zemana driver to terminate EDR and antivirus processes.

The mechanisms employed by the various tools may differ but the effect is the same: endpoint security solutions are prevented from functioning as they should.

“EDR evasion tools are typically sold as subscription services, starting as low as $350 per month or $300 for a single bypass. The low price point makes these tools highly accessible to ransomware affiliates and other threat actors, including those with lower levels of technical proficiency,” ExtraHop researchers shared.

“On the higher end, ExtraHop noticed several recent listings where threat actors priced their EDR bypass offerings for $7,500, and as high as $10,000 for a listing that packaged EDR evasion capabilities within an encryption locker.”

Organizations should employ advanced detection mechanisms and threat hunting strategies to counteract EDR-killing tools, Trend Micro researchers advised.

Intel471 researchers have recently described how to hunt for EDRKillShifter, and ConnectWise Cyber Research has shared advice on protecting organizations against BYOVD-based tools.
