Threat actors are increasingly turning to the open-source tool EDRSilencer as a means to bypass endpoint detection and response (EDR) systems, according to recent findings from Trend Micro researchers.
About EDRSilencer
This software, originally designed for red teaming exercises, is now being misused to effectively “silence” EDR solutions. EDRSilencer operates by utilizing the Windows Filtering Platform (WFP), which enables the creation of tailored rules to monitor, block, and modify network traffic.
As explained by the researchers, “The code leverages WFP by dynamically identifying running EDR processes and creating WFP filters to block their outbound network communications on both the internet protocols IPv4 and IPv6, effectively preventing EDRs from sending telemetry or alerts to their management consoles.”
EDRSilencer currently detects processes from a wide range of EDR products, including:
- Carbon Black EDR
- Cybereason
- ESET Inspect
- SentinelOne
- Trellix EDR
- Microsoft Defender for Endpoint
- Microsoft Defender Antivirus
- Tanium
- TrendMicro Apex One
- And others
Moreover, Trend Micro researchers noted that when certain processes are not explicitly listed within the tool, they can still be blocked by implementing additional rules.
The Rise of EDR Evasion Tools
The landscape of EDR evasion tools has expanded significantly, with groups like FIN7 marketing AvNeutralizer (also known as AuKill) to various ransomware factions since early 2023. This tool employs Windows’ TTD Monitor Driver and the Sysinternals Process Explorer driver to disrupt or crash protected EDR processes.
RansomHub RaaS has been utilizing EDRKillShifter, while other RaaS actors have adopted PoorTry (also referred to as BurntCigar), a driver specifically designed to target and terminate security products. Additionally, Qilin ransomware attackers have been using “Killer Ultra,” which exploits a vulnerable Zemana driver to disable EDR and antivirus processes.
Despite the differing mechanisms of these tools, the outcome remains consistent: endpoint security solutions are rendered ineffective.
According to ExtraHop researchers, “EDR evasion tools are typically sold as subscription services, starting as low as 0 per month or 0 for a single bypass. The low price point makes these tools highly accessible to ransomware affiliates and other threat actors, including those with lower levels of technical proficiency.” On the higher end, some listings have been observed priced at ,500, and even as high as ,000 for packages that include EDR evasion capabilities alongside encryption lockers.
In light of these developments, Trend Micro researchers recommend that organizations implement advanced detection mechanisms and proactive threat hunting strategies to mitigate the risks posed by EDR-killing tools. Additionally, Intel471 researchers have recently outlined methods for tracking EDRKillshifter, while ConnectWise Cyber Research has provided guidance on safeguarding organizations against BYOVD-based tools.
