Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity

Oct 16, 2024Ravie LakshmananEndpoint Security / Malware

Threat Actors Exploit EDRSilencer to Evade Detection

In a concerning development within the cybersecurity landscape, threat actors are increasingly leveraging the open-source tool EDRSilencer to undermine endpoint detection and response (EDR) solutions. Trend Micro has reported a notable uptick in attempts to integrate EDRSilencer into malicious attacks, effectively repurposing it to evade detection mechanisms.

EDRSilencer, which draws inspiration from MDSec’s NightHawk FireBlock tool, is engineered to block outbound traffic from running EDR processes by adding filters through the Windows Filtering Platform (WFP). It does not terminate those processes; the EDR keeps running but can no longer reach its cloud or management console. The tool ships with a list of process names covering a variety of EDR products, including those from Microsoft, Elastic, Trellix, Qualys, and many others.

By incorporating legitimate red teaming tools like EDRSilencer, malicious actors aim to render EDR software ineffective, complicating the identification and removal of malware. Trend Micro researchers emphasized the significance of WFP, noting that it is a robust framework embedded in Windows for developing network filtering and security applications. WFP provides developers with APIs to establish custom rules that monitor, block, or modify network traffic based on diverse criteria, including IP addresses and protocols.

EDRSilencer does not exploit a vulnerability in WFP; it uses the documented API as designed. It dynamically identifies running EDR processes and installs persistent WFP filters, keyed on each process’s application ID, that block their outbound communications over both IPv4 and IPv6. Because the filters are persistent, they survive a reboot. The result is that the security software can no longer transmit telemetry or alerts to its management console, so malicious activity on the host proceeds without anyone being notified.

The process begins with a system scan to compile a list of running processes linked to common EDR products. Subsequently, EDRSilencer is executed with the “blockedr” argument (for example, EDRSilencer.exe blockedr), effectively configuring WFP filters to obstruct outbound traffic from these processes. This tactic significantly enhances the likelihood of successful attacks without detection or intervention.
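The defensive counterpart to the procedure above is to hunt for exactly the artifact it leaves behind: a per-application BLOCK filter on the outbound ALE connect layers, usually flagged persistent. The following Python script is an added example written for this article, not Trend Micro’s analysis or EDRSilencer’s code. It parses the XML that `netsh wfp show filters file=filters.xml` writes and reports any outbound block keyed on an EDR binary. The element names follow that export format as I understand it and should be checked against a real export (assumption); the embedded XML is a constructed, trimmed sample, and the filter names in it are made up, which is why the detection keys on layer, action and condition rather than on the name.

```python
"""Hunt for WFP filters that block an EDR sensor's outbound traffic.

Added example (not EDRSilencer's or Trend Micro's code). Input is the XML
written by `netsh wfp show filters file=filters.xml`; element names below
are an assumption about that format and SAMPLE_XML is a constructed sample.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Layers that authorise outbound connections; a BLOCK here cuts the process off.
OUTBOUND_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}

# Partial, constructed watch-list of EDR sensor binaries (Defender for Endpoint,
# Elastic). Extend it with whatever the estate actually runs.
EDR_BINARIES = {
    "mssense.exe", "sensecncproxy.exe", "msmpeng.exe",
    "elastic-agent.exe", "elastic-endpoint.exe",
}

# Constructed sample: two persistent blocks on the Defender sensor (v4 + v6),
# one non-persistent per-app block from a third-party firewall, one PERMIT.
SAMPLE_XML = r"""<wfpdiag><filters>
<item><filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
 <displayData><name>Custom Outbound Filter</name></displayData>
 <flags numItems="1"><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
  <byteBlob><data>00</data><asString>\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe</asString></byteBlob>
 </conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>70001</filterId></item>
<item><filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
 <displayData><name>Custom Outbound Filter</name></displayData>
 <flags numItems="1"><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
 <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
  <byteBlob><data>00</data><asString>\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe</asString></byteBlob>
 </conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>70002</filterId></item>
<item><filterKey>{33333333-3333-3333-3333-333333333333}</filterKey>
 <displayData><name>Acme Firewall: block updater</name></displayData>
 <flags numItems="0"/>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
  <byteBlob><data>00</data><asString>\device\harddiskvolume3\program files\acme\updater.exe</asString></byteBlob>
 </conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>70003</filterId></item>
<item><filterKey>{44444444-4444-4444-4444-444444444444}</filterKey>
 <displayData><name>Allow inbound for sensor</name></displayData>
 <flags numItems="0"/>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
  <byteBlob><data>00</data><asString>\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe</asString></byteBlob>
 </conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_PERMIT</type></action><filterId>70004</filterId></item>
</filters></wfpdiag>"""


@dataclass(frozen=True)
class AppBlock:
    filter_id: int
    name: str
    layer: str
    app_path: str
    persistent: bool


def parse_app_blocks(xml_text):
    """Return every outbound-connect BLOCK filter that is keyed on an app ID."""
    root = ET.fromstring(xml_text)
    filters = root.find("filters")
    if filters is None:
        return []
    found = []
    for item in filters.findall("item"):  # direct children only; nested <item>s are flags/conditions
        layer = item.findtext("layerKey", "")
        action = item.findtext("action/type", "")
        if layer not in OUTBOUND_LAYERS or action != "FWP_ACTION_BLOCK":
            continue
        app_paths = [
            cond.findtext("conditionValue/byteBlob/asString", "")
            for cond in item.findall("filterCondition/item")
            if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID"
        ]
        if not app_paths:
            continue  # block by address/port, not by process: out of scope here
        flags = {f.text for f in item.findall("flags/item")}
        found.append(AppBlock(
            filter_id=int(item.findtext("filterId", "0")),
            name=item.findtext("displayData/name", ""),
            layer=layer,
            app_path=app_paths[0],
            persistent="FWPM_FILTER_FLAG_PERSISTENT" in flags,
        ))
    return found


def flag_edr_blocks(blocks, edr_binaries=EDR_BINARIES):
    """Keep only the blocks whose target binary is on the EDR watch-list."""
    return [b for b in blocks
            if b.app_path.rsplit("\\", 1)[-1].lower() in edr_binaries]


if __name__ == "__main__":
    # Pass a real filters.xml as argv[1]; otherwise run over the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for b in flag_edr_blocks(parse_app_blocks(data)):
        print(f"[!] filterId={b.filter_id} {b.layer} persistent={b.persistent} "
              f"name={b.name!r} -> {b.app_path}")
```

On the constructed sample the script reports filters 70001 and 70002 (the Defender sensor blocked on both IPv4 and IPv6, persistent) and stays silent on the third-party firewall rule and the permit filter. Note that `netsh wfp` can only list filters; removing them needs the FwpmFilterDeleteById0 API or a reboot after the persistent flag has been cleared, so a hit should go to incident response rather than to an automated cleanup.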

Moreover, this trend underscores the ongoing evolution of threat actors, who continuously seek more effective tools to disable antivirus and EDR solutions. The rise of ransomware groups using dedicated EDR-killing tools such as AuKill and EDRKillShifter further complicates the picture. Unlike EDRSilencer, those programs bring their own vulnerable driver (BYOVD) to obtain kernel-level access and terminate security-related processes outright, a more intrusive but noisier approach to evading detection.

Trend Micro’s analysis highlights that EDRKillShifter, for instance, employs advanced persistence mechanisms that ensure its continuous presence within a system, even after initial compromises are addressed. It dynamically disrupts security processes in real-time and adapts its methods in response to evolving detection capabilities, maintaining an edge over traditional EDR tools.

As the cybersecurity realm grapples with these emerging threats, the necessity for robust and adaptive security measures becomes increasingly evident.
