EDRSilencer

Tech Optimizer
November 18, 2025
A newly released open-source tool called SilentButDeadly, developed by Ryan Framiñán and launched on November 2, 2025, can disable Endpoint Detection and Response (EDR) systems and antivirus software without terminating processes. It exploits the Windows Filtering Platform to sever cloud connectivity for security products, leaving systems vulnerable to attacks. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges, then scanning for active EDR processes like SentinelOne and Windows Defender. It establishes network filters that block communications for these security applications, preventing them from receiving updates or transmitting telemetry data. The tool also attempts to disable EDR services by changing their startup types. SilentButDeadly features dynamic, self-cleaning filters and builds on techniques from EDRSilencer, introducing enhanced operational safety. Organizations using cloud-based threat detection face risks when their security solutions lose connectivity. Security teams are advised to monitor Windows event logs for specific filter creation events and implement real-time monitoring and redundant communication channels for EDR telemetry.
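The filter-creation monitoring recommended above, as an added defender-side check that is not part of the post or of either tool described. It reviews Windows Filtering Platform filter-change audit events and then inspects the live filter set for block filters tied to security-product binaries; the EDR process names, the 5447 event field names and the layout of the netsh export are assumptions.

```powershell
# Added defensive check (not from the post, EDRSilencer or SilentButDeadly).
# Run elevated. Part 1 needs "Audit Filtering Platform Policy Change" enabled so that
# WFP filter adds/deletes are written to the Security log as Event ID 5447.
$EdrNames = @('MsMpEng', 'MsSense', 'SenseIR', 'SentinelAgent', 'elastic-agent', 'xagt')  # assumed names

# --- Part 1: recent WFP filter changes from the Security log ---
$filt = @{ LogName = 'Security'; Id = 5447; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filt -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # field names assumed
    $txt = "$($d.FilterName) $($d.Conditions)"
    # Surface block filters and any filter whose name/conditions reference a security product
    if ($d.Action -match 'Block' -or ($EdrNames | Where-Object { $txt -match $_ })) {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Change   = $d.ChangeType
            Layer    = $d.LayerName
            Action   = $d.Action
            Filter   = $d.FilterName
            Provider = $d.ProviderName
            ByPid    = $d.ProcessId
        }
    }
}

# --- Part 2: live filter state, independent of whether auditing was on when filters were added ---
$out = Join-Path $env:TEMP 'wfp_filters.xml'
netsh wfp show filters file="$out" | Out-Null
[xml]$wfp = Get-Content $out
foreach ($f in $wfp.wfpdiag.filters.item) {      # element names assumed from the netsh XML export
    $name  = $f.displayData.name
    # App-ID conditions carry the NT path of the filtered executable as a string
    $conds = ($f.filterCondition.item | ForEach-Object { $_.conditionValue.byteBlob.asString }) -join ' '
    $isBlock = $f.action.type -eq 'FWP_ACTION_BLOCK'
    $hitsEdr = $EdrNames | Where-Object { "$name $conds" -match $_ }
    if ($isBlock -and $hitsEdr) {
        [pscustomobject]@{
            FilterId = $f.filterId
            Name     = $name
            Layer    = $f.layerKey
            Provider = $f.providerKey
        }
    }
}
Remove-Item $out -ErrorAction SilentlyContinue
```

Any hit from Part 2 with no matching add in Part 1 indicates the filter was created while auditing was off, which is itself worth investigating.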
Tech Optimizer
March 31, 2025
Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use sophisticated strategies to disable defenses early in attacks. Cisco Talos reported that in nearly half of the ransomware incidents they handled in 2024, attackers successfully employed "EDR killers" to neutralize endpoint detection and response (EDR) systems, achieving success 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats to organizational security. EDRKillShifter exploits vulnerable drivers on Windows machines to terminate EDR products, a tactic observed in operations by rival gangs like Medusa, BianLian, and Play. The primary goal of these tools is to disable EDR protections, allowing attackers to operate undetected, complicating system recovery efforts. Recovery often requires wiping and rebuilding entire networks if robust backups are available. Some EDR killers, like HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection systems. Attackers have exploited misconfigured systems, particularly EDR products set to audit-only mode, which detect but do not block malicious activity. LockBit has remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024. Newcomer RansomHub secured the second position with 11 percent of posts to leak sites. The effectiveness of law enforcement actions plays a significant role in shaping the ransomware landscape.
Tech Optimizer
October 18, 2024
Threat actors are increasingly using the open-source tool EDRSilencer to evade endpoint detection and response (EDR) solutions. EDRSilencer, inspired by MDSec's NightHawk FireBlock, obstructs outbound traffic from active EDR processes by utilizing the Windows Filtering Platform (WFP). It can terminate processes associated with various EDR products, including those from Microsoft, Elastic, Trellix, and Qualys. By employing EDRSilencer, malicious actors aim to render EDR software ineffective, complicating malware identification and removal. The tool dynamically identifies active EDR processes and establishes persistent filters to inhibit their outbound communications, preventing security software from transmitting telemetry data. This tactic enhances the likelihood of successful attacks without detection. Additionally, ransomware groups are utilizing advanced EDR-killing tools like AuKill and EDRKillShifter, which exploit vulnerable drivers to escalate privileges and terminate security processes, showcasing a sophisticated approach to evading detection. EDRKillShifter employs advanced persistence mechanisms to maintain its presence within a system and disrupt security processes in real-time.