security threat

Threat actors are increasingly using the open-source tool EDRSilencer to bypass endpoint detection and response (EDR) systems. EDRSilencer, originally designed for red teaming, silences EDR solutions by utilizing the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes. It detects processes from various EDR products, including Carbon Black EDR, Cybereason, ESET Inspect, SentinelOne, Microsoft Defender, and others. Additional rules can be implemented to block processes not explicitly listed in the tool. The landscape of EDR evasion tools has expanded, with groups like FIN7 marketing AvNeutralizer to ransomware factions. Other tools include EDRKillShifter and PoorTry, which target and terminate security products. These tools are often sold as subscription services, making them accessible to threat actors with varying technical skills. Prices for these tools range from [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: Threat actors are increasingly turning to the open-source tool EDRSilencer as a means to bypass endpoint detection and response (EDR) systems, according to recent findings from Trend Micro researchers. About EDRSilencer This software, originally designed for red teaming exercises, is now being misused to effectively “silence” EDR solutions. EDRSilencer operates by utilizing the Windows Filtering Platform (WFP), which enables the creation of tailored rules to monitor, block, and modify network traffic. As explained by the researchers, “The code leverages WFP by dynamically identifying running EDR processes and creating WFP filters to block their outbound network communications on both the internet protocols IPv4 and IPv6, effectively preventing EDRs from sending telemetry or alerts to their management consoles.” EDRSilencer currently detects processes from a wide range of EDR products, including: Carbon Black EDR Cybereason ESET Inspect SentinelOne Trellix EDR Microsoft Defender for Endpoint Microsoft Defender Antivirus Tanium TrendMicro Apex One And others Moreover, Trend Micro researchers noted that when certain processes are not explicitly listed within the tool, they can still be blocked by implementing additional rules. The Rise of EDR Evasion Tools The landscape of EDR evasion tools has expanded significantly, with groups like FIN7 marketing AvNeutralizer (also known as AuKill) to various ransomware factions since early 2023. This tool employs Windows’ TTD Monitor Driver and the Sysinternals Process Explorer driver to disrupt or crash protected EDR processes. RansomHub RaaS has been utilizing EDRKillShifter, while other RaaS actors have adopted PoorTry (also referred to as BurntCigar), a driver specifically designed to target and terminate security products. Additionally, Qilin ransomware attackers have been using “Killer Ultra,” which exploits a vulnerable Zemana driver to disable EDR and antivirus processes. Despite the differing mechanisms of these tools, the outcome remains consistent: endpoint security solutions are rendered ineffective. According to ExtraHop researchers, “EDR evasion tools are typically sold as subscription services, starting as low as 0 per month or 0 for a single bypass. The low price point makes these tools highly accessible to ransomware affiliates and other threat actors, including those with lower levels of technical proficiency.” On the higher end, some listings have been observed priced at ,500, and even as high as ,000 for packages that include EDR evasion capabilities alongside encryption lockers. In light of these developments, Trend Micro researchers recommend that organizations implement advanced detection mechanisms and proactive threat hunting strategies to mitigate the risks posed by EDR-killing tools. Additionally, Intel471 researchers have recently outlined methods for tracking EDRKillshifter, while ConnectWise Cyber Research has provided guidance on safeguarding organizations against BYOVD-based tools." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] per month to ,500 or more for comprehensive packages. Trend Micro researchers recommend advanced detection mechanisms and proactive threat hunting strategies to mitigate risks from EDR-killing tools.