Threat actors are using the open-source EDRSilencer tool to blind endpoint detection and response (EDR) solutions and conceal malicious activity.
Trend Micro has identified instances of “threat actors trying to incorporate EDRSilencer into their attacks, repurposing it to avoid detection.”
EDRSilencer is a tool inspired by NightHawk FireBlock from MDSec, designed to block outbound traffic of active EDR processes using the Windows Filtering Platform (WFP).
It does not terminate anything; instead it targets the agents' network traffic, and its built-in list covers processes associated with EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.
By folding legitimate red-team tooling into their operations, threat actors aim to leave EDR agents running but mute, so that telemetry and alerts never reach an analyst, making it harder to identify and remove malware.
“The WFP is a powerful framework in Windows that allows the creation of network filtering and security applications,” explained Trend Micro researchers. “It offers APIs for developers to define custom rules for monitoring, blocking, or modifying network traffic based on different criteria such as IP addresses, ports, protocols, and applications.”
“WFP is commonly used in firewalls, antivirus software, and other security solutions to safeguard systems and networks.”
EDRSilencer enumerates running processes, matches them against its list of EDR executables, and then uses WFP to add persistent filters that block their outbound traffic, preventing the security software from sending data to its management consoles. Because the filters are persistent, they survive a reboot and outlive the EDRSilencer process itself. Adding WFP filters requires administrative privileges, so the tool is run only after the attacker already holds local admin on the host.
Running EDRSilencer with the “blockedr” argument (e.g., EDRSilencer.exe blockedr) makes the tool scan the system for running processes linked to common EDR products and configure WFP filters that obstruct outbound traffic from each matching process.
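The mechanism described above leaves a durable artifact that defenders can look for: persistent WFP filters with a block action on the outbound connect layers, each keyed to an EDR executable through an application-ID condition. The Python script below is an added example, not code from this article, from Trend Micro, or from the EDRSilencer project. It parses a filters.xml export such as `netsh wfp show filters` writes into the current directory and reports block filters that target known EDR images. Assumptions: the element names follow the wfpdiag export format as understood here (verify them against an export from one of your own hosts), the EDR image-name watch-list is assumed rather than taken from the page, and the embedded export is constructed for illustration.

```python
"""Triage a `netsh wfp show filters` export for EDRSilencer-style filters.

Added example, not part of the article or the EDRSilencer project. The XML
layout below follows the wfpdiag export format as understood by the author;
the watch-list and the sample export are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Outbound connection layers; a block here stops the process from calling home.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Assumed watch-list (not from the article) of image names used by some of the
# vendors mentioned above. Extend it for your own estate.
EDR_IMAGE_NAMES = {
    "msmpeng.exe", "mssense.exe", "senseir.exe",        # Microsoft Defender
    "elastic-agent.exe", "elastic-endpoint.exe",        # Elastic
    "sentinelagent.exe", "sentinelservicehost.exe",     # SentinelOne
    "cyserver.exe", "cyveraservice.exe",                # Palo Alto Cortex XDR
    "ntrtscan.exe", "tmbmsrv.exe",                      # Trend Micro
    "taniumclient.exe",                                 # Tanium
}


@dataclass
class Finding:
    filter_id: str
    name: str
    layer: str
    image_path: str
    persistent: bool


def _text(elem: ET.Element, path: str) -> str:
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def _app_id_path(cond: ET.Element) -> Optional[str]:
    """Recover the image path from an ALE_APP_ID condition.

    The export carries the blob as raw hex and usually as a readable string.
    Prefer the string; otherwise decode the hex, which is the NUL-terminated
    UTF-16LE NT device path that WFP compares against.
    """
    as_string = _text(cond, "./conditionValue/byteBlob/asString")
    if as_string:
        return as_string
    raw = _text(cond, "./conditionValue/byteBlob/data")
    if not raw:
        return None
    return bytes.fromhex(raw).decode("utf-16-le").rstrip("\x00")


def find_edr_block_filters(filters_xml: str) -> List[Finding]:
    """Return BLOCK filters on outbound-connect layers keyed to an EDR image."""
    root = ET.fromstring(filters_xml)
    findings: List[Finding] = []
    for item in root.iterfind("./filters/item"):
        if _text(item, "./action/type") != "FWP_ACTION_BLOCK":
            continue
        layer = _text(item, "./layerKey")
        if layer not in OUTBOUND_LAYERS:
            continue
        flags = {f.text.strip() for f in item.iterfind("./flags/item") if f.text}
        for cond in item.iterfind("./filterCondition/item"):
            if _text(cond, "./fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            path = _app_id_path(cond)
            if not path:
                continue
            image = path.lower().rsplit("\\", 1)[-1]   # last path component
            if image in EDR_IMAGE_NAMES:
                findings.append(Finding(
                    filter_id=_text(item, "./filterId"),
                    name=_text(item, "./displayData/name"),
                    layer=layer,
                    image_path=path,
                    persistent="FWPM_FILTER_FLAG_PERSISTENT" in flags,
                ))
    return findings


def _app_id_hex(path: str) -> str:
    """Build a hex app-ID blob; used only to construct the sample export."""
    return (path + "\x00").encode("utf-16-le").hex()


def _item(fid, name, layer, action, path=None, hex_blob=None, persistent=False):
    """Emit one constructed <item> in the export layout (sample data only)."""
    flag = "<item>FWPM_FILTER_FLAG_PERSISTENT</item>" if persistent else ""
    blob = (f"<asString>{path}</asString>" if path else "") + \
           (f"<data>{hex_blob}</data>" if hex_blob else "")
    return (f"<item><filterId>{fid}</filterId><displayData><name>{name}</name>"
            f"</displayData><flags>{flag}</flags><layerKey>{layer}</layerKey>"
            f"<filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>"
            f"<conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>{blob}</byteBlob>"
            f"</conditionValue></item></filterCondition>"
            f"<action><type>{action}</type></action></item>")


# Constructed sample export: two hostile persistent blocks, one benign
# (non-EDR) block, and one permit filter that must not be reported.
SAMPLE_FILTERS_XML = '<?xml version="1.0"?><wfpdiag><filters>' + "".join([
    _item("70001", "Block outbound", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_BLOCK",
          path=r"\device\harddiskvolume3\program files\windows defender advanced threat protection\MsSense.exe",
          persistent=True),
    _item("70002", "Block outbound", "FWPM_LAYER_ALE_AUTH_CONNECT_V6", "FWP_ACTION_BLOCK",
          hex_blob=_app_id_hex(r"\device\harddiskvolume3\program files\elastic\agent\elastic-agent.exe"),
          persistent=True),
    _item("70003", "Vendor rule", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_BLOCK",
          path=r"\device\harddiskvolume3\program files\contoso\updater.exe"),
    _item("70004", "Allow", "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWP_ACTION_PERMIT",
          path=r"\device\harddiskvolume3\program files\windows defender advanced threat protection\MsSense.exe"),
]) + "</filters></wfpdiag>"


def triage_sample() -> List[Finding]:
    return find_edr_block_filters(SAMPLE_FILTERS_XML)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"filter {f.filter_id} [{f.layer}] persistent={f.persistent}: {f.image_path}")
```

The check deliberately keys on structure (block action, outbound layer, application-ID condition on an EDR image) rather than on a filter name, since a name is trivial for an attacker to change. On a live host, pair the export review with the WFP audit events: enabling Audit Filtering Platform Policy Change makes filter additions visible as Event ID 5447, and Audit Filtering Platform Connection logs the resulting blocked connections as Event ID 5157, so a sudden run of 5157 events for the EDR agent's own process is itself a strong indicator.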
“This enables malware or malicious activities to go undetected, increasing the likelihood of successful attacks without detection or intervention,” noted the researchers. “This highlights the trend of threat actors seeking more efficient tools for their attacks, especially those aimed at disabling antivirus and EDR solutions.”
This development coincides with ransomware groups using potent EDR-disabling tools such as AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator, which abuse vulnerable signed drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique) to gain kernel-level access and terminate security processes. The approaches differ: those tools kill the agent outright, whereas EDRSilencer leaves it running but cut off from its console.
“EDRKillShifter boosts persistence mechanisms by employing techniques to ensure continuous presence in the system, even after initial compromises are detected and removed,” as per Trend Micro’s recent analysis.
“It disrupts security processes dynamically in real-time and adjusts its methods to evade detection capabilities, staying ahead of traditional EDR tools.”