Hackers Exploit EDRSilencer to Evade Security

Trend Micro has identified that cyber attackers are attempting to use the open-source tool EDRSilencer in their operations. They’re repurposing it to avoid being spotted by security systems.

You might be interested in: 7 Data Breach Disasters โ€“ Lessons for Cybersecurity Awareness Month

What is EDRSilencer?

EDRSilencer is inspired by MDSec’s NightHawk FireBlock tool. It’s designed to block outgoing network traffic from active Endpoint Detection and Response (EDR) processes by using the Windows Filtering Platform (WFP).

How EDRSilencer Affects Security Products

The tool can shut down various processes associated with EDR products from companies like Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro. This makes it much harder to detect and remove malware.

Using the Windows Filtering Platform to Block EDR Communications

According to Trend Micro researchers, the Windows Filtering Platform is a powerful framework built into Windows for creating network filtering and security applications. It allows developers to set up custom rules to monitor, block, or change network traffic based on factors like IP addresses, ports, protocols, and applications. WFP is commonly used in firewalls, antivirus software, and other security solutions.

By leveraging WFP, EDRSilencer can dynamically find running EDR processes and set up persistent filters to block their outgoing network communications on both IPv4 and IPv6. This stops security products from sending telemetry data to their management panels.

How Attackers Execute the Attack

The attack involves scanning the system to gather a list of running processes linked with common EDR products. Then, EDRSilencer is run with the input “blockedr” (for example, EDRSilencer.exe blockedr) to prevent outbound traffic from those processes by setting up WFP filters.

“This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention,” the researchers explained. “This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.”

Rising Trend of Tools That Disable EDR Software

This development comes as ransomware groups are increasingly using powerful tools that disable EDR software, such as AuKill (also known as AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator. These programs exploit vulnerable drivers to gain higher privileges and shut down security-related processes.

“EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned,” Trend Micro noted in a recent study. “It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools.”