EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is designed to block the outbound traffic of active EDR processes through the Windows Filtering Platform (WFP).
It is capable of terminating processes linked to EDR products from several companies, including Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro. By incorporating legitimate red teaming tools into their toolkit, attackers aim to render EDR software ineffective and complicate the identification and removal of malware.
"The WFP is a robust framework integrated into Windows for developing network filtering and security applications," Trend Micro researchers noted. "It offers APIs for developers to establish custom rules that monitor, block, or alter network traffic based on various factors, including IP addresses, ports, protocols, and applications."
"WFP is utilized in firewalls, antivirus software, and various security solutions to safeguard systems and networks." EDRSilencer exploits WFP by dynamically identifying active EDR processes and creating persistent WFP filters that block their outbound network communications on both IPv4 and IPv6, thus preventing security software from transmitting telemetry to their management consoles.
The attack operates by scanning the system to compile a list of active processes associated with common EDR products, then executing EDRSilencer with the "blockedr" command (e.g., EDRSilencer.exe blockedr), which configures WFP filters that restrict outbound traffic from those processes.
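A defender-side check for the pattern described above, as an added example that is not code from the article or the EDRSilencer project: it triages WFP filter records and reports any watch-listed EDR binary with a Block filter on the outbound IPv4 or IPv6 connect layer. The records and their field names are constructed for the example; in practice they would be exported from `netsh wfp show filters` or collected from Filtering Platform Policy Change audit events.

```python
"""Triage WFP filter records for EDR-silencing rules (added example, not code
from the article or EDRSilencer). Records are constructed; in practice they come
from `netsh wfp show filters` or Filtering Platform Policy Change audit events."""
from collections import defaultdict

# Outbound connect layers: a per-application Block here stops EDR telemetry.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4": "ipv4",
                   "FWPM_LAYER_ALE_AUTH_CONNECT_V6": "ipv6"}

# Watch list of EDR binaries, lower case. MsMpEng.exe / MsSense.exe are Microsoft
# Defender processes; edragent.exe is a constructed placeholder for your product.
EDR_BINARIES = {"msmpeng.exe", "mssense.exe", "edragent.exe"}


def exe_name(app_id):
    """Basename of an NT-style app id (\\device\\harddiskvolumeN\\...\\x.exe)."""
    return app_id.replace("/", "\\").rsplit("\\", 1)[-1].lower() if app_id else None


def find_edr_silencing_filters(filters, watchlist=EDR_BINARIES):
    """Map each watch-listed exe to the ids and IP families of its outbound
    Block filters; a hit on both ipv4 and ipv6 matches the EDRSilencer pattern."""
    hits = defaultdict(lambda: {"filter_ids": [], "blocked": set()})
    for f in filters:
        family = OUTBOUND_LAYERS.get(f.get("layer"))
        exe = exe_name(f.get("app_id"))
        if family and f.get("action") == "Block" and exe in watchlist:
            hits[exe]["filter_ids"].append(f["id"])
            hits[exe]["blocked"].add(family)
    return dict(hits)


# Constructed records; field names are this example's own, not WFP's.
DEFENDER = r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"
CHROME = r"\device\harddiskvolume3\program files\google\chrome\chrome.exe"
SAMPLE_FILTERS = [
    {"id": 68001, "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "action": "Block", "app_id": DEFENDER},
    {"id": 68002, "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V6", "action": "Block", "app_id": DEFENDER},
    {"id": 4112, "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "action": "Permit", "app_id": None},
    {"id": 4200, "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "action": "Block", "app_id": CHROME},
]

if __name__ == "__main__":
    for exe, info in find_edr_silencing_filters(SAMPLE_FILTERS).items():
        print(f"{exe}: outbound blocked on {sorted(info['blocked'])}, filter ids {info['filter_ids']}")
```

A legitimate policy block on an unrelated binary (the chrome.exe record) is not reported; only a watch-listed EDR process blocked on the outbound layers is.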
"This enables malware and other malicious activities to evade detection, increasing the likelihood of successful attacks without intervention," the researchers explained. "This underscores the ongoing trend of threat actors seeking more effective tools, particularly those aimed at disabling antivirus and EDR solutions."
This development aligns with the rising use of advanced EDR-disabling tools among ransomware groups, including AuKill (also known as AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator, which weaponize vulnerable drivers to escalate privileges and terminate security-related processes.
"EDRKillShifter enhances persistence mechanisms by using techniques that ensure its ongoing presence within the system, even after initial compromises are identified and resolved," Trend Micro stated in a recent analysis.
"It dynamically disrupts security processes in real-time and adjusts its methods as detection capabilities improve, remaining one step ahead of conventional EDR tools."
Credit: TheHackerNews.