Eset Inspect Bypassed


Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

Trend Micro's Threat Hunting Team discovered EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.

Summary

  • The Trend Micro Threat Hunting Team recently discovered EDRSilencer, a red team tool originally designed to interfere with endpoint detection and response solutions via the Windows Filtering Platform.
  • However, our internal telemetry showed threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.
  • EDRSilencer disrupts the transmission of telemetry or alerts to EDR management consoles, which complicates the identification and removal of malware.
  • The tool dynamically identifies any running EDR processes and creates WFP filters to block their outbound communication.
  • During testing, it was also found to block communication for processes not included in its hardcoded list, further demonstrating its effectiveness.

Red team tools, which identify and address weaknesses in an organization’s security infrastructure, are crucial to the improvement of its overall security posture. However, threat actors are continuously finding ways to repurpose these tools for malicious purposes. Recently, the Trend Micro Threat Hunting Team discovered EDRSilencer, a red team tool that is able to interfere with endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP). According to the author of this tool, it was inspired by the closed-source tool FireBlock by MdSec NightHawk.

EDRs are security tools that monitor endpoints like computers for signs of malicious activity. EDRSilencer is designed to block network communication for processes associated with various EDR products. This interference can prevent EDR solutions from sending telemetry or alerts to their management consoles, making it significantly harder to identify and remove malware. It is effective in blocking network communication for processes associated with various EDR products (Table 1).

The WFP is a powerful framework built into Windows for creating network filtering and security applications. It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications. WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.

However, this tool demonstrates a technique that can be used by adversaries to evade detection: By blocking EDR traffic, malware could potentially remain hidden on a system, making it harder to identify and remove. Understanding how this code works is crucial for defenders to develop effective countermeasures.

EDR Product                                                       Process(es)
Carbon Black Cloud                                                RepMgr.exe, RepUtils.exe, RepUx.exe, RepWAV.exe, RepWSC.exe
Carbon Black EDR                                                  cb.exe
Cisco Secure Endpoint (Formerly Cisco AMP)                        sfc.exe
Cybereason                                                        AmSvc.exe, CrAmTray.exe, CrsSvc.exe, ExecutionPreventionSvc.exe, CybereasonAV.exe
Cylance                                                           CylanceSvc.exe
Elastic EDR                                                       winlogbeat.exe, elastic-agent.exe, elastic-endpoint.exe, filebeat.exe
ESET Inspect                                                      EIConnector.exe, ekrn.exe
FortiEDR                                                          fortiedr.exe
Harfanglab EDR                                                    hurukai.exe
Microsoft Defender for Endpoint and Microsoft Defender Antivirus  MsMpEng.exe, MsSense.exe, SenseIR.exe, SenseNdr.exe, SenseCncProxy.exe, SenseSampleUploader.exe
Palo Alto Networks Traps/Cortex XDR                               Traps.exe, cyserver.exe, CyveraService.exe, CyvrFsFlt.exe
Qualys EDR                                                        QualysAgent.exe
SentinelOne                                                       SentinelAgent.exe, SentinelAgentWorker.exe, SentinelServiceHost.exe, SentinelStaticEngine.exe, LogProcessorService.exe, SentinelStaticEngineScanner.exe, SentinelHelperService.exe, SentinelBrowserNativeHost.exe
Tanium                                                            TaniumClient.exe, TaniumCX.exe, TaniumDetectEngine.exe
Trellix EDR                                                       xagt.exe
TrendMicro Apex One                                               CETASvc.exe, WSCommunicator.exe, EndpointBasecamp.exe, TmListen.exe, Ntrtscan.exe, TmWSCSvc.exe, PccNTMon.exe, TMBMSRV.exe, CNTAoSMgr.exe, TmCCSF.exe

Table 1. List of executable names associated with common EDR products terminated by EDRSilencer.

https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html

Edited by itman
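
Added example (editorial, not code from Trend Micro, the EDRSilencer author or ESET): the article says the tool creates WFP filters keyed to the EDR processes it finds running, and filters added straight through the WFP API are separate from Windows Firewall rules, so the practical check on a suspect host is to dump the filter store with `netsh wfp show filters file=filters.xml` and look for BLOCK filters whose FWPM_CONDITION_ALE_APP_ID condition points at one of the binaries in Table 1. The script below does that. It assumes the XML layout netsh writes (one `<item>` per filter with `<filterKey>`, `<displayData>`, `<flags>`, `<layerKey>`, `<filterCondition>` and `<action>` children, the app-id blob rendered as an NT device path in `<asString>`); the embedded dump is constructed for the demo, the filter names and paths in it are made up, and the executable set is only a subset of Table 1. The filter display name is deliberately never used as a match criterion, since an attacker picks it.

```python
"""Audit a WFP filter dump for BLOCK filters aimed at EDR executables (the
EDRSilencer pattern). Editorial example, not Trend Micro's or ESET's code.
Assumes the XML layout written by `netsh wfp show filters file=filters.xml`:
one <item> per filter with <filterKey>, <displayData>/<name>, <flags>/<item>,
<layerKey>, <filterCondition>/<item>/<fieldKey> + <conditionValue>/<byteBlob>/
<asString>, and <action>/<type>. The sample dump below is constructed."""
import sys
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional, Union

# Subset of the executable names in Table 1 of the post (extend with the rest).
EDR_EXECUTABLES = {
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe", "eiconnector.exe", "ekrn.exe",
    "sentinelagent.exe", "cylancesvc.exe", "xagt.exe", "cb.exe", "elastic-endpoint.exe",
    "tmlisten.exe", "ntrtscan.exe", "endpointbasecamp.exe", "fortiedr.exe",
}

WfpFilter = NamedTuple("WfpFilter", [("key", str), ("name", str), ("layer", str),
                                     ("action", str), ("persistent", bool),
                                     ("app_path", Optional[str])])
Finding = NamedTuple("Finding", [("key", str), ("name", str), ("exe", str),
                                 ("layer", str), ("persistent", bool)])


def _text(elem: ET.Element, path: str) -> str:
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_filters(xml_data: Union[str, bytes]) -> List[WfpFilter]:
    """Return every filter in the dump, with or without a <wfpdiag> wrapper."""
    filters = []
    for item in ET.fromstring(xml_data).iter("item"):
        if item.find("filterKey") is None:   # <item>s nested in <flags>/<filterCondition>
            continue
        app_path = None
        for cond in item.findall("filterCondition/item"):
            if _text(cond, "fieldKey") == "FWPM_CONDITION_ALE_APP_ID":
                # netsh renders the app-id blob as an NT device path in <asString>
                app_path = _text(cond, "conditionValue/byteBlob/asString").lower()
        persistent = any((f.text or "").strip() == "FWPM_FILTER_FLAG_PERSISTENT"
                         for f in item.findall("flags/item"))
        filters.append(WfpFilter(_text(item, "filterKey"), _text(item, "displayData/name"),
                                 _text(item, "layerKey"), _text(item, "action/type"),
                                 persistent, app_path))
    return filters


def find_edr_block_filters(xml_data: Union[str, bytes]) -> List[Finding]:
    """Flag BLOCK filters whose app-id condition names a known EDR binary.
    The display name is attacker-chosen, so it is reported but never matched on;
    the layer is reported because a block on ALE_AUTH_CONNECT is what silences
    outbound telemetry. Any layer is flagged, not only the connect layers."""
    findings = []
    for f in parse_filters(xml_data):
        if f.action != "FWP_ACTION_BLOCK" or not f.app_path:
            continue
        exe = f.app_path.rsplit("\\", 1)[-1]
        if exe in EDR_EXECUTABLES:
            findings.append(Finding(f.key, f.name, exe, f.layer, f.persistent))
    return findings


# Constructed sample in the netsh layout: two EDRSilencer-style blocks (one
# persistent, one runtime-only) and one unrelated block that must not be flagged.
SAMPLE_FILTERS_XML = r"""<wfpdiag><filters>
<item><filterKey>{11111111-0000-4000-8000-000000000001}</filterKey>
 <displayData><name>outbound block</name></displayData>
 <flags><numItems>1</numItems><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob><asString>\device\harddiskvolume3\programdata\microsoft\windows defender\platform\msmpeng.exe</asString></byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
<item><filterKey>{11111111-0000-4000-8000-000000000002}</filterKey>
 <displayData><name>outbound block</name></displayData>
 <flags><numItems>0</numItems></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
 <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob><asString>\device\harddiskvolume3\program files\eset\eset security\eiconnector.exe</asString></byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
<item><filterKey>{11111111-0000-4000-8000-000000000003}</filterKey>
 <displayData><name>block game updater</name></displayData>
 <flags><numItems>1</numItems><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
  <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob><asString>\device\harddiskvolume3\users\alice\appdata\local\game\updater.exe</asString></byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
</filters></wfpdiag>"""

if __name__ == "__main__":
    # Pass the path of a real dump to audit it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILTERS_XML
    for hit in find_edr_block_filters(data):
        kind = "persistent" if hit.persistent else "runtime-only"
        print(f"{hit.key} {hit.layer} blocks {hit.exe} ({kind}) name={hit.name!r}")
```

Run it as `python wfp_audit.py filters.xml` on the dump taken from the host (elevated prompt needed for netsh). The article notes the tool also blocked processes outside its hardcoded list, so a hit on a name not in the set is still possible; when hunting, review every BLOCK filter carrying an app-id condition, not only the ones this list matches. A persistent filter survives reboot and is the stronger indicator; either way the filter key is what you pass to `netsh wfp` or the FWPM API to remove it.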

  • Administrators

Thanks, will read through it and also discuss with colleagues. Anyway, ESET XDR can work autonomously offline without connection to other servers so it does not sound to me like a 100% effective bypass at first in case EI was configured to evaluate rules on clients. Moreover, there must be other steps that precede execution which would have been probably detected and blocked before the tool in question could run in a real-world scenario if we don't assume the attacker would have direct physical access to the machine.
