itman posted (quoting the Trend Micro article):

Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

Trend Micro's Threat Hunting Team discovered EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.

Summary

The Trend Micro Threat Hunting Team recently discovered EDRSilencer, a red team tool originally designed to interfere with endpoint detection and response solutions via the Windows Filtering Platform. However, our internal telemetry showed threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection. EDRSilencer disrupts the transmission of telemetry or alerts to EDR management consoles, which complicates the identification and removal of malware. The tool dynamically identifies any running EDR processes and creates WFP filters to block their outbound communication. During testing, it was also found to block communication for processes not included in its hardcoded list, further demonstrating its effectiveness.

Red team tools, which identify and address weaknesses in an organization's security infrastructure, are crucial to the improvement of its overall security posture. However, threat actors are continuously finding ways to repurpose these tools for malicious purposes. Recently, the Trend Micro Threat Hunting Team discovered EDRSilencer, a red team tool that is able to interfere with endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP). According to the author of this tool, it was inspired by the closed-source tool FireBlock by MdSec NightHawk.

EDRs are security tools that monitor endpoints like computers for signs of malicious activity. EDRSilencer is designed to block network communication for processes associated with various EDR products. This interference can prevent EDR solutions from sending telemetry or alerts to their management consoles, making it significantly harder to identify and remove malware. It is effective in blocking network communication for processes associated with various EDR products (Table 1).

The WFP is a powerful framework built into Windows for creating network filtering and security applications. It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications. WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks. However, this tool demonstrates a technique that can be used by adversaries to evade detection: by blocking EDR traffic, malware could potentially remain hidden on a system, making it harder to identify and remove. Understanding how this code works is crucial for defenders to develop effective countermeasures.

EDR Product | Process
Carbon Black Cloud | RepMgr.exe, RepUtils.exe, RepUx.exe, RepWAV.exe, RepWSC.exe
Carbon Black EDR | cb.exe
Cisco Secure Endpoint (formerly Cisco AMP) | sfc.exe
Cybereason | AmSvc.exe, CrAmTray.exe, CrsSvc.exe, ExecutionPreventionSvc.exe, CybereasonAV.exe
Cylance | CylanceSvc.exe
Elastic EDR | winlogbeat.exe, elastic-agent.exe, elastic-endpoint.exe, filebeat.exe
ESET Inspect | EIConnector.exe, ekrn.exe
FortiEDR | fortiedr.exe
Harfanglab EDR | hurukai.exe
Microsoft Defender for Endpoint and Microsoft Defender Antivirus | MsMpEng.exe, MsSense.exe, SenseIR.exe, SenseNdr.exe, SenseCncProxy.exe, SenseSampleUploader.exe
Palo Alto Networks Traps/Cortex XDR | Traps.exe, cyserver.exe, CyveraService.exe, CyvrFsFlt.exe
Qualys EDR | QualysAgent.exe
SentinelOne | SentinelAgent.exe, SentinelAgentWorker.exe, SentinelServiceHost.exe, SentinelStaticEngine.exe, LogProcessorService.exe, SentinelStaticEngineScanner.exe, SentinelHelperService.exe, SentinelBrowserNativeHost.exe
Tanium | TaniumClient.exe, TaniumCX.exe, TaniumDetectEngine.exe
Trellix EDR | xagt.exe
TrendMicro Apex One | CETASvc.exe, WSCommunicator.exe, EndpointBasecamp.exe, TmListen.exe, Ntrtscan.exe, TmWSCSvc.exe, PccNTMon.exe, TMBMSRV.exe, CNTAoSMgr.exe, TmCCSF.exe

Table 1. List of executable names associated with common EDR products terminated by EDRSilencer.

https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
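Defensive triage logic for the WFP abuse described in the quoted article, as an added example that is neither Trend Micro's nor the tool's code: it walks an export in the shape produced by `netsh wfp show filters` (the element names and the sample export below are constructed from that format and are assumptions to verify against a real export) and lists every BLOCK filter keyed on an application path, marking those whose executable appears in Table 1 while still reporting unknown executables, since the article notes the tool also blocks processes outside its hardcoded list.

```python
import xml.etree.ElementTree as ET

# Executable names taken from Table 1 above (lower-cased for matching; extend as needed).
EDR_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "senseir.exe", "sensendr.exe", "sensecncproxy.exe",
    "sentinelagent.exe", "ekrn.exe", "eiconnector.exe", "cb.exe", "xagt.exe", "sfc.exe",
    "cylancesvc.exe", "elastic-endpoint.exe", "fortiedr.exe", "tmlisten.exe", "ntrtscan.exe",
}

def app_id_block_filters(xml_text):
    """Return every BLOCK filter whose condition is an application path (ALE app id).

    Each hit records filter name, layer, executable name and whether that executable
    is an EDR process from Table 1. Unknown executables are reported as well.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        if item.find("filterKey") is None:
            continue  # condition entries are also <item>; only filters carry a key
        if item.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # permit/callout filters are normal firewall and AV behaviour
        for cond in item.findall("filterConditions/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            path = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            exe = path.rsplit("\\", 1)[-1]  # app ids are NT device paths
            hits.append({"name": item.findtext("displayData/name", ""),
                         "layer": item.findtext("layerKey", ""),
                         "exe": exe, "known_edr": exe in EDR_PROCESSES})
    return hits

# Constructed sample in the shape of a "netsh wfp show filters" export (not a real capture).
SAMPLE_EXPORT = r"""<wfpdiag><filters>
<item><filterKey>{00000000-0000-0000-0000-000000000001}</filterKey><displayData><name>Constructed Block Filter</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
 <filterConditions><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\program files\windows defender\MsMpEng.exe</asString></byteBlob></conditionValue></item></filterConditions></item>
<item><filterKey>{00000000-0000-0000-0000-000000000002}</filterKey><displayData><name>Firewall Permit Rule</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><action><type>FWP_ACTION_PERMIT</type></action>
 <filterConditions><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\windows\system32\svchost.exe</asString></byteBlob></conditionValue></item></filterConditions></item>
<item><filterKey>{00000000-0000-0000-0000-000000000003}</filterKey><displayData><name>Constructed Block Filter</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
 <filterConditions><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\program files\vendor\agent.exe</asString></byteBlob></conditionValue></item></filterConditions></item>
</filters></wfpdiag>"""

if __name__ == "__main__":
    for hit in app_id_block_filters(SAMPLE_EXPORT):
        print(f"{hit['layer']}: '{hit['name']}' blocks {hit['exe']} "
              f"({'KNOWN EDR' if hit['known_edr'] else 'unknown executable'})")
```

Run against a real export with `app_id_block_filters(open("filters.xml").read())`; a BLOCK filter on any Table 1 executable, or on the same unfamiliar filter name repeated across many executables, is the signal worth escalating.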
Marcos (Administrator) replied:

Thanks, will read through it and also discuss with colleagues. Anyways, ESET XDR can work autonomously offline without connection to other servers, so it does not sound to me like a 100% effective bypass at first, in case EI was configured to evaluate rules on clients. Moreover, there must be other steps that precede execution which would probably have been detected and blocked before the tool in question could run in a real-world scenario, if we don't assume the attacker would have direct physical access to the machine.