Executive Summary

The EDRSilencer tool, originally designed for red team operations, has been repurposed by threat actors to bypass endpoint detection and response (EDR) systems. This report delves into the tool's capabilities, its exploitation in real-world scenarios, and the broader implications for cybersecurity defenses. Notably, the tool has been observed in attacks targeting sectors across North America and Europe, emphasizing the need for heightened vigilance and robust security measures.

Technical Information

EDRSilencer is a sophisticated tool that leverages the Windows Filtering Platform (WFP) to obstruct network communication for processes linked to various EDR products. By doing so, it effectively prevents EDR solutions from transmitting telemetry or alerts to their management consoles, thereby complicating the detection and eradication of malware. The tool dynamically identifies active EDR processes and establishes WFP filters to block their outbound communication. This technique allows malware to remain concealed on a system, significantly increasing the likelihood of successful attacks without detection.

The tool's latest iteration is capable of detecting and blocking 16 modern EDR tools, including Microsoft Defender, SentinelOne, FortiEDR, Palo Alto Networks Traps/Cortex XDR, Cisco Secure Endpoint (formerly AMP), ElasticEDR, Carbon Black EDR, and TrendMicro Apex One. This broad compatibility underscores the tool's potential impact on a wide range of security solutions.

Exploitation in the Wild

Threat actors have been observed integrating EDRSilencer into their attack strategies to evade detection. The tool's ability to dynamically identify and block EDR processes has been exploited in various attacks, allowing malware to persist undetected on compromised systems. Indicators of Compromise (IOCs) associated with EDRSilencer include the SHA256 hash 721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7 and the detection signature HackTool.Win64.EDRSilencer.REDT.

APT Groups using this vulnerability

While specific Advanced Persistent Threat (APT) groups exploiting EDRSilencer have not been publicly identified, the tool's capabilities make it an attractive option for APTs seeking to evade detection and maintain persistence on targeted systems. The sectors and countries targeted by these groups include critical infrastructure and financial institutions in North America and Europe, highlighting the need for enhanced security measures in these regions.

Affected Product Versions

EDRSilencer affects a wide range of EDR products, including but not limited to Microsoft Defender, SentinelOne, FortiEDR, Palo Alto Networks Traps/Cortex XDR, Cisco Secure Endpoint (formerly AMP), ElasticEDR, Carbon Black EDR, and TrendMicro Apex One. Organizations utilizing these solutions should be particularly vigilant and consider implementing additional security measures to mitigate the risk of exploitation.

Workaround and Mitigation

To mitigate the risk posed by EDRSilencer, organizations should implement a multi-layered security approach. This includes network segmentation to isolate critical systems, defense-in-depth strategies with firewalls, intrusion detection systems, antivirus, and EDR solutions. Enhancing endpoint security with solutions that incorporate behavioral analysis and anomaly detection is also recommended. Application whitelisting can further reduce the risk by allowing only approved applications to run. Continuous monitoring and threat hunting are essential to proactively identify indicators of compromise and advanced persistent threats. Finally, implementing strong access controls and applying the principle of least privilege can help minimize the potential impact of an attack.

References

For further reading and detailed analysis, please refer to the following resources: Trend Micro's report on EDRSilencer, available at https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html, and Bleeping Computer's article on the tool's use in attacks, accessible at https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-used-in-attacks-to-bypass-security/.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and proactive defense strategies. We are here to support you in enhancing your security posture and mitigating risks. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.