A red-team tool named EDRSilencer has been observed being used in malicious incidents to identify and disable security tools, preventing alerts from reaching management consoles, researchers at Trend Micro reported.
Attackers have been attempting to integrate the tool into their intrusions in order to evade detection by security solutions.
EDRSilencer, an open-source tool inspired by MdSec NightHawk’s proprietary FireBlock, specifically targets endpoint detection and response (EDR) solutions. These tools are used to monitor and protect devices from cyber threats, identifying both known and novel risks and sending detailed alerts to defenders. By interfering with the flow of these alerts, EDRSilencer makes it significantly more challenging for organisations to detect and respond to potential cyberattacks, as per the researchers.
The tool operates by detecting active EDR processes and leveraging the Windows Filtering Platform (WFP) to control, block, or alter network traffic. WFP, a core feature of Windows, is typically used by security applications like firewalls and antivirus programmes. With customised filtering rules, EDRSilencer can disrupt communication between the EDR software and its management server, effectively muting critical alerts. This capability makes it particularly effective in evading detection by traditional security measures, as the disruption prevents the generation of real-time alerts that are crucial for immediate response.
How EDRSilencer utilises the Windows Filtering Platform
Researchers at Trend Micro stated that during tests, EDRSilencer blocked communication for processes not included in its hardcoded list, demonstrating its broad capabilities. Attackers can also add specific processes to the filtering rules by specifying file paths, expanding the range of security solutions that can be muted.
“After identifying and blocking additional processes not included in the hardcoded list, the EDR tools failed to send logs, confirming the tool’s effectiveness,” Trend Micro stated. This flexibility means that attackers can adapt EDRSilencer to target a wide range of EDR products, making it a versatile tool in their arsenal.
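As an added example, not from the article or from Trend Micro: a short Python audit that parses the XML written by `netsh wfp show filters file=filters.xml` (the element names used here are assumptions about that export format) and flags any block filter keyed on the image path of a security agent, which is the kind of interference described above, whether the process came from a hardcoded list or was added by file path. The sample export and the agent watchlist are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed watchlist of agent image names whose outbound traffic must never
# be blocked by a WFP filter; extend it with the products deployed in your estate.
WATCHLIST = {"mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}

# App IDs appear in the export as UTF-16LE byte blobs, sometimes alongside an
# asString rendering. The constructed sample below exercises both forms.
_HEX_PATH = r"\device\harddiskvolume3\program files\crowdstrike\csfalconservice.exe".encode("utf-16-le").hex()
SAMPLE_XML = rf"""<wfpdiag><filters>
<item><displayData><name>Outbound block 1</name></displayData><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action><filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
 <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe</asString></byteBlob></conditionValue>
 </item></filterCondition></item>
<item><displayData><name>Outbound block 2</name></displayData><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action><filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
 <conditionValue><byteBlob><data>{_HEX_PATH}</data></byteBlob></conditionValue></item></filterCondition></item>
<item><displayData><name>Allow browser</name></displayData><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_PERMIT</type></action><filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
 <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\browser\browser.exe</asString></byteBlob></conditionValue>
 </item></filterCondition></item>
</filters></wfpdiag>"""

def app_path(cond):
    """Return the image path from an ALE_APP_ID condition, decoding the blob if needed."""
    blob = cond.find("conditionValue/byteBlob")
    if blob is None:
        return ""
    if blob.findtext("asString"):
        return blob.findtext("asString")
    raw = blob.findtext("data") or ""
    return bytes.fromhex(raw).decode("utf-16-le").rstrip("\x00")

def blocked_watchlist_filters(xml_text, watchlist=WATCHLIST):
    """List (filter name, layer, image) for BLOCK filters keyed on a watchlisted image."""
    hits = []
    for flt in ET.fromstring(xml_text).iter("item"):
        if flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # permit filters and the inner condition <item>s carry no action
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            image = app_path(cond).rsplit("\\", 1)[-1].lower()
            if image in watchlist:
                hits.append((flt.findtext("displayData/name"), flt.findtext("layerKey"), image))
    return hits

if __name__ == "__main__":
    for name, layer, image in blocked_watchlist_filters(SAMPLE_XML):
        print(f"ALERT: block filter '{name}' at {layer} silences {image}")
```

Run it against a real export by replacing SAMPLE_XML with the file contents; a non-empty result is worth an incident ticket, since a legitimate firewall policy rarely blocks the agent itself.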
The use of EDRSilencer highlights the continued repurposing of red-team tools for malicious purposes. While such tools are intended to help organisations improve their cybersecurity by testing defences, threat actors often exploit them to evade detection. The interference caused by EDRSilencer prevents EDR solutions from sending telemetry and alerts, increasing the potential for successful attacks to go undetected. This demonstrates the dual-use nature of many cybersecurity tools, which, while beneficial for defensive purposes, can also be used to undermine security when in the wrong hands.
Trend Micro recommended a multi-layered approach to counter EDRSilencer, including treating the tool as malware to prevent its deployment, implementing behavioural analysis and anomaly detection, and isolating critical systems to create redundancy. Multi-layered security measures are vital in ensuring that even if one layer is bypassed, other defences are still active. The cybersecurity software firm also advised enforcing the principle of least privilege to limit the reach of any successful breach, which is particularly important in preventing attackers from gaining access to critical systems and data.
Researchers emphasised that detecting and neutralising tools like EDRSilencer requires constant vigilance and adaptation. Security teams must stay informed about emerging threats and continuously update their defensive measures to counteract new tactics used by adversaries.
Proactive threat hunting and monitoring for indicators of compromise are crucial for early detection of such threats, said the researchers. Implementing solutions that incorporate behavioural analysis can also help in identifying unusual patterns of activity that might indicate the presence of tools like EDRSilencer.
Researchers concluded that using tools like EDRSilencer significantly enhances the ability of malware to remain hidden, making it harder for cybersecurity teams to effectively respond. The findings stress the importance of monitoring for indicators of compromise and maintaining comprehensive security measures.