Source: www.csoonline.com – Author:
News Analysis
16 Oct 20244 mins
Endpoint ProtectionMalwareNetwork Security
Red team tool EDRSilencer has been used by hackers to make the Windows Filtering Platform block a long list of EDR products from communicating with their management consoles and reporting malware detections.
Attackers have weaponized yet another tool developed for penetration testing and red team exercises to enhance their attacks. The tool, dubbed EDRSilencer, leverages the Windows Filtering Platform (WFP) to block the network communication of EDR software agents, preventing them from sending telemetry or alerts back to the management consoles monitored by security teams.
“This tool demonstrates a technique that can be used by adversaries to evade detection: By blocking EDR traffic, malware could potentially remain hidden on a system, making it harder to identify and remove,” researchers from security firm Trend Micro said in a report.
The Trend Micro team started investigating what EDRSilencer is and how it works after members of its threat hunting team started observing attackers trying to integrate them in their operations. It turns out this is an open-source tool that takes inspiration from a proprietary one called FireBlock that was created by UK-based adversary simulation and penetration testing firm MDSec.
WFP is a set of Windows APIs and services that developers can use to interact with the network packet processing deep inside the Windows networking stack. This powerful capability is usually leveraged by firewalls and other security applications to monitor, block or modify network packets based on IP addresses, ports, originating processes and so on.
EDRSilencer creates WFP filters that target processes associated with popular EDR tools. Agents supported by default include Microsoft Defender for Endpoint and Microsoft Defender Antivirus, Elastic EDR, Trellix EDR, Qualys EDR, SentinelOne, Cylance, Cybereason, Carbon Black EDR, Carbon Black Cloud, Tanium, Palo Alto Networks Traps/Cortex XDR, FortiEDR, Cisco Secure Endpoint (Formerly Cisco AMP), ESET Inspect, Harfanglab EDR and TrendMicro Apex One.
If the EDR agent installed on a system is not one from this list and is not automatically recognized, the user can pass a full path to the process they want to have its network communication blocked. So, in theory, it could block network traffic for any programs, not just EDR agents.
The WPF filters deployed by the tool are persistent, which means they will survive system reboots and the tool itself can be deployed directly in memory by other penetration testing implants with PE execution modules. This means it supports fileless execution.
The developer of EDRSilencer even implemented a technique to obtain the unique WFP app ID of the targeted process while avoiding triggering the self-defense mechanisms of some EDR processes that could detect attempts to apply an WPF filter against themselves.
“Some EDR controls (e.g., minifilter) deny access when a process attempts to obtain a file handle of its EDR processes (e.g., through CreateFileW),” the developer stated in GitHub. “However, the FwpmGetAppIdFromFileName0 API, which is used to obtain the FWP app id of the targeted EDR process, calls CreateFileW internally. To avoid this, a custom FwpmGetAppIdFromFileName0 was implemented to construct the app ID without invoking CreateFileW, thus preventing unexpected failures when adding a WFP filter to an EDR process.”
When the Trend Micro researchers tested the tool against the company’s Vision One Endpoint Agent, which is not supported by default, the tool failed to completely identify and block network communications for all components. However, they used the tool’s block command with a full path to the processes and it worked. “When we executed a ransomware binary, no logs were reflected on the portal; the device appeared disconnected or inactive, which indicates that the tool was effective,” the researchers said.
EDR killers on the rise
Attackers have long adopted penetration testing tools either because it’s cheaper than creating bespoke malware or because they’re well designed and have solid command-and-control capabilities. The Cobalt Strike beacon, the implant of the popular adversary simulation framework of the same name has been weaponized by cybercriminal and cyberespionage groups alike for many years. Another example is Meterpreter, the payload of the Metasploit penetration testing framework.
A variety of other commercial and free tools for network scanning, credential dumping, remote management and system administration are routinely used in attacks. However, tools aimed at disabling and even removing EDRs are increasingly popular. “This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions,” the Trend Micro researchers said.
In August, researchers from Sophos reported that a rootkit known as Poortry/BurntCigar that uses kernel drivers had added the capability to wipe EDR products from systems completely instead of just terminating their processes.
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Original Post url: https://www.csoonline.com/article/3567074/attackers-repurpose-edrsilencer-to-evade-detection.html
Category & Tags: Endpoint Protection, Malware, Network Security – Endpoint Protection, Malware, Network Security
Views: 2
