Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity
The open-source tool EDRSilencer is being abused by threat actors to interfere with Endpoint Detection and Response (EDR) systems and make malicious activity harder to detect. The tool manipulates the Windows Filtering Platform (WFP) to block outbound traffic from EDR processes. Trend Micro reported that attackers are incorporating EDRSilencer into their attack strategies to evade detection, much as NightHawk FireBlock (another tool, from MDSec) does. The tool is capable of terminating processes associated with multiple prominent EDR solutions, including those from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.
According to Trend Micro researchers, attackers are repurposing this capability to target EDR solutions specifically. By integrating EDRSilencer into their attacks, they manipulate the WFP to block or filter the outbound network traffic of EDR processes, disrupting the agents' ability to communicate with their consoles or report suspicious activity. This tampering makes it far harder for defenders to monitor ongoing threats and gives attackers a free hand to carry out malicious activity undetected.
EDRSilencer exploits the Windows Filtering Platform (WFP) by dynamically detecting running EDR processes and setting persistent WFP filters to block their outbound network communications on both IPv4 and IPv6.
The attack unfolds in two steps:
- Process scanning: EDRSilencer scans the system for running processes belonging to commonly used EDR products.
- Blocking EDR traffic: the tool is then run with the blockedr command (EDRSilencer.exe blockedr), which configures WFP filters that block outbound traffic from the identified EDR processes.
TECHNICAL DETAILS:
VULNERABILITY TYPES & AFFECTED PRODUCTS:
- Buffer Overflow (CWE-120)
  A buffer overflow occurs when a program writes more data to a buffer than it can hold, corrupting adjacent memory and potentially allowing an attacker to execute arbitrary code.
  - Products: Microsoft Windows, Linux-based systems, web browsers, network routers, etc.
- SQL Injection (CWE-89)
  A code injection vulnerability in which an attacker interferes with a database query by injecting SQL through untrusted input, which can lead to unauthorized data access or manipulation of the database.
  - Products: e-commerce platforms such as Magento and OpenCart.
- Cross-Site Scripting (XSS) (CWE-79)
  This vulnerability allows an attacker to inject scripts into web pages viewed by other users, potentially leading to theft of session tokens or personal data, or to actions performed without the user's consent.
  - Products: WordPress, Joomla, Magento, custom-built web apps, social networking sites.
- Cross-Site Request Forgery (CSRF) (CWE-352)
  This vulnerability allows an attacker to trick an authenticated user into performing unwanted actions on a web application, exploiting the trust the application places in the user's browser session.
  - Products: Facebook, Google services, WordPress
- Use After Free (CWE-416)
  This vulnerability occurs when a program continues to use memory after it has been freed, which can lead to unpredictable behavior, crashes, or execution of arbitrary code by an attacker.
IMPACT:
The impact of a vulnerability depends on its type, the systems or products affected, and how attackers exploit it. Common impacts of the vulnerability classes listed above are:
1. Buffer Overflow (CWE-120)
   - Impact:
     - Remote Code Execution (RCE): Attackers can execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.
     - Denial of Service (DoS): The application may crash, causing system downtime or service unavailability.
     - Data Corruption: Buffer overflows can corrupt critical data or system state, leading to loss of integrity.
   - Severity: High
2. SQL Injection (CWE-89)
   - Impact:
     - Data Breach: Attackers can read sensitive data from the database, including personal information, financial records, or confidential business information.
     - Data Manipulation: Attackers can alter or delete data, compromising data integrity.
     - Authentication Bypass: Attackers may bypass authentication mechanisms by manipulating SQL queries, gaining unauthorized access.
   - Severity: Critical
3. Cross-Site Scripting (XSS) (CWE-79)
   - Impact:
     - Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
     - Phishing: XSS can be used to inject scripts that redirect users to phishing sites or display fake login forms.
     - Defacement: Attackers can modify the content displayed on web pages.
   - Severity: Moderate to High, depending on the scope (e.g., stored XSS has more impact than reflected XSS).
4. Use After Free (CWE-416)
   - Impact:
     - Remote Code Execution (RCE): Attackers can control freed memory and inject malicious code.
     - Denial of Service (DoS): The application may crash due to improper memory access, resulting in service disruption.
     - Memory Corruption: Can cause unpredictable application behavior, leading to data loss or application malfunction.
   - Severity: High
5. Cross-Site Request Forgery (CSRF) (CWE-352)
   - Impact:
     - Unauthorized Actions: Attackers can trick users into performing actions (e.g., transferring funds, changing account details) without their knowledge.
     - Account Compromise: Sensitive account changes (such as password resets) can lead to account takeover.
     - Data Manipulation: CSRF attacks may allow unauthorized data modifications.
   - Severity: Moderate to High, depending on the nature of the action that can be performed.
INDICATORS OF COMPROMISE (IOCs):
Indicators of Compromise (IOCs) are forensic data points that indicate possible intrusion or malicious activity on a system or network. They include IP addresses, file hashes, domain names, network traffic patterns, and specific system artifacts related to malware or an attack. Below are common IOCs for various types of attacks and vulnerabilities, including the recent trend of EDR tampering with tools like EDRSilencer.
1. File Hashes (MD5, SHA1, SHA256)
   - Purpose: Detect malicious files by comparing their hash values with known malware samples.
   - Example: If EDRSilencer is used, the binary's file hash can be compared against a threat intelligence database to detect its presence.
   - Example hash values for EDRSilencer (illustrative only; real hashes vary by sample and build):
     - MD5: abcd1234ef56789abcd9876ef1234567
     - SHA256: e4d909c290d0fb1ca068ffaddf22cbd0c12529a69a9b2aafbb3a6e08d07d3b7e
   - These hashes will vary depending on the malware sample or attack tool used.
2. Suspicious Network Traffic (IP/Domain)
   - Purpose: Identify anomalous outbound or inbound network connections associated with malicious activity.
   - EDRSilencer-related network IOCs:
     - Blocked telemetry: Outbound connections from EDR agents that should be sending telemetry data to a central console may stop entirely or exhibit anomalies. These connections normally go to:
       - Domains: telemetry.edrvendor.com, security.sentinelone.com
       - IP addresses: known IPs belonging to EDR vendor servers
     - Malicious C2: Look for connections to command-and-control (C2) infrastructure (IP addresses or domains) that are not part of normal network traffic.
       - Example IOC IPs:
         - 192.168.1.100 (internal C2 for EDRSilencer testing)
         - 123.45.67.89 (external attacker IP)
       - Example suspicious domain:
         - malicious-actor[.]com
3. Process Execution
   - Purpose: Track abnormal or suspicious process behavior.
   - EDRSilencer-related process IOCs:
     - Execution of processes named EDRSilencer.exe or similar variations.
     - Processes started with arguments such as EDRSilencer.exe blockedr.
     - Suspicious process trees: unusual parent-child relationships in which legitimate system processes such as svchost.exe or explorer.exe spawn unexpected executables (such as EDRSilencer or malicious scripts).
4. Persistence Mechanisms
   - Purpose: Identify attempts by attackers to maintain persistent access.
   - EDRSilencer-related persistence IOCs:
     - Modifications to Windows Registry keys, or creation of new entries, related to WFP filters or EDR solutions.
     - Example registry key associated with EDRSilencer's filtering of EDR processes:
       - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\PersistentFilters
     - Startup-related entries:
       - Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
       - File path: C:\ProgramData\EDRSilencer\
5. Suspicious File/Directory Creation
   - Purpose: Detect the creation of files or directories known to be associated with malicious activity.
   - EDRSilencer-related file IOCs:
     - EDRSilencer binary or similar tools dropped into locations such as:
       - C:\Users\Public\Downloads\EDRSilencer.exe
       - C:\ProgramData\Microsoft\Windows\EDRSilencer\
     - Other malicious payloads or scripts downloaded or executed after EDR has been disabled.
RECOMMENDATIONS:
1. Strengthen EDR Configurations
- Ensure EDR is configured properly: Regularly review and update your EDR configurations to ensure they are optimized to detect evasion attempts and are not susceptible to tampering.
- Enable anti-tampering features: Use EDR solutions with built-in anti-tampering mechanisms that prevent unauthorized users or malicious tools from disabling EDR processes or modifying their configurations.
- Monitor telemetry gaps: Set up alerts for any unusual stoppages or gaps in EDR telemetry data to detect tampering attempts quickly.
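The telemetry-gap alerting recommended above can be prototyped offline. The script below is an added example (not Trend Micro's code, not any EDR vendor's, and not part of this advisory): it correlates per-host agent check-in times, as an EDR console would report them, with Windows Security-log events 5157 ("The Windows Filtering Platform has blocked a connection") whose blocked application is an EDR binary, and rates a host that shows both signals higher than one that shows either alone. It assumes failure auditing for the Filtering Platform Connection subcategory is enabled so that 5157 events are written at all; the host names, timestamps, EDR binary list and event records are all constructed.

```python
"""Correlate EDR telemetry gaps with WFP block events for EDR binaries.

Added example for the "monitor telemetry gaps" recommendation; not vendor
code. The heartbeat table stands in for the last check-in times an EDR
console reports per agent, and the event records stand in for Windows
Security-log events 5157 (connection blocked by WFP; written only when
failure auditing for Filtering Platform Connection is enabled) and 5156
(connection permitted). All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed placeholder list of EDR agent binaries; substitute your own.
EDR_IMAGE_NAMES = {"mssense.exe", "elastic-endpoint.exe", "sentinelagent.exe"}

SAMPLE_NOW = datetime(2024, 10, 15, 10, 0)

# Constructed: last check-in per host as the EDR console would report it.
SAMPLE_HEARTBEATS = {
    "WS-001": datetime(2024, 10, 15, 9, 58),
    "WS-002": datetime(2024, 10, 15, 8, 3),   # quiet for almost two hours
    "SRV-01": datetime(2024, 10, 15, 9, 59),
}

# Constructed: selected fields of Security-log events, one dict per event.
SAMPLE_EVENTS = [
    {"host": "WS-002", "event_id": 5157, "direction": "Outbound", "filter_id": 70001,
     "time": datetime(2024, 10, 15, 8, 5),
     "application": r"\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe"},
    {"host": "WS-001", "event_id": 5157, "direction": "Outbound", "filter_id": 66002,
     "time": datetime(2024, 10, 15, 9, 30),
     "application": r"\device\harddiskvolume3\users\public\downloads\updater.exe"},
    {"host": "SRV-01", "event_id": 5156, "direction": "Outbound", "filter_id": 66003,
     "time": datetime(2024, 10, 15, 9, 59),
     "application": r"\device\harddiskvolume3\program files\elastic\endpoint\elastic-endpoint.exe"},
]


def image_name(nt_path):
    """Last component of an NT device path, lower-cased."""
    return nt_path.rsplit("\\", 1)[-1].lower()


def telemetry_gaps(heartbeats, now, max_silence=timedelta(minutes=30)):
    """Hosts whose last check-in is older than max_silence, with the gap length."""
    return {host: now - seen for host, seen in heartbeats.items()
            if now - seen > max_silence}


def edr_block_events(events, edr_images=EDR_IMAGE_NAMES):
    """Outbound 5157 block events whose blocked application is a listed EDR binary."""
    return [e for e in events
            if e["event_id"] == 5157 and e["direction"] == "Outbound"
            and image_name(e["application"]) in edr_images]


def correlate(heartbeats, events, now, max_silence=timedelta(minutes=30)):
    """Merge both signals per host: a telemetry gap plus a block event for the
    host's own EDR binary is rated high; either signal alone is medium."""
    gaps = telemetry_gaps(heartbeats, now, max_silence)
    blocks = {}
    for e in edr_block_events(events):
        blocks.setdefault(e["host"], []).append(e)
    report = {}
    for host in set(gaps) | set(blocks):
        report[host] = {
            "silent_for": gaps.get(host),
            "block_events": blocks.get(host, []),
            "priority": "high" if host in gaps and host in blocks else "medium",
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(correlate(SAMPLE_HEARTBEATS, SAMPLE_EVENTS, SAMPLE_NOW).items()):
        print(f"{host}: priority={info['priority']} silent_for={info['silent_for']} "
              f"blocked_filters={[e['filter_id'] for e in info['block_events']]}")
```

The block filter id carried in each 5157 event is the handle to take to the WFP filter audit in recommendation 3: it identifies which filter silenced the agent, so the two checks reinforce each other.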
2. Use Network-Based Detection and Monitoring
- Enable network monitoring and filtering: Implement network-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor and block suspicious outbound traffic, especially from endpoints that are expected to communicate with EDR management consoles.
- Monitor outbound connections: Set up network security controls to detect abnormal network traffic from EDR endpoints. Blocking outbound traffic to suspicious IP addresses or domains (e.g., C2 servers) can prevent attackers from successfully exfiltrating data.
- Implement segmentation: Use network segmentation to isolate critical systems and minimize lateral movement if an endpoint is compromised.
3. Audit and Harden Windows Filtering Platform (WFP)
- Audit WFP filters: Regularly audit and review WFP filters to ensure no unauthorized or malicious filters have been added to block EDR communications or other critical security functions.
- Use secure policies: Ensure that WFP rules are configured with secure policies that limit access to critical processes and communications. This can help prevent malware or tools like EDRSilencer from abusing the framework to disable security measures.
- Log filter changes: Enable logging of WFP filter changes to detect potential tampering attempts.
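One way to carry out the WFP filter audit above is to export the live filter set with `netsh wfp show filters file=filters.xml` and scan the export for block filters pinned to EDR binaries. The script below is an added example, not code from EDRSilencer, Trend Micro or any EDR vendor; it assumes the element layout of that netsh XML export (filters/item, layerKey, filterConditions, action/type, flags, filterId) and uses a constructed sample document and a placeholder list of EDR image names. A persistent block filter at an ALE_AUTH_CONNECT layer whose FWPM_CONDITION_ALE_APP_ID condition names an EDR agent is the footprint the "blocking EDR traffic" step described earlier leaves behind, and the same check covers the persistent-filter IOC in the section above.

```python
"""Audit a WFP filter export for block filters aimed at EDR processes.

Added example for the "Audit WFP filters" recommendation; not EDRSilencer
code and not any vendor's tooling. It parses the XML that
`netsh wfp show filters file=<path>` writes on a Windows host; the element
names below follow that export format as this example assumes it. The
sample document and the EDR binary list are constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed placeholder list of EDR agent binaries; substitute your own.
EDR_IMAGE_NAMES = {"mssense.exe", "elastic-endpoint.exe", "sentinelagent.exe"}
# Layers at which WFP authorises outbound connections (IPv4 and IPv6).
OUTBOUND_CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}


def _filter_item(key, name, layer, app_path, action, fid, persistent):
    """Render one <item> in the layout of the netsh export (sample data only)."""
    flag = "<item>FWPM_FILTER_FLAG_PERSISTENT</item>" if persistent else ""
    return f"""<item>
 <filterKey>{{{key}}}</filterKey>
 <displayData><name>{name}</name><description/></displayData>
 <flags><numItems>{int(persistent)}</numItems>{flag}</flags>
 <layerKey>{layer}</layerKey>
 <filterConditions><numItems>1</numItems><item>
  <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
  <conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
   <byteBlob><asString>{app_path}</asString></byteBlob></conditionValue>
 </item></filterConditions>
 <action><type>{action}</type></action>
 <filterId>{fid}</filterId>
</item>"""


# Constructed sample: a persistent block filter pinned to an EDR sensor, a
# volatile block filter for an unrelated binary, and a permit filter for an EDR agent.
SAMPLE_FILTERS_XML = '<?xml version="1.0"?>\n<wfpdiag><filters>\n' + "\n".join([
    _filter_item("11111111-1111-1111-1111-111111111111", "Custom Outbound Filter", "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
                 r"\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe",
                 "FWP_ACTION_BLOCK", 70001, persistent=True),
    _filter_item("22222222-2222-2222-2222-222222222222", "Block updater", "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
                 r"\device\harddiskvolume3\users\public\downloads\updater.exe",
                 "FWP_ACTION_BLOCK", 66002, persistent=False),
    _filter_item("33333333-3333-3333-3333-333333333333", "Allow EDR agent", "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
                 r"\device\harddiskvolume3\program files\elastic\endpoint\elastic-endpoint.exe",
                 "FWP_ACTION_PERMIT", 66003, persistent=False),
]) + "\n</filters></wfpdiag>\n"


def image_name(nt_path):
    """Last component of an NT device path, lower-cased (e.g. 'mssense.exe')."""
    return nt_path.rsplit("\\", 1)[-1].lower()


def find_edr_block_filters(xml_text, edr_images=EDR_IMAGE_NAMES):
    """Filters that BLOCK outbound connections of a listed EDR binary, with id,
    name, layer, matched application path and whether they survive a reboot."""
    root = ET.fromstring(xml_text)
    filters = root.find("filters")
    findings = []
    for item in ([] if filters is None else filters.findall("item")):
        if item.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        layer = item.findtext("layerKey", "")
        if layer not in OUTBOUND_CONNECT_LAYERS:
            continue
        flags = {f.text for f in item.findall("flags/item")}
        for cond in item.findall("filterConditions/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = cond.findtext("conditionValue/byteBlob/asString", "")
            if image_name(app) in edr_images:
                findings.append({
                    "filter_id": int(item.findtext("filterId", "0")),
                    "name": item.findtext("displayData/name", ""),
                    "layer": layer,
                    "application": app,
                    "persistent": "FWPM_FILTER_FLAG_PERSISTENT" in flags,
                })
    return findings


if __name__ == "__main__":
    # Pass the path of a real netsh export to audit it; otherwise use the sample.
    # The export is read as bytes so its own XML declaration governs decoding.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILTERS_XML
    for hit in find_edr_block_filters(data):
        kind = "PERSISTENT" if hit["persistent"] else "volatile"
        print(f"[{kind}] filter {hit['filter_id']} '{hit['name']}' at {hit['layer']} blocks {hit['application']}")
```

Any hit is worth escalating, but compare its display name and filter id against the filters your firewall and EDR products install themselves before removing it, since some products add their own WFP filters legitimately; a persistent block filter that nobody can account for matches the tampering this advisory describes.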
4. Implement File Integrity Monitoring (FIM)
- Track changes to critical files: Use File Integrity Monitoring (FIM) to track changes to files and processes related to your EDR solutions, operating system, and other security-critical components.
- Detect suspicious file modifications: Set up alerts for any unauthorized changes to EDR-related files, binaries, or configuration settings.
5. Employ Threat Hunting and Behavioral Analysis
- Conduct proactive threat hunting: Regularly perform threat-hunting activities to look for signs of tampering or the use of evasion techniques. Analyze system behavior for anomalies even if traditional indicators are not triggered.
- Use behavioral analysis: EDR solutions and security monitoring tools should leverage behavioral analysis to detect unusual or suspicious activity patterns (e.g., process executions, file modifications) that could indicate EDR evasion attempts.
6. Regularly Patch and Update Systems
- Patch vulnerabilities: Ensure that all operating systems, security software (including EDR solutions), and other critical applications are regularly updated to the latest versions with security patches.
- Mitigate known vulnerabilities: Address known vulnerabilities that could be exploited to disable or tamper with security software.
7. Use Application Whitelisting
- Implement application whitelisting: Use application whitelisting tools to prevent unauthorized executables like EDRSilencer from running on your endpoints. Only allow pre-approved software to execute, limiting the attacker’s ability to use malicious tools.
- Restrict execution of unsigned binaries: Enforce policies that restrict the execution of unsigned or untrusted binaries, especially those located in directories like C:\Users\Public\Downloads\.
8. Enforce Strong Access Controls
- Limit administrative privileges: Follow the principle of least privilege to limit access to critical security settings and processes. Ensure only authorized administrators can make changes to EDR configurations and WFP filters.
- Use multi-factor authentication (MFA): Enforce multi-factor authentication for privileged accounts to reduce the risk of account compromise and tampering with security solutions.
- Monitor privileged user activities: Log and monitor activities of privileged accounts to detect any suspicious behavior.