Cybercriminals have recently begun exploiting the open-source tool EDRSilencer to bypass endpoint detection and response (EDR) solutions, allowing them to mask their malicious activities. Researchers have observed attackers attempting to integrate EDRSilencer into their attacks as a stealthy means of avoiding detection.
EDRSilencer, inspired by the NightHawk FireBlock tool, uses the Windows Filtering Platform (WFP) to block outbound traffic from active EDR processes. This tool is capable of targeting a range of well-known EDR systems, including those from Microsoft, Elastic, Trellix, and more.
By using legitimate red-team tools like EDRSilencer, attackers aim to disable EDR software, making it difficult to detect and remove malware from infected systems.
The WFP is a robust framework built into Windows, widely used in security applications to filter and control network traffic. It allows developers to create custom rules to monitor and block network traffic, offering flexibility to manage security protocols.
Cybercriminals use EDRSilencer to identify running EDR processes and apply WFP filters that block the outbound network communications of these security tools, essentially cutting off their ability to communicate with management systems. This method enables malware to persist on a system undetected, which significantly raises the risk of a successful attack.
The attack process involves scanning the system to identify EDR processes, then deploying EDRSilencer with specific commands (e.g., “blockedr”) to stop outbound traffic from these processes via WFP filters.
By effectively muting security software, attackers are able to maintain stealth, increasing their chances of successful malware deployment without intervention.
This activity coincides with an uptick in the use of EDR-disabling tools by ransomware groups, including known tools like AuKill, EDRKillShifter, TrueSightKiller, and GhostDriver. These tools leverage vulnerable drivers to gain elevated privileges and terminate processes associated with security software.
To mitigate risks associated with such stealthy tools, organizations should prioritize a multi-layered defense strategy that includes frequent system patching, updated threat intelligence, and advanced detection capabilities like behavioral analysis tools.
Additionally, regular audits of system configurations and processes, combined with network segmentation, can help limit attackers’ ability to escalate privileges and inhibit their lateral movement within the network.