Emerging Threat: EDRSilencer Tool Shields Malware from Detection

Trend Micro’s Threat Hunting Team has identified cybercriminals misusing a red team tool known as EDRSilencer. Originally written to test whether endpoint detection and response (EDR) agents can be blinded, EDRSilencer is now being deployed by malicious actors to cut those agents off from their management consoles, leaving compromised hosts without working endpoint defenses.

Trend Micro’s Discovery of EDRSilencer

The Trend Micro Threat Hunting Team uncovered EDRSilencer, a tool that interferes with EDR solutions by abusing the Windows Filtering Platform (WFP). Released as a red team tool, it has been adopted by threat actors to block the outbound traffic that carries telemetry and alerts from EDR products to their management consoles. The endpoint keeps running its agent, but nothing it observes reaches system administrators or the security information and event management (SIEM) system, so malware on the host goes unidentified and unremoved.

How EDRSilencer Operates

EDRSilencer is particularly insidious because it works at the network-policy layer rather than by tampering with the EDR process itself: it walks the running processes, matches them against a hardcoded list of EDR executables, and creates a WFP filter for each match that blocks that process’s outbound communication. The filters are created for both IPv4 and IPv6, so the agent has no fallback path for its telemetry. The tool can also be pointed at arbitrary executables outside its hardcoded list, which makes it usable against products the authors never targeted.

WFP is a legitimate, built-in Windows framework on which firewalls and other network filtering and security software are built. Through its APIs, developers can set rules that monitor, block, or modify traffic based on parameters such as the originating executable, protocol, address, or port. Creating a filter is therefore not suspicious in itself; what makes EDRSilencer a threat is what its filters target, which is why defenders need to inspect the filter set rather than just watch for API use.
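The practical check for the mechanism described above is to dump the live WFP filter table and look for BLOCK filters scoped to a single executable. The following PowerShell script is an added example for this article; it is not code from Trend Micro or from the EDRSilencer project. It assumes the XML element names that `netsh wfp show filters` writes on Windows 10/11 (verify against one entry of a fresh dump if it returns nothing), and its watch list is constructed from the EDR binaries named in this article.

```powershell
# Added example, not code from Trend Micro or from the EDRSilencer project.
# Dumps the live WFP filter set with "netsh wfp show filters" and reports
# BLOCK filters that are scoped to one executable (FWPM_CONDITION_ALE_APP_ID),
# which is the shape of filter EDRSilencer installs. Run from an elevated prompt.
# Assumptions: the XML element names below are the ones netsh writes on
# Windows 10/11; the watch list is constructed from the binaries named in the article.

param(
    [string]   $DumpPath  = (Join-Path $env:TEMP 'wfpfilters.xml'),
    [string[]] $WatchList = @('RepMgr.exe', 'RepUtils.exe', 'RepUx.exe', 'RepWAV.exe',
                              'RepWSC.exe', 'sfc.exe', 'MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe')
)

# netsh writes the whole filter table, including persistent (boot-surviving) filters.
netsh.exe wfp show filters "file=$DumpPath" | Out-Null
if (-not (Test-Path -LiteralPath $DumpPath)) {
    throw "netsh did not write $DumpPath; is this an elevated prompt?"
}
[xml] $dump = Get-Content -LiteralPath $DumpPath -Raw

# The ALE_APP_ID condition carries the image path as a UTF-16LE byte blob
# (an NT path such as \device\harddiskvolume3\...\msmpeng.exe). Prefer netsh's
# asString rendering and fall back to decoding the hex bytes ourselves.
function Get-AppIdPath([System.Xml.XmlElement] $Condition) {
    $blob = $Condition.conditionValue.byteBlob
    if ($blob.asString) { return [string] $blob.asString }
    $hex   = ([string] $blob.data) -replace '[^0-9A-Fa-f]', ''
    $bytes = [byte[]] (0..($hex.Length / 2 - 1) | ForEach-Object {
        [Convert]::ToByte($hex.Substring($_ * 2, 2), 16)
    })
    return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char] 0)
}

$findings = foreach ($f in $dump.SelectNodes('//filters/item')) {
    if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
    # Only filters keyed on a specific executable are per-process blocks.
    $appCond = $f.SelectNodes("filterCondition/item[fieldKey='FWPM_CONDITION_ALE_APP_ID']")
    if ($appCond.Count -eq 0) { continue }
    $path = Get-AppIdPath $appCond[0]
    $leaf = Split-Path -Path $path -Leaf
    [pscustomobject] @{
        FilterId   = [string] $f.filterId
        Name       = [string] $f.displayData.name        # attacker-chosen; do not key detection on it
        Layer      = [string] $f.layerKey                # e.g. FWPM_LAYER_ALE_AUTH_CONNECT_V4 / _V6
        Persistent = [bool] $f.SelectSingleNode("flags/item[.='FWPM_FILTER_FLAG_PERSISTENT']")
        Target     = $path
        OnWatch    = ($WatchList -contains $leaf)        # -contains is case-insensitive
    }
}

if (-not $findings) { Write-Host 'No per-process BLOCK filters found.'; return }
# Watched EDR binaries first: a persistent outbound block on one of them is the EDRSilencer signature.
$findings |
    Sort-Object -Property @{ Expression = 'OnWatch'; Descending = $true }, Target |
    Format-Table -AutoSize
```

Two caveats when reading the output. First, the filter’s display name is whatever the tool that created it chose, so match on action, condition and target rather than on the name. Second, `netsh wfp` can show filters but offers no command to delete one; a filter you find this way has to be removed through the WFP API (or, if the attacker left the tool behind, its own unblock option), so treat the finding as an incident, not a configuration cleanup.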

List of EDR Products Affected

EDRSilencer targets various EDR products, significantly broadening its impact across multiple security platforms. Here are some of the products and processes disrupted by this tool:

  • Carbon Black Cloud: RepMgr.exe, RepUtils.exe, RepUx.exe, RepWAV.exe, RepWSC.exe
  • Cisco Secure Endpoint: sfc.exe
  • Microsoft Defender: MsMpEng.exe, MsSense.exe, SenseIR.exe

Verification and Testing

To examine EDRSilencer’s effect, Trend Micro used EDRNoiseMaker, a tool available on GitHub that identifies potential silencers of an EDR, or of any process the user selects, by looking for processes whose traffic has been cut off through WFP. In this testing, EDRSilencer blocked communication from EDR processes that were not in its hardcoded list as well, confirming that its reach is not limited to the products its authors enumerated.

The persistence of the WFP filters, which remain in place after the tool exits and survive a system reboot, further underscores the tool’s effectiveness: the EDR agent stays cut off until someone finds and removes the filters. EDRSilencer offers a command-line interface with options to block or unblock traffic from EDR processes, giving attackers control over which agents are silenced and for how long.

Attack Chain and Execution

EDRSilencer’s attack chain can be summarized as follows:

  1. Process Discovery: The tool enumerates running processes and matches them against its list of known EDR executables.
  2. Execution: Using the blockedr command, the tool adds a WFP block filter for every detected EDR process, for both IPv4 and IPv6.
  3. Persistence: The WFP filters are marked as persistent so the blockage survives a reboot. Adding WFP filters requires administrator rights, so the tool must already be running elevated; it does not escalate privileges itself.
  4. Impact: The EDR agents keep running but can no longer send telemetry or alerts, so the malware on the host remains unidentified.
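The chain above leaves traces in the Windows Security log that do not depend on the silenced agent: event 5447 when a WFP filter is added, and event 5157 when WFP blocks an outbound connection from the EDR binary that is trying to phone home. The following PowerShell script is an added example for this article, not code from Trend Micro or from the EDRSilencer project. It assumes the English event message templates for 5447 and 5157, that WFP auditing is enabled (off by default; the -EnableAudit switch turns it on with auditpol), and uses a watch list constructed from the EDR binaries named in this article.

```powershell
# Added example, not code from Trend Micro or from the EDRSilencer project.
# Hunts the Security log for the two traces the EDRSilencer chain leaves even
# when the EDR agent itself can no longer report: event 5447 (a WFP filter was
# added) and event 5157 (WFP blocked an outbound connection) naming an EDR binary.
# Both require WFP auditing, which is off by default. Run from an elevated prompt.
# Assumptions: matching targets the English event templates; the watch list is
# constructed from the binaries named in the article.

param(
    [switch]   $EnableAudit,
    [int]      $Hours     = 24,
    [string[]] $WatchList = @('RepMgr.exe', 'RepUtils.exe', 'RepUx.exe', 'RepWAV.exe',
                              'RepWSC.exe', 'sfc.exe', 'MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe')
)

if ($EnableAudit) {
    # 5447 is logged under "Filtering Platform Policy Change", 5157 under "Filtering Platform Connection".
    auditpol.exe /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

# One regex over the watched image names, anchored on the preceding backslash so
# "sfc.exe" matches only as a whole file name inside an NT path.
$watchRegex = '(?i)\\(' + (($WatchList | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
$since      = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447, 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $msg = $e.Message
    switch ($e.Id) {
        5447 {
            # A BLOCK filter was added and its conditions name a watched binary.
            # The last -match in the chain is $watchRegex, so $Matches[1] is the binary.
            if ($msg -match '(?im)^\s*Change Type:\s*Add' -and
                $msg -match '(?im)^\s*Action:\s*Block' -and
                $msg -match $watchRegex) {
                [pscustomobject] @{
                    Time   = $e.TimeCreated; Id = 5447; Binary = $Matches[1]
                    Detail = 'BLOCK filter added for this process'
                }
            }
        }
        5157 {
            # The EDR process actually tried to connect outbound and WFP dropped it.
            if ($msg -match '(?im)^\s*Direction:\s*Outbound' -and $msg -match $watchRegex) {
                $binary   = $Matches[1]
                $filterId = if ($msg -match '(?im)^\s*Filter Run-Time ID:\s*(\d+)') { $Matches[1] } else { '?' }
                [pscustomobject] @{
                    Time   = $e.TimeCreated; Id = 5157; Binary = $binary
                    Detail = "outbound connection blocked by filter run-time ID $filterId"
                }
            }
        }
    }
}

if (-not $hits) { Write-Host "No EDR-related WFP events in the last $Hours hours (is WFP auditing enabled?)"; return }
$hits | Sort-Object Time | Format-Table -AutoSize
```

The filter run-time ID reported in 5157 is the same ID that appears in a WFP filter dump, so a 5157 hit can be tied back to the exact filter that needs removing. The important operational caveat is collection: once an agent is silenced it cannot forward its own Security log, so these events only reach the SOC if the Security log is shipped by an independent channel such as Windows Event Forwarding, or if the script is run on the host during incident response.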

Conclusion

Trend Micro’s Threat Hunting Team has uncovered a damaging misuse of the red team tool EDRSilencer by cybercriminals. Written to assess how robust endpoint detection and response (EDR) systems are against having their communications cut, EDRSilencer is now being used by malicious actors to do exactly that in real intrusions, which matters because those agents are the primary means of identifying, mitigating, and responding to threats on the endpoint.

What was built to strengthen defenses has been turned against them. By silencing the endpoint agent rather than disabling it outright, attackers leave a host that appears protected while its alerts never arrive, exposing organizations to a heightened risk of undetected breaches. The episode highlights how attackers keep looking for ways around advanced security controls, and it is a reminder that a security tool becomes an attacker’s capability the moment it is in the wrong hands; defenders should inspect WFP filter state and audit filter changes rather than trusting that a running agent is a reporting one.
