Thursday, November 21, 2024

Bad Actors Manipulate Red-Team Tools to Evade Detection

EDRSilencer, a tool frequently used in red-team operations, is being co-opted by the dark side in malicious attempts to identify security tools and mute security alerts.

As an open source endpoint detection and response tool that detects EDR processes running on a system, EDRSilencer uses Windows Filtering Platform (WFP) to monitor, block, and modify network traffic. 

The red-team tool is capable of blocking 16 common EDR tools, including Microsoft Defender, SentinelOne, FortiEDR, Palto Alto Networks Traps/Cortex XDR, and TrendMicro Apex One, among others.

The threat actors behind the subversion are attempting to integrate the tool into their attacks and repurpose it to evade detection. If successful, they can disrupt data exchange between EDRSilencer and its management server, preventing not just alerts but also detailed telemetry reports. It also gives the attackers options to add filters or avoid certain file paths to evade detection.

“The emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors,” the researchers at TrendMicro wrote in a post. “By disabling critical security communications, it enhances the stealth of malicious activities, increasing the potential for successful ransomware attacks and operational disruptions.”

The researchers note that organizations must remain vigilant and implement advanced detection mechanisms as well as threat hunting strategies to counteract these evasion tools.


Related Articles

Latest Articles