Blog

How EDRSilencer Helps Attackers Bypass EDR Security Solutions

For attackers, stealth is crucial for success. Combatting undetected attacker activities has been a major driving force in the development of more sophisticated security tools. Remaining undetected allows attackers to extend their dwell time within a compromised network, conduct reconnaissance and strategize how to best benefit from the breach. Attackers must avoid triggering alerts that could notify defenders of their presence. This involves bypassing traditional security measures like malware scanners and intrusion detection systems (IDS), as well as more advanced solutions such as Endpoint Detection and Response (EDR) products. By evading defense systems, attackers can operate quietly, gather intelligence, and execute their ultimate goals, increasing the potential impact of their attacks.

In this article we will review a tool that has recently been implicated by TrendMicro for its use in active cyber attacks. Named EDRSilencer, this red-team pentesting tool is designed to disable EDR security products allowing malicious actors to continue with their attack undetected. 

Why Do Attackers Want to Block EDR Security Products?

The emergence of Endpoint Detection and Response (EDR) security solutions stems from the limitations of traditional security products. Conventional malware scanning tools rely on known signatures, which attackers can easily evade by modifying or re-packaging malware strains, making these tools less effective against new or altered threats. While vulnerability scanning solutions can identify many entry points that attackers might exploit to gain unauthorized access, they often fall short when it comes to detecting zero-day vulnerabilities - flaws unknown to the software vendor. Attackers can analyze software source code to discover these zero days, even using AI allowing them to infiltrate systems which defenders may believe are secure.

As a result, defenders need tools that can monitor endpoints at the system level to detect indicators of compromise (IoC) and suspicious activity directly on the device. EDR solutions fulfill this role by providing real-time monitoring and analysis of system behavior, making it more challenging for attackers to operate without being detected. For this reason, attackers have a strong incentive to disable or bypass EDR products to evade detection and maintain control over compromised systems. For more details on how EDR technology functions, refer to our previous blog post, which outlines the various types of EDR technology and delves into how these solutions work.

What is EDRSilencer?

EDRSilencer is a red team penetration testing tool available on GitHub that enables users to block the outbound traffic of running Endpoint Detection and Response (EDR) processes. The tool has out-of-the-box support for nearly 20 popular enterprise EDR solutions including Microsoft Defender, Qualys EDR, SentinelOne, BlackBerry Cylance, Palo Alto's Cortex XDR, FortiEDR, ESET Inspect, TrendMicro Apex One, and more. 

Development was inspired by FireBlock, a closed-source solution from MdSec NightHawk, which led the author, Netero1010,  to create an open-source tool for applying the Windows Filtering Platform (WFP) APIs to EDR security products.

How Does EDRSilencer Work?

The main functionality of EDRSilencer is to search for known running EDR processes and apply Windows Filtering Platform (WFP) filters to block their outbound traffic, effectively preventing them from sending detection, alert, or event-forwarding data. Additionally, EDRSilencer can add or remove specific WFP filters, run in command-and-control (C2) environments, and in-memory via Portable Executable (PE) execution, and manage custom filtering configurations to avoid detection.

EDRSilencer offers the following key features:

  • Searches for known running EDR processes and creates WFP filters to block them from sending data

  • Supports custom WFP filters for processes defined by name

  • Can remove its own WFP filters or arbitrary WFP filters by ID

  • Enables integration with C2 frameworks through in-memory PE execution modules (e.g., BruteRatel's memexec)

What is the Windows Filtering Platform (WFP)?

In simple terms, the Windows Filtering Platform is the underlying framework that allows various components to perform firewall actions on network traffic at the Windows kernel level as well as advanced operations on network traffic, such as deep packet inspection. One of the most familiar applications that uses WFP is the Windows Defender Firewall. Additionally, some other third-party firewalls, services, and other applications can interact with the WFP to manage network behaviors. The Base Filtering Engine service mediates changes to the WFP between user mode and the kernel.

WFP Architecture Overview

The most important components of WFP to understand are:

  • Filter: Filters can permit, block or take other actions (terminating a process, conducting deep-packet inspection, etc.) based on IP address, port, application, protocol, user, or other details of the network communication. Each filter has a priority, which determines the order in which filters are evaluated.

  • Layer: Layers are defined points in the networking stack where the Windows operating system can inspect and filter network traffic. Each layer corresponds to a specific event or stage in the process of network communication, such as sending, receiving, or or different stages of a TCP handshake when establishing a connection. Application Layer Enforcement (ALE) layers within WFP are stateful, meaning they maintain information across the duration of a connection, while other layers operate statelessly.

  • Sublayer: WFP sublayers are logical groupings of filters within WFP. They are used to organize and manage filters to ensure that their behavior is predictable and consistent. Filters are grouped into sublayers. For example, firewall rules may belong to one sublayer, while rules related to service hardening or network traffic monitoring might belong to another. Sublayers ensure predictable behavior of filters and prevent conflicts between filters.

Conclusion

EDRSilencer is an open-source red team tool designed to bypass EDR security products by blocking their outbound traffic using Windows Filtering Platform (WFP) APIs. Inspired by the closed-source FireBlock tool, EDRSilencer can effectively prevent nearly 20 popular EDR solutions from sending detection or alert data, allowing attackers to evade detection. By utilizing WFP filters, it can control network behaviors and avoid typical access denials encountered with EDR processes. This capability to block EDR communication is critical for attackers, as it allows them to operate stealthily, maintain control over compromised systems, and plan their attacks without triggering alerts.

Would you like to learn more?

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.