Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

    Date: 10/16/2024

    Severity: High 

    Summary

    The Trend Micro Threat Hunting Team recently found EDRSilencer, a red team tool designed to disrupt endpoint detection and response (EDR) solutions using the Windows Filtering Platform (WFP). Internal telemetry indicated that threat actors are repurposing it to evade detection during their attacks. EDRSilencer blocks telemetry transmission to EDR management consoles, hindering malware identification and removal. It dynamically identifies running EDR processes and creates WFP filters to block their outbound communication; during testing it also blocked processes that were not on its hardcoded list.

    Indicators of Compromise (IOC) List

    Hash

    721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash:

    sha256hash IN ("721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7")
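    The query above matches only the known file hash, while the summary explains that the tool's footprint on a host is a set of WFP block filters on the outbound connection layers, keyed to EDR executables. The following script is an added example (not from the Gurucul advisory, Trend Micro, or the tool itself) that parses an XML export of WFP filters and flags block filters whose application-id condition names a known EDR process. It assumes the element layout written by `netsh wfp show filters file=<out>.xml` (`<filters><item>` entries with `<layerKey>`, `<action><type>`, and `<filterConditions><item>` carrying `<fieldKey>` and `<conditionValue><byteBlob><asString>`); that layout, the EDR process watch list, and the sample document are all constructed for the example.

```python
"""Flag WFP block filters that target known EDR processes, from an XML export.

Added example, not code from the advisory or the tool. The XML element names
below are an ASSUMPTION about the layout of `netsh wfp show filters file=...`
output; adjust them if your export differs. The sample document is constructed.
"""

import xml.etree.ElementTree as ET

# Constructed watch list of EDR/AV processes that send telemetry; extend it with
# the agents actually deployed in your environment.
EDR_PROCESS_NAMES = {
    "msmpeng.exe",          # Microsoft Defender Antivirus
    "mssense.exe",          # Microsoft Defender for Endpoint
    "csfalconservice.exe",  # CrowdStrike Falcon
    "cbdefense.exe",        # Carbon Black
}

# ALE layers where a BLOCK filter silences a process's outbound connections.
OUTBOUND_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}


def _text(elem, path, default=""):
    """Return the stripped text of the first child at `path`, or `default`."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def find_suspicious_filters(xml_text):
    """Return dicts for BLOCK filters on outbound ALE layers whose
    FWPM_CONDITION_ALE_APP_ID condition points at a known EDR executable."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        # Condition <item>s nested inside a filter have no <layerKey>, so this
        # check also skips them.
        layer = _text(item, "layerKey")
        if layer not in OUTBOUND_LAYERS:
            continue
        if _text(item, "action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in item.findall("filterConditions/item"):
            if _text(cond, "fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app_path = _text(cond, "conditionValue/byteBlob/asString")
            exe = app_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in EDR_PROCESS_NAMES:
                hits.append({
                    "filter_name": _text(item, "displayData/name"),
                    "filter_key": _text(item, "filterKey"),
                    "layer": layer,
                    "process": exe,
                    "app_path": app_path,
                })
    return hits


# Constructed sample: one block filter against Defender (should be flagged), one
# permit filter against Defender and one block filter against an unrelated
# program (neither should be flagged).
SAMPLE_WFP_XML = r"""<wfpdiag>
  <filters>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
      <displayData><name>Example block filter</name><description/></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterConditions>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob><asString>\device\harddiskvolume3\program files\windows defender\MsMpEng.exe</asString></byteBlob>
          </conditionValue>
        </item>
      </filterConditions>
    </item>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
      <displayData><name>Example permit filter</name><description/></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_PERMIT</type></action>
      <filterConditions>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob><asString>\device\harddiskvolume3\program files\windows defender\MsMpEng.exe</asString></byteBlob>
          </conditionValue>
        </item>
      </filterConditions>
    </item>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000003}</filterKey>
      <displayData><name>Unrelated block filter</name><description/></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterConditions>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob><asString>\device\harddiskvolume3\windows\system32\notepad.exe</asString></byteBlob>
          </conditionValue>
        </item>
      </filterConditions>
    </item>
  </filters>
</wfpdiag>"""


if __name__ == "__main__":
    for hit in find_suspicious_filters(SAMPLE_WFP_XML):
        print(f"SUSPICIOUS {hit['layer']}: {hit['process']} blocked by "
              f"'{hit['filter_name']}' ({hit['filter_key']})")
```

Running the script against a real export is a matter of reading the file into `find_suspicious_filters`; a non-empty result, or a diff against a baseline export taken before the incident, is the signal to pivot on, since a hash match alone misses rebuilt or renamed copies of the tool while the filters it leaves behind are its persistent effect on the host.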

    Reference:

    https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html 


    Tags

    Malware, EDRSilencer


