It is a well-known fact that hackers use legitimate software in their attacks whenever possible. Well, now we can add EDRSilencer to that list.
Earlier this week, cybersecurity researchers from Trend Micro published a new report in which they claim to have observed EDRSilencer being used in cyber attacks. This tool, they say, is primarily designed for penetration testing, to be used by red teams who simulate real cyber attacks and stress test their networks against intruders.
The tool is short for Endpoint Detection and Response Silencer and is designed to disrupt or disable EDR solutions intended to monitor and detect suspicious activity on endpoints, such as computers or devices within a network. By neutralizing EDR defenses, attackers can carry out their malicious activities, such as data theft or system exploitation, without being noticed.
Significant change in tactics
Trend Micro said that with the help of EDRSilencer, criminals were able to render EDR tools ineffective and prevent them from sending telemetry, alerts or other data to their management controls. “The emergence of EDRSilencer as a means to evade endpoint detection and response systems marks a significant shift in the tactics used by threat actors,” the researchers concluded.
According to BleepingComputerEDRSilencer is an open source tool inspired by MdSec NightHawk FireBlock. This is a proprietary penetration testing tool that detects active EDR processes and uses the Windows Filtering Platform (WFP) to monitor, block or modify network traffic on the IPv4 and IPv6 communications protocol.
EDRSilencer can detect and block 16 EDR tools, including Microsoft Defender, FortiEDR, SentinelOne, and many others.
This isn’t the first time legitimate pentesting tools have been used for nefarious purposes. Perhaps the best example of such a practice is Cobalt Strike, a tool that is now widely regarded as malware despite its original design being considered benign.
Via BleepingComputer