{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/carbon-black/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender","Carbon Black","SentinelOne"],"_cs_severities":["high"],"_cs_tags":["edr","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Carbon Black","SentinelOne"],"content_html":"\u003cp\u003eEDRSilencer is a publicly available tool inspired by the FireBlock feature of MDSec\u0026rsquo;s Nighthawk framework. It uses the Windows Filtering Platform (WFP) API to block outbound traffic from running Endpoint Detection and Response (EDR) processes: the agent keeps running on the host, but its telemetry and alerts never reach the vendor backend, so detection and response are degraded without any process being killed. The tool enumerates running processes, matches them against a built-in list of EDR executable names, and adds a WFP block filter for each match; it can also add a filter for an arbitrary process path and remove filters individually or all at once. It ships its own implementation of the WFP application-ID lookup so that it never calls CreateFileW on the EDR binary, avoiding the file handle access failure that protected EDR files would otherwise cause. The built-in list covers a wide range of products, including Microsoft Defender, Carbon Black and SentinelOne, but the detections in this brief should be validated against the EDR products actually deployed in your environment. 
EDRSilencer has been tested on Windows 10 and Windows Server 2016.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, for example through phishing or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker transfers the EDRSilencer binary (EDRSilencer.exe, possibly renamed) to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker runs the tool with administrative privileges; adding WFP filters requires them, so an unprivileged foothold must first be escalated.\u003c/li\u003e\n\u003cli\u003eEDRSilencer enumerates running processes and matches them against its built-in list of EDR executable names (Microsoft Defender, Carbon Black, SentinelOne and others).\u003c/li\u003e\n\u003cli\u003eFor each match it adds WFP filters that block outbound IPv4 and IPv6 connections from that process image.\u003c/li\u003e\n\u003cli\u003eThe agent keeps running and collecting locally but can no longer reach its management backend: telemetry and alerts are not delivered, and response actions, policy and signature updates are not received.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with lateral movement, data exfiltration or ransomware deployment without the console seeing it.\u003c/li\u003e\n\u003cli\u003eAfter completing the objectives, the attacker may remove the filters (individually or all at once) and delete the tool to hide the tampering.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful EDRSilencer run leaves the endpoint effectively unmonitored while it still appears to have an agent installed. Blocking the outbound traffic of the EDR processes removes the console\u0026rsquo;s visibility into the host, which delays incident response, extends attacker dwell time, and raises the likelihood of data theft, ransomware deployment and other follow-on activity. 
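\u003c/p\u003e\n\u003cp\u003eAs an added example (not code from this brief or from the EDRSilencer project), the following Python implements the two process-creation checks the attack chain above gives a defender: the image name EDRSilencer.exe and the blockedr verb in the command line. It runs over constructed sample events shaped like Sysmon Event ID 1 and Security 4688 records after a collector has normalized the 4688 NewProcessName field to Image; the event contents, that normalization, and the unblockall token (taken from the tool\u0026rsquo;s usage text rather than from this page) are assumptions.\u003c/p\u003e

```python
"""Process-creation checks for EDRSilencer, run over constructed sample events.

Added example for this brief; not code from the EDRSilencer project or any vendor.
Events are dicts shaped like Sysmon EID 1 / Security 4688 records after an (assumed)
collector normalized 4688's NewProcessName to the Sysmon field name Image.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

IMAGE_NAME = "edrsilencer.exe"
# "blockedr" is the verb this brief's rules key on.  "unblockall" is an assumption
# taken from the tool's usage text (removes every filter it added); it is not on the page.
VERB_TOKENS = {"blockedr", "unblockall"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: tool run under its own name, recorded by Sysmon
    {"EventID": 1, "Image": r"C:\Users\dev\Downloads\EDRSilencer.exe",
     "CommandLine": r'"C:\Users\dev\Downloads\EDRSilencer.exe" blockedr'},
    # 1: renamed binary, Security 4688 with command-line auditing enabled
    {"EventID": 4688, "Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r'"C:\Windows\Temp\svc.exe" blockedr'},
    # 2: Security 4688 without command-line auditing: only the image name is available
    {"EventID": 4688, "Image": r"C:\Temp\EDRSilencer.exe", "CommandLine": ""},
    # 3: benign; contains "unblock" but not a tool verb
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo unblock all"},
    # 4: benign; the verb string appears only inside a path token
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes\blockedr.txt"},
]


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str      # "image_name" or "verb_token"
    detail: str


def _tokens(command_line: str) -> list[str]:
    """Split a Windows command line into lower-cased tokens, keeping quoted paths whole."""
    try:
        return [t.lower() for t in shlex.split(command_line, posix=False)]
    except ValueError:            # unbalanced quotes: degrade to a whitespace split
        return command_line.lower().split()


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(index: int, event: dict) -> list[Finding]:
    """Apply both rules to one normalized process-creation event."""
    findings: list[Finding] = []
    # Rule 1: image name.  Weak on its own, since the binary is trivially renamed.
    if _basename(event.get("Image", "")) == IMAGE_NAME:
        findings.append(Finding(index, "image_name", event["Image"]))
    # Rule 2: verb token.  Survives a rename, but needs the command line to be logged.
    hits = VERB_TOKENS.intersection(_tokens(event.get("CommandLine") or ""))
    if hits:
        findings.append(Finding(index, "verb_token", ",".join(sorted(hits))))
    return findings


def run_detection(events: list[dict]) -> tuple[list[Finding], int]:
    """Return all findings plus the number of 4688 events that carried no command line."""
    findings: list[Finding] = []
    no_cmdline = 0
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4688 and not ev.get("CommandLine"):
            no_cmdline += 1    # host without "Include command line in process creation events"
        findings.extend(check_event(i, ev))
    return findings, no_cmdline


if __name__ == "__main__":
    found, gaps = run_detection(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f.event_index}: {f.rule} -> {f.detail}")
    print(f"4688 events without command line (audit setting missing): {gaps}")
```

\u003cp\u003eThe 4688 record with an empty command line is counted as a coverage gap rather than silently passed: that is what a host without command-line auditing looks like, and it is exactly the case in which a renamed binary escapes both checks. Matching the verb as a whole token rather than as a substring is what keeps a file named blockedr.txt from firing the rule.\u003c/p\u003e\n\u003cp\u003e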
Any organization running one of the affected EDR products on Windows endpoints is exposed; the technique relies on documented WFP behaviour rather than on a vulnerability in any single product.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect EDRSilencer execution, and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs (Sysmon Event ID 1 or Windows Security event 4688) for the image name \u003ccode\u003eEDRSilencer.exe\u003c/code\u003e and for command lines carrying the tool\u0026rsquo;s \u003ccode\u003eblockedr\u003c/code\u003e verb, which the Sigma rules key on; the verb match is the one that survives a renamed binary.\u003c/li\u003e\n\u003cli\u003eSecurity 4688 only includes the command line when the policy \u0026ldquo;Include command line in process creation events\u0026rdquo; is enabled; without it, only the image-name match can fire. Sysmon always records the command line, so enable Sysmon process creation logging (or command-line auditing for 4688) before relying on these rules.\u003c/li\u003e\n\u003cli\u003eAudit WFP changes: enable \u0026ldquo;Audit Filtering Platform Policy Change\u0026rdquo; so that filter additions and removals are logged as Security event 5447, and \u0026ldquo;Audit Filtering Platform Connection\u0026rdquo; so that outbound connections the filters block from the EDR binaries appear as event 5157. Investigate any such events not attributable to a known product or firewall change.\u003c/li\u003e\n\u003cli\u003eOn a suspect host, dump the active filters with \u003ccode\u003enetsh wfp show filters\u003c/code\u003e (written to filters.xml) and look for block filters whose application-ID condition names an EDR binary.\u003c/li\u003e\n\u003cli\u003eAlert on sensors that stop checking in to the console while the host is still up and producing other logs; a silenced agent looks like an offline sensor.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised endpoint.\u003c/li\u003e\n\u003cli\u003eKeep the EDR vendor\u0026rsquo;s tamper-protection features enabled and review EDR configurations regularly to ensure they are resilient against tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-edrsilencer/","summary":"The EDRSilencer tool is designed to block outbound traffic of EDR processes by leveraging Windows Filtering Platform (WFP) APIs to evade endpoint defenses.","title":"EDRSilencer Execution Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-edrsilencer/"}],"language":"en","title":"CraftedSignal Threat Feed — Carbon Black","version":"https://jsonfeed.org/version/1.1"}