{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/red-team/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Endpoint Detection and Response (EDR) solutions"],"_cs_severities":["medium"],"_cs_tags":["edr-evasion","defense-evasion","red-team"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief summarizes a discussion on the r/blueteamsec subreddit regarding \u0026quot;EDR killers.\u0026quot; The post, submitted by user /u/rkhunter_, links to an article on WeLiveSecurity (ESET's blog) that explores techniques used by attackers to disable or bypass Endpoint Detection and Response (EDR) solutions. This discussion highlights the evolving tactics employed by threat actors to evade detection and maintain persistence within compromised environments. While the specifics of these \u0026quot;beyond the drivers\u0026quot; techniques aren't detailed in the Reddit post itself, the reference to ESET's research indicates a focus on advanced methods that go beyond simply unloading kernel drivers associated with EDR products. Defenders need to be aware of the broader spectrum of EDR evasion tactics to effectively protect their systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Attacker gains initial access to the system through methods not specified in this brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative or system-level access, a necessary step for many EDR killer techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify the presence and configuration of EDR solutions installed on the system. This can involve querying system processes, registry keys, or file system locations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEDR Service Enumeration:\u003c/strong\u003e Attacker enumerates the services associated with the EDR solution to identify potential targets for disabling or manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Termination:\u003c/strong\u003e The attacker attempts to terminate EDR-related processes using tools like \u003ccode\u003etaskkill.exe\u003c/code\u003e or by directly manipulating process handles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disabling:\u003c/strong\u003e The attacker attempts to disable EDR services by modifying their startup configuration in the registry or using tools like \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegistry Modification:\u003c/strong\u003e The attacker modifies registry keys associated with the EDR to disable features, tamper with configurations, or prevent the EDR from starting.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence using various methods to maintain access even if the EDR is re-enabled or the system is restarted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of EDR killer techniques can severely impair an organization's ability to detect and respond to security incidents. With the EDR effectively disabled, attackers can operate with impunity, deploying malware, exfiltrating sensitive data, or launching ransomware attacks without immediate detection. The number of victims and sectors targeted depend on the attacker's objectives. The potential consequences include data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious process terminations, particularly those targeting processes commonly associated with EDR solutions (Attack Chain, step 5). Deploy a Sigma rule to detect the use of \u003ccode\u003etaskkill.exe\u003c/code\u003e or similar tools to terminate EDR processes.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for changes to service configurations, specifically focusing on services associated with EDR products (Attack Chain, step 6). Deploy a Sigma rule to detect modifications to the startup type of EDR services in the registry.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and registry modification logging to provide the necessary data for the Sigma rules mentioned above.\u003c/li\u003e\n\u003cli\u003eRegularly review and update EDR configurations and signatures to address emerging evasion techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-edr-killers-reddit/","summary":"A Reddit post on r/blueteamsec references an ESET WeLiveSecurity article discussing EDR killer techniques that extend beyond driver manipulation.","title":"Discussion of EDR Killers on Reddit","url":"https://feed.craftedsignal.io/briefs/2024-01-29-edr-killers-reddit/"}],"language":"en","title":"CraftedSignal Threat Feed - Red-Team","version":"https://jsonfeed.org/version/1.1"}