Another red teaming tool has been hijacked by criminals — EDRSilencer used to muffle defensive security tools

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

It is a known fact that hackers use legitimate software in their attacks, whenever possible - and now we can add EDRSilencer to that list.

Cybersecurity researchers from Trend Micro published a report in which they claim to have observed EDRSilencer being deployed in cyberattacks. This tool, they say, was primarily designed for penetration testing, to be used by red teams as they simulate real-life cyberattacks and stress-test their networks against intruders.

Short for Endpoint Detection and Response Silencer, the tool was designed to interfere with, or disable, EDR solutions that are meant to monitor and detect suspicious activity on endpoints, such as computers or devices within a network. By neutralizing EDR defenses, attackers can carry out their malicious activities, such as data theft or system exploitation, without being detected.

Significant shift in tactics

Trend Micro said crooks managed, with the help of EDRSilencer, to render EDR tools ineffective and stop them from sending telemetry, alerts, or other data, to their management controls.

“The emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors,” the researchers concluded.

EDRSilencer is an open-source tool inspired by MdSec NightHawk FireBlock. This is a proprietary penetration testing tool that detects running EDR processes and uses the Windows Filtering Platform (WFP) to monitor, block, or modify network traffic on IPv4 and IPv6 communication protocol.

EDRSilencer is capable of detecting and blocking 16 EDR tools, including Microsoft Defender, FortiEDR, SentinelOne, and many others.

This is not the first time legitimate pentesting tools are being used for nefarious purposes. Perhaps the best example of such practice is Cobalt Strike, a tool that is now generally considered malware, despite its original design being considered benign.

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.