Article

Red Team Tool Used to Disrupt Endpoint Security Solutions

Researchers recently observed the red-team tool EDRSilencer being used by criminals in cyberattacks. EDRSilencer is an open-source tool designed for penetration testing that can detect Endpoint Detection and Response (EDR) processes and monitor, modify, or block their outbound network communications. However, because of this ability to block detections from EDR processes, threat actors can use the tool to prevent EDR products from sending alerts to cybersecurity teams when malware is installed.

What’s Notable and Unique

EDRSilencer represents a new means of evading EDR detection by shutting down security communications, making it difficult to identify and remove any malware that may be present on a system.
EDRSilencer currently works on 16 different EDR tools, including SentinelOne, Microsoft Defender, Cylance, FortiEDR, and Carbon Black.
Although researchers did not name specific threat groups, threat actors have been observed using EDRSilencer in attacks to evade detection.

Analyst Comments

Red team tools are a key part of testing organizations’ security infrastructure, particularly by trying to poke holes in the cybersecurity’s defenses. However, these tools often become popular with cybercriminals as well, and EDRSilencer adds another program to the list of legitimate pen-testing tools abused by threat actors. Tools that have the ability to silence EDR processes demonstrate the importance of staying hands-on in endpoint detection. To prevent the malicious use of EDRSilencer, researchers recommend adding it as malware to be flagged by whatever EDR solution an organization is using. Additionally, cybersecurity teams should be on the lookout for any indications of changes in their EDR tool’s behavior, ensure they have multi-layered security controls, behavioral analysis, and anomaly detection, and apply the principle of the least privilege.