Threat actors are now leveraging the open-source EDRSilencer tool to undermine endpoint detection and response (EDR) solutions, a trend highlighted by Trend Micro’s recent findings. This tool, which is modeled after MDSec’s NightHawk FireBlock, is engineered to obstruct the outbound traffic of EDR processes via the Windows Filtering Platform (WFP).
EDRSilencer targets various popular EDR products, including those from Microsoft, Qualys, and SentinelOne, effectively terminating their processes to enhance malware stealth. By employing this tool, attackers aim to render EDR systems ineffective, complicating the identification and eradication of malicious software.
The mechanism is straightforward: EDRSilencer scans for running EDR processes and adds persistent WFP filters that block their communications, for both IPv4 and IPv6. Running the command “EDRSilencer.exe blockedr” prevents those processes from sending telemetry, allowing malware to operate undetected.
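A defender-side check for the filters described above, added here as an example and not code from the article or from Trend Micro: it parses a WFP filter export and flags persistent block filters on the IPv4/IPv6 outbound-connect layers whose application-ID condition names a known EDR binary. The XML layout mirrors that of a `netsh wfp show filters` export (filters.xml) as I understand it, the sample is constructed, and the EDR process-name list is an assumption to extend for your own estate.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Outbound-connect layers where app-scoped block filters cut off EDR telemetry (IPv4 and IPv6).
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# EDR agent binaries to watch (assumption: a starter list, extend for your environment).
EDR_BINARIES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe", "qualysagent.exe"}

# Constructed sample in the (assumed) layout of a `netsh wfp show filters` export, trimmed.
SAMPLE_FILTERS_XML = r"""<wfpdiag><filters>
<item><filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
 <displayData><name>Custom Outbound Filter</name></displayData>
 <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString>
 </byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
<item><filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
 <displayData><name>Custom Outbound Filter</name></displayData>
 <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
 <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\program files\sentinelone\sentinelagent.exe</asString>
 </byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
<item><filterKey>{00000000-0000-0000-0000-000000000003}</filterKey>
 <displayData><name>Block chat app</name></displayData><flags/>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><byteBlob>
  <asString>\device\harddiskvolume3\users\alice\chat.exe</asString>
 </byteBlob></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action></item>
</filters></wfpdiag>"""


def find_edr_block_filters(xml_text: str, edr_binaries=EDR_BINARIES) -> List[Dict[str, object]]:
    """Return block filters on the connect layers whose app-id condition names an EDR binary."""
    hits: List[Dict[str, object]] = []
    for flt in ET.fromstring(xml_text).findall("filters/item"):
        layer = flt.findtext("layerKey", "")
        if layer not in CONNECT_LAYERS or flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # only outbound-connect block filters are of interest
        persistent = any(f.text == "FWPM_FILTER_FLAG_PERSISTENT" for f in flt.findall("flags/item"))
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext("conditionValue/byteBlob/asString") or "").strip().lower()
            if app.rsplit("\\", 1)[-1] in edr_binaries:  # match on the executable name only
                hits.append({"filter_key": flt.findtext("filterKey"), "name": flt.findtext("displayData/name"),
                             "layer": layer, "app": app, "persistent": persistent})
    return hits
```

A persistent block filter scoped to an EDR agent's executable is rarely legitimate, so each hit is worth correlating with the process that created it and with any gap in that host's EDR telemetry.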
This development underscores a broader trend among ransomware groups, who are increasingly using advanced tools designed to disable security measures. Other notorious tools like AuKill and EDRKillShifter have also gained traction, targeting vulnerable drivers to escalate privileges and terminate security processes.