Attackers also use EDRSilencer to evade detection

WFP is a set of Windows APIs and services that developers can use to interact with network packet processing deep within the Windows network stack. This powerful capability is commonly used by firewalls and other security products to monitor, block or modify network packets based on IP addresses, ports, the originating process and other criteria. The same capability lets an attacker with administrative privileges add filters of their own.

EDRSilencer creates WFP filters that block outbound traffic from the processes of popular EDR tools, so the agent keeps running but can no longer report telemetry or alerts to its management console. Agents supported by default include Microsoft Defender for Endpoint and Microsoft Defender Antivirus, Elastic EDR, Trellix EDR, Qualys EDR, SentinelOne, Cylance, Cybereason, Carbon Black EDR, Carbon Black Cloud, Tanium, Palo Alto Networks Traps/Cortex XDR, FortiEDR, Cisco Secure Endpoint (formerly Cisco AMP), ESET Inspect, Harfanglab EDR and Trend Micro Apex One.

If the EDR agent installed on the system is not on this list and is not recognized by default, the user can instead pass the full path of the process whose communication should be blocked. So, in theory, the tool can block outbound network traffic from any process, not just EDR agents.
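Because EDRSilencer works by adding WFP filters rather than ordinary Windows Firewall rules, the filters do not appear in Get-NetFirewallRule or the firewall UI; the live filter set has to be dumped with netsh and inspected. The following PowerShell is an added example written for this page, not code from the original article or from the EDRSilencer project. It dumps the WFP filters to XML, then lists every filter whose action is a block and whose condition keys on an application ID (the process path), which is the pattern a tool like this leaves behind. The element names used to walk the dump (wfpdiag, filters, item, displayData, layerKey, action, filterCondition, conditionValue, byteBlob, asString) are taken from the structure of the netsh wfp dump as I understand it and should be treated as an assumption to confirm against your own dump; the path to the dump file and the list of vendor directories to highlight are arbitrary choices for the example.

```powershell
# Added example: hunt for WFP block filters keyed on a process path.
# Run from an elevated PowerShell session; netsh wfp needs administrative rights.

# Assumption: dump location is arbitrary; netsh writes the filter set as XML.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
if (-not (Test-Path $dump)) { throw "WFP dump was not written to $dump" }

[xml]$wfp = Get-Content -Path $dump -Raw

# Assumption: directory fragments that usually belong to EDR agents. Any hit
# is worth a look, but a block filter on one of these is a strong signal.
$edrHints = @('windows defender', 'sentinel', 'crowdstrike', 'carbon black',
              'cylance', 'cybereason', 'tanium', 'elastic', 'trellix',
              'qualys', 'fortinet', 'cisco', 'eset', 'harfanglab',
              'palo alto', 'trend micro')

$findings = foreach ($filter in $wfp.wfpdiag.filters.item) {
    # Only block actions matter here; permit/callout filters are normal.
    if ($filter.action.type -ne 'FWP_ACTION_BLOCK') { continue }

    foreach ($cond in $filter.filterCondition.item) {
        # FWPM_CONDITION_ALE_APP_ID matches on the executable's NT device path,
        # e.g. \device\harddiskvolume3\program files\...\agent.exe
        if ($cond.fieldKey -ne 'FWPM_CONDITION_ALE_APP_ID') { continue }

        $appPath = [string]$cond.conditionValue.byteBlob.asString
        $lower   = $appPath.ToLowerInvariant()
        $looksLikeEdr = ($edrHints | Where-Object { $lower -like "*$_*" }).Count -gt 0

        [pscustomobject]@{
            FilterId   = $filter.filterId
            Name       = $filter.displayData.name
            Layer      = $filter.layerKey        # EDR-silencing filters sit on ALE_AUTH_CONNECT_V4/V6
            AppPath    = $appPath
            LikelyEdr  = $looksLikeEdr
        }
    }
}

if (-not $findings) {
    'No WFP block filters keyed on an application path were found.'
} else {
    $findings | Sort-Object LikelyEdr -Descending | Format-Table -AutoSize
}
```

Review every hit, not only those flagged LikelyEdr: a block filter on an arbitrary executable is exactly what the custom-path option of the tool produces. Note that the dump reflects the current filter set only, so run the check again after a reboot to distinguish a persistent filter from a transient one, and preserve the XML as evidence before making changes. Removing a filter needs the WFP API (for example FwpmFilterDeleteById0 from fwpuclnt.dll) or a tool that wraps it; netsh can show filters but does not delete them.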