Mehmet Ergene

EDR Silencer and Beyond: Exploring Methods to Block EDR Communication - Part 2

Attackers continuously innovate new ways to bypass security measures. Recently, a new technique called EDR Silencer has gained attention for its ability to disable EDR solutions. The method works by leveraging Windows Firewall rules to block EDR agents' communication with their management centers, effectively cutting off telemetry so that no events or alerts are generated on the management console.

While EDR Silencer uses the Windows Filtering Platform (WFP) to achieve its goal, this blog will highlight alternative methods attackers can use to block EDR communication, emphasizing the need for awareness and proactive defense. While discussing this with Fabian Bader, we came up with a few alternative methods. This "Part 2" blog is the continuation of Fabian Bader's Part 1 blog, where he explains NRPT.

Alternative Methods to Block EDR Communication

Modifying the Hosts File

Attackers can manipulate the Windows hosts file to block or redirect EDR domains to non-functional addresses (commonly referred to as "sinkholing"). With administrative privileges, this can be achieved easily using PowerShell commands. For example:

Modifying the hosts.ics File

You might be wondering what this file is. Well, Adam (@hexacorn.bsky.social) notified me about it. Apparently, it has the same functionality as the hosts file. You can read Adam's post here. So, attackers can manipulate the hosts.ics file in the same way as the hosts file.
By associating critical EDR communication domains with 127.0.0.1 or other invalid addresses, attackers effectively cut off communication between the endpoint and the EDR management center.

Adding Custom Routes

Another straightforward approach is to add custom routes to the Windows routing table. By directing traffic intended for EDR management servers to an unreachable or sinkhole address, attackers can prevent telemetry from reaching its destination. This can be accomplished via PowerShell or the command prompt:

Attack Feasibility

EDR solutions often rely on well-documented subnets and domains for connectivity, making it easier for attackers to target them. Combined with the accessibility of built-in Windows tools like PowerShell, these methods require minimal effort to execute.

Mitigation Strategies

While mitigating these attacks is challenging, the following approaches can help reduce their impact:

Zero Trust DNS (In Private Preview)

The Zero Trust DNS model, currently in private preview, has the potential to mitigate DNS-related attack vectors such as those involving the hosts file and NRPT. This approach enforces strict DNS resolution policies and prevents unauthorized tampering.

Zero Trust IP Stack

Of course, there is no such thing. Just as an idea, EDR agents may ignore custom routes and use the default gateway on the device. I don't know if this is even technically possible.

Detection Strategies

Detecting these methods poses significant challenges because once telemetry flow is blocked, the EDR solution itself is effectively blind. However, alternative log sources can help identify potential issues. For example, if a device is generating logs in the Web proxy but no EDR telemetry is coming from the device, it may indicate an EDR bypass or connectivity issue.
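One way to implement that cross-check, as an added example that is not from the post: a small Python script correlates constructed proxy log lines with a constructed EDR console last-seen export and flags hosts that the proxy shows as active while the EDR backend has not heard from them (neither a console heartbeat nor a proxy connection to the EDR domain) within the same window. The log formats, the hostnames and the EDR backend name edr-telemetry.example.com are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample proxy access log (not from the post): "<timestamp> <client host> <destination>".
PROXY_LOG = """\
2024-05-01T10:00:05Z WS-0123 login.microsoftonline.com
2024-05-01T10:03:12Z WS-0123 edr-telemetry.example.com
2024-05-01T10:05:40Z WS-0456 www.example.org
2024-05-01T10:06:02Z WS-0456 update.example.net
2024-05-01T10:07:20Z WS-0789 edr-telemetry.example.com
"""
# Constructed "last seen" export from the EDR console: "<host> <timestamp>".
EDR_LAST_SEEN = """\
WS-0123 2024-05-01T10:03:10Z
WS-0456 2024-05-01T08:30:00Z
WS-0789 2024-05-01T10:07:18Z
"""
EDR_DOMAIN = "edr-telemetry.example.com"  # hypothetical EDR backend hostname


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_silenced_hosts(proxy_log, edr_last_seen, edr_domain, now,
                        max_silence=timedelta(minutes=30)):
    """Map host -> reason for hosts the proxy shows as active within max_silence
    of `now` that have neither an EDR console heartbeat nor a proxy connection
    to edr_domain in that same window (EDR silenced, or a connectivity issue)."""
    cutoff = now - max_silence
    last_proxy, last_edr_conn, last_heartbeat = {}, {}, {}
    for line in proxy_log.splitlines():
        ts, host, dest = line.split()
        t = parse_ts(ts)
        last_proxy[host] = max(last_proxy.get(host, t), t)
        if dest == edr_domain:
            last_edr_conn[host] = max(last_edr_conn.get(host, t), t)
    for line in edr_last_seen.splitlines():
        host, ts = line.split()
        last_heartbeat[host] = parse_ts(ts)
    findings = {}
    for host, seen in last_proxy.items():
        if seen < cutoff:
            continue  # host was not on the network in the window; nothing to compare
        hb = last_heartbeat.get(host)
        heartbeat_ok = hb is not None and hb >= cutoff
        proxy_ok = host in last_edr_conn and last_edr_conn[host] >= cutoff
        if not (heartbeat_ok or proxy_ok):
            findings[host] = (f"active via proxy at {seen.isoformat()}Z, last EDR "
                              f"heartbeat {hb.isoformat() + 'Z' if hb else 'never'}")
    return findings
```

A host that appears in the proxy log with no console record at all is reported with heartbeat "never", which covers agents that were silenced before their first check-in.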

Final Thoughts

EDR silencing techniques, including the newly identified EDR Silencer method, represent a growing threat to endpoint security. While WFP-based attacks are a concern, attackers can leverage multiple alternative methods to achieve the same outcome. Awareness of these techniques is the first step in defending against them.

As defenders, focusing on detection through alternative telemetry sources and hardening configurations with features like Zero Trust DNS will be critical in staying ahead of these evolving tactics. It's a constant race, but by understanding these methods, organizations/vendors can better prepare for and mitigate the risks posed by EDR silencing attacks.