TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Silencing the EDR Silencers | Huntress

2024-11-18

ATT&CK techniques detected

5 predictions
T1685 Disable or Modify Tools · 95%
"Silencing the EDR Silencers | Huntress. As many security practitioners know, tampering with endpoint detection and response (EDR) products is a deep desire for threat actors and red teamers alike. I spoke about this briefly at BlackHat this year in my “EDR Blinded, Now What?” …"

T1686.003 Windows Host Firewall · 71%
"… which processes are targeted by these firewall rules, so as long as an attacker has local administrator rights they can successfully add an EDR agent into the firewall rule and block network connections. Most people have probably seen the following page as it relates to the Windo…"

T1686.003 Windows Host Firewall · 53%
"… this attack. Blocking mechanisms: while we discuss the various ways one might block an application's network communications, two ways really come to mind that are the most prevalent today: creating Windows Defender Firewall with Advanced Security rules, and creating Windows Filteri…"

T1112 Modify Registry · 45%
"… remove them in a way so that the filtering engine refreshes after the removal. You could delete the registry key, but then you’d have to reboot the machine. Obviously, this approach isn’t an appropriate option, as products want to do modifications during runtime. There are so…"

T1686 Disable or Modify System Firewall · 33%
"… which processes are targeted by these firewall rules, so as long as an attacker has local administrator rights they can successfully add an EDR agent into the firewall rule and block network connections. Most people have probably seen the following page as it relates to the Windo…"

Summary

Discover how adversaries are using tools like EDRSilencer to tamper with EDR communications and learn how you can fight back.