HomeVulnerabilityAttackers repurpose EDRSilencer to evade detection

Attackers repurpose EDRSilencer to evade detection

WFP is a set of Home windows APIs and providers that builders can use to work together with the community packet processing deep contained in the Home windows networking stack. This highly effective functionality is often leveraged by firewalls and different security purposes to watch, block or modify community packets based mostly on IP addresses, ports, originating processes and so forth.

EDRSilencer creates WFP filters that concentrate on processes related to well-liked EDR instruments. Brokers supported by default embrace Microsoft Defender for Endpoint and Microsoft Defender Antivirus, Elastic EDR, Trellix EDR, Qualys EDR, SentinelOne, Cylance, Cybereason, Carbon Black EDR, Carbon Black Cloud, Tanium, Palo Alto Networks Traps/Cortex XDR, FortiEDR, Cisco Safe Endpoint (Previously Cisco AMP), ESET Examine, Harfanglab EDR and TrendMicro Apex One.

If the EDR agent put in on a system is just not one from this listing and isn’t routinely acknowledged, the person can move a full path to the method they need to have its community communication blocked. So, in concept, it might block community site visitors for any packages, not simply EDR brokers.

See also  Important ServiceNow RCE flaws actively exploited to steal credentials
- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular