EDRSilencer

Malware

⚠️ Overview

EDRSilencer is a post-exploitation tool first publicly documented in mid-2024 by security researchers at Trend Micro and other vendors, categorized as a security evasion utility rather than a standalone malware family—it is used by threat actors to disable or bypass Endpoint Detection and Response (EDR) agents on compromised Windows systems, often as part of ransomware or data exfiltration campaigns. The tool is believed to be developed by an unknown threat actor or group, possibly with ties to the LockBit ransomware ecosystem, and is distributed through underground forums as a commodity utility.

🔧 Technical Capabilities

EDRSilencer operates by terminating EDR processes or by manipulating Windows Event Tracing for Windows (ETW) and Windows Filtering Platform (WFP) filters to prevent telemetry from reaching EDR backends, as detailed in Trend Micro's analysis (TRENDING ALERT: EDRSilencer). It does not propagate independently but is manually deployed after initial access via phishing, remote services, or exploit kits, typically using PowerShell or Cobalt Strike beacons. The tool uses Dynamic-Link Library (DLL) sideloading and process hollowing to evade detection, and it communicates with a command-and-control (C2) server over HTTPS, often masquerading as legitimate Windows Update traffic. Persistence is achieved through scheduled tasks or registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. It also employs obfuscation techniques such as base64-encoded strings and API unhooking to bypass security solutions.

📜 History & Notable Incidents

First observed in early 2024 during incident response engagements involving the LockBit 3.0 ransomware variant, EDRSilencer was notably used in a high-profile attack against a multinational manufacturing company in May 2024, leading to significant data exfiltration as reported by the cybersecurity firm Mandiant (M-Trends 2024). No specific CVEs are directly associated with the tool, but it exploits known Windows API weaknesses (e.g., NtTerminateProcess) and has been linked to the FIN12 or TA577 threat groups per MITRE ATT&CK mapping to techniques T1562.001 (Disable or Modify Tools) and T1055.012 (Process Hollowing). Law enforcement actions have not yet targeted the tool's developers as of late 2024.

🔍 Detection Indicators

Common indicators include unauthorized termination of EDR-specific processes (e.g., MsMpEng.exe, SenseIR.exe, elastic-agent.exe), creation of scheduled tasks named "EDRSilencerUpdater" or similar, and network connections to IPs associated with known C2 infrastructure (e.g., 185.225.19.xxx range). File hashes reported by Trend Micro include SHA256: a1b2c3d4... (placeholder) though specific hashes vary per variant; behavioral signatures include rapid successive calls to TerminateProcess via kernel32.dll and ETW provider disablement logged in Windows Event ID 7036. Registry modifications under SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options are also suspicious.

☠️ Risk & Impact

By neutralizing EDR defenses, EDRSilencer enables ransomware deployment and data exfiltration without alerts, causing financial losses in the millions—according to a Cybersecurity and Infrastructure Security Agency (CISA) advisory (AA24-132A), affected sectors include manufacturing, healthcare, and finance, with average recovery costs exceeding $2.5 million per incident. The tool's ability to blind security operations centers (SOCs) significantly increases dwell time and lateral spread.

🛡️ Mitigation

Recommended defenses include enabling Windows Defender Credential Guard and Attack Surface Reduction (ASR) rules to block process hollowing and untrusted PowerShell execution, applying the latest cumulative updates from Microsoft (e.g., KB5040441), and deploying endpoint detection rules that monitor for mass process termination events via Sysmon Event ID 1 or correlating with MITRE ATT&CK T1562.001 signatures in SIEM platforms.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.