· Threat Hunting Team · Ananta Security Labs  · 3 min read

The Rise of EDR Silencers – A Growing Cybersecurity Threat

A new method to evade EDR detection and remain undetected.

A new method to evade EDR detection and remain undetected.

Attackers are constantly refining their techniques to bypass cybersecurity systems. One of the latest methods they employ is the EDR Silencer, a tool designed to block the transmission of telemetry and alerts to Endpoint Detection and Response (EDR) platforms. This allows them to operate stealthily while avoiding detection by SOC analysts.

What is an EDR Silencer?

An EDR Silencer is a specialized tool used by attackers to evade EDR detection. It prevents telemetry and alerts from reaching EDR detection platforms, enabling malicious activities to continue undetected.

Prerequisites for Using an EDR Silencer

The use of an EDR Silencer is not accessible to just any attacker. It requires:

  1. Gaining control over a Windows machine – The attacker must have successfully executed their malicious code on the target machine.

  2. Administrator privileges – Without elevated privileges, modifying network filtering rules and blocking the EDR agent’s communications is impossible.

Windows Filtering Platform (WFP)

The EDR Silencer exploits a built-in Windows feature: Windows Filtering Platform (WFP). WFP is a set of APIs and system services that allow applications to create network filtering rules. Its primary function is to permit or block traffic based on predefined rules set by administrators or security software.

Attackers misuse this technology by injecting rules that block EDR agent communications with its telemetry server.

Limitations of EDR Silencers

It is important to note that using an EDR Silencer does not allow attackers to fully disable a robust EDR solution. Here’s what they can and cannot do:

✅ What an EDR Silencer can do:

  • Prevent the EDR from sending events and alerts to the cloud platform.
  • Conceal malicious activities from SOC analysts.

❌ What it cannot do:

  • Bypass self-protection mechanisms of a strong EDR.
  • Disable in-memory EDR protections.
  • Prevent the local blocking of malicious activities.

In other words, if a well-designed EDR blocks the execution of malicious code, the attacker remains trapped, even if alert transmission is blocked.

How to Detect an EDR Silencer?

An EDR Silencer operates by injecting specific network filtering rules that block EDR agent communications with its telemetry server.

Testing EDR Silencer Detection

At Ananta, we have developed a Proof of Concept (PoC) of an EDR Silencer in Rust, available here. This PoC allows cybersecurity researchers and professionals to test EDR solutions’ detection capabilities against this type of threat.

Our goal is to help organizations strengthen their detection and response mechanisms against such attacks.

Built-in Protection in Ananta EDR

The Ananta EDR agent includes advanced detection capabilities for EDR Silencers. This protection works by continuously monitoring:

  • WFP API
  • Windows Firewall

This ensures that any malicious network blocking attempt is detected, suspicious rules are removed, and an alert is raised on the platform.

This approach guarantees that the EDR agent cannot be blinded by an attacker trying to hide their actions.

Key Takeaways

EDR Silencers pose a real threat to cybersecurity by allowing attackers to hide their activities. However, these tools are not infallible, and a robust EDR can detect and neutralize such sabotage attempts.

At Ananta, we provide tools that not only test EDR resilience against this attack but also ensure effective protection for all your machines.

To learn more about our solution or to get support in testing our PoC, contact us today.

Share:
Back to Blog

Related Posts

View All Posts »