Windows Incident Response: EDRSilencer

Going unnoticed on an endpoint when we believe or feel that EDR is prevalent can be a challenge, and this could be the reason why these discussions have taken hold.
If you look at other aspects of EDR and SOC operations, there are plenty of opportunities using minimal/native tools to achieve the same effect; to have your actions not generate alerts that a SOC analyst investigates.
Situational AwarenessNot all threat actors have the same level of situational awareness.
I've seen threat actors where EDR has blocked their process from executing, and they respond by attempting to uninstall AV that isn't installed on the endpoint.
Yep, that's right...this was not preceded by a query attempting to determine which AV product was installed; rather, the threat actor when right to uninstalling ESET. In another instance, the threat actor attempted to uninstall Carbon Black; the monitored endpoint was running .
Again, no attempt was made to determine what was installed.
I did see one instance where the threat actor, before doing anything else or being blocked/inhibited, ran queries looking for running on 15 other endpoints.
From our dashboard, we knew that only 4 of those endpoints had running; the threat actor moved to one of the 11 that didn't.
I remember an organization several years ago that was impacted by a breach, and after discovering the breach, installed EDR on only about 200 endpoints, out of almost 15,000.
See p1k4chu's write up here; EDRSilencer works by creating a WFP rule to block the EDR EXE from communicating off of the host, which, to be honest, is a great idea.
So there are LOT of reasons why an EDR agent may cease communicating.
In 2000, I worked for an organization that had a rule that would detect significant time changes on all of their Windows endpoints.
The senior sysadmin and IT director would not do anything about the rules, and simply accepted that twice a year, we'd be inundated with these alerts for every endpoint.
My point is that when you're talking about global/international infrastructures, or MDRs, having a means of detecting when an agent is not communicating is a tough nut to crack; do it wrong and don't plan well for edge cases, and you're going to crush your SOC. If you read the EDRSilencer Github page and p1k4chu's write-up closely, you'll see that EDRSilencer uses a hard-coded list of EDR executables, which doesn't include all possible EDR tools.
P1k4chu's write up provides some excellent insights as to how to detect the use of EDRSilencer, even pointing out specific audit configuration changes to ensure that the appropriate events are written to the Security Event Log.
Once the change is made, the two main events of interest are Security-Auditing/5441 and Security-Auditing/5157.
P1k4chu's write-up also includes a Yara rule to detect the EDRSilencer executable, which is based in part on a list of the hard-coded EDR tools.
EDRNoiseMaker detects the use of EDRSilencer, by looking for filters blocking those communications.
The difference is that rather than blocking by executable, you need to know to where the communications are going, and add an entry so that the returned IP address is localhost.
I thought Dray's suggestion was both funny and timely; I used to do this for/to my daughter's computer when she was younger...I'd modify her hosts file right around 10pm, so that her favorites sites resolved to localhost, but other sites, like Google, were still accessible.


This Cyber News was published on windowsir.blogspot.com. Publication date: Mon, 15 Jan 2024 18:13:04 +0000


Cyber News related to Windows Incident Response: EDRSilencer

Incident Response Plan: How to Build, Examples, Template - A strong incident response plan - guidance that dictates what to do in the event of a security incident - is vital to ensure organizations can recover from an attack or other cybersecurity event and minimize potential disruption to company ...
10 months ago Techtarget.com
What is digital forensics and incident response? - Digital forensics and incident response is a combined set of cybersecurity operations that incident response teams use to detect, investigate and respond to cybersecurity events. As the acronym implies, DFIR integrates digital forensics and incident ...
10 months ago Techtarget.com
How to Conduct Incident Response Tabletop Exercises - An incident response tabletop exercise is an activity that involves testing the processes outlined in an incident response plan. Attack simulations are run to ensure incident response team members know their roles and responsibilities - and whether ...
11 months ago Techtarget.com
New Microsoft Incident Response team guide shares best practices for security teams and leaders - The incident response process can be a maze that security professionals must quickly learn to navigate-which is no easy task. Surprisingly, many organizations still lack a coordinated incident response plan, and even fewer consistently apply it. ...
1 year ago Microsoft.com
Windows Incident Response: EDRSilencer - Going unnoticed on an endpoint when we believe or feel that EDR is prevalent can be a challenge, and this could be the reason why these discussions have taken hold. If you look at other aspects of EDR and SOC operations, there are plenty of ...
11 months ago Windowsir.blogspot.com
4 key steps to building an incident response plan - In this Help Net Security interview, Mike Toole, head of security and IT at Blumira, discusses the components of an effective security incident response strategy and how they work together to ensure organizations can address cybersecurity issues. An ...
5 months ago Helpnetsecurity.com
How to build a cyber incident response team - As an incident response manager himself, Valentin regularly coordinates security responses for companies of all shapes and sizes - including many of the examples discussed in this post. He explains everything you need to know about building and ...
1 year ago Heimdalsecurity.com
How to create an incident response playbook - Creating and maintaining an incident response playbook can significantly improve the speed and effectiveness of your organization's incident response. To help, here's a crash course on what incident response playbooks are, why they are important, how ...
11 months ago Techtarget.com
A Heimdal MXDR Expert on Incident Response Best Practices and Myth Busting - I got to talk to Dragoș Roșioru, a seasoned MXDR expert, about incident response best practices and challenges. Get an in-depth understanding of the do's and don'ts in incident response as Dragoș explains how to avoid the most common mistakes ...
11 months ago Heimdalsecurity.com
Continuity in Chaos: Applying Time-Tested Incident Response to Modern Cybersecurity - Incident response is foundational to every security program, yet many companies still struggle with adoption and testing. He enumerated the top challenges of incident response at the time which were 1) Increasing complexity and sophistication of ...
11 months ago Securityweek.com
Important details about CIRCIA ransomware reporting - This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments. Ransomware attacks have become ...
6 months ago Securityintelligence.com
The Importance of Incident Response for SaaS - The importance of a thorough incident response strategy cannot be understated as organizations prepare to identify, investigate, and resolve threats as effectively as possible. Most security veterans are already well aware of this fact, and their ...
1 year ago Securityboulevard.com
Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines - Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules. The U.S. Securities and Exchange Commission’s new rules around ...
1 year ago Techrepublic.com
Free & Downloadable Cybersecurity Incident Response Plan Templates - An effective cybersecurity incident response plan can be the difference between a minor disruption and a major crisis. This article provides you with comprehensive IRP templates in PDF, Word, and Google Docs formats to ensure your organization can ...
10 months ago Heimdalsecurity.com
CISA, FBI and EPA Release Incident Response Guide for Water and Wastewater Systems Sector - With WWS Sector contributions, guide provides recommended actions and available resources throughout cyber incident response lifecycle. WASHINGTON - The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and ...
11 months ago Cisa.gov
Data Breach Response: A Step-by-Step Guide - In today's interconnected world, organizations must be prepared to respond swiftly and effectively in the face of a data breach. To navigate these challenges, a well-defined and comprehensive data breach response plan is essential. Let's explore the ...
10 months ago Securityzap.com
Effective Incident Response Relies on Internal and External Partnerships - Enterprise security teams are increasingly collaborating with members of other internal business functions and with external partners when responding to a security incident, according to a Dark Reading Research report on incident response. Security ...
11 months ago Darkreading.com
If you prepare, a data security incident will not cause an existential crisis - This happens when there's a lack of preparation, but we can all choose to take actionable steps to turn down the temperature during incident response and help others and ourselves re-frame the issue. Those who have built trusted internal and external ...
11 months ago Helpnetsecurity.com
What's the Best Way to Communicate After a Data Breach? - Ashley Sawatsky, Senior Incident Response Advocate, Rootly: No matter how well-prepared you are, experiencing a security breach is a massive challenge for organizations of any size. No matter what method you choose to share news - be it social media, ...
1 year ago Darkreading.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Understanding the New SEC Rules for Disclosing Cybersecurity Incidents - The U.S. Securities and Exchange Commission recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. "Currently, many public companies provide cybersecurity disclosure ...
1 year ago Feeds.dzone.com
Protecting credentials against social engineering: Cyberattack Series - Our story begins with a customer whose help desk unwittingly assisted a threat actor posing as a credentialed employee. In this fourth report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a ...
1 year ago Microsoft.com
Manatee Memorial Hospital reporting ransomware attack, patient info affected - Manatee Memorial Hospital has announced that there has been a ransomware incident involving potentially impacted health information, but the information does not appear to have been misused. ESO, which is a third party vendor the hospital utilizes, ...
1 year ago Mysuncoast.com
Cloudflare Incident on January 24th, 2023 - An Overview - On January 24th, 2023, Cloudflare experienced an incident that impacted its customers globally. In this article, we will provide an overview analysis of the incident, its impacts on SEO, security, threats, etc. ...
1 year ago Blog.cloudflare.com
Pentest People Announces its Assured Service Provider status for NCSC's Cyber Incident Exercising Scheme - Pentest People, the Penetration Testing as a Service and cybersecurity experts, today announces it has become one of only a few companies in the UK to be an Assured Service Provider in the recently launched National Cyber Security Centre Cyber ...
9 months ago Itsecurityguru.org

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)