Silencing Modern EDRs: A Deep Dive into EDR Deployment, Telemetry Blocking, and Detection Strategies
Exploring the Impact and Detection of EDR Tampering in Virtual Environments
In the dynamic realm of cybersecurity, deploying cloud-based Endpoint Detection and Response (EDR) systems like Kaspersky, Bitdefender, or Elastic on machines has become a standard practice for robust network defense. However, an emerging trend is the use of tools like EDRSilencer to block telemetry data of these EDRs. This blog post explores the deployment of cloud-based EDRs, the role of EDRSilencer, its implications, and the detection of such practices using tools like EDRNoiseMaker.
Deploying a cloud-based EDR solution is the first step in bolstering your network's security. Installed on virtual machines, these EDR systems provide real-time monitoring, threat detection, and response capabilities. The choice between solutions like Kaspersky, Bitdefender, and Elastic depends on organizational needs and the specific security features each offers. In this article we deploy Kaspersky Cloud EDR on a virtual platform, walk through how the EDRSilencer tool obstructs its telemetry transmission, and then show how EDRNoiseMaker is used to re-enable that telemetry. This structured approach gives a clear picture of how these two tools operate and interact.
EDRSilencer Tool is a C/C++ program that is designed for managing Windows Filtering Platform (WFP) filters. WFP is a network packet filtering technology in Windows that allows you to filter and control network traffic at the packet level. The program focuses on blocking network traffic generated by specific Endpoint Detection and Response (EDR) security software and other security-related processes.
EDRSilencer is used to block the telemetry of EDR solutions. Telemetry, which includes logs, system metrics, and operational data, is what allows an EDR to function effectively. There can be scenarios where blocking this telemetry is desired, either for privacy reasons or to prevent excessive data transmission. EDRSilencer intervenes in this process, and because a detection that is never reported cannot be acted on, it can in effect whitelist certain executables, even ones the agent has detected as malicious.
An example of a tool similar to EDRSilencer is found in the GitHub repository "mhydeath". This tool represents a more advanced approach to EDR manipulation, showcasing the sophisticated methods that can be employed to silence or disrupt EDR functionalities. However, it's crucial to note the ethical and legal implications of using such tools.
The purpose of EDRNoiseMaker is to identify tools that silence or inhibit an Endpoint Detection and Response (EDR) system, such as EDRSilencer and FireBlock. EDRNoiseMaker works by examining a list of executable files that may have been muted or restricted using the Windows Filtering Platform (WFP). This directly answers the tactic used by EDRSilencer and FireBlock, which attack and potentially disable EDR systems through WFP filters. EDRNoiseMaker's detection method is focused on ensuring that EDR systems keep their operational integrity and are not compromised by these silencing tools.
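The detection idea described above, as an added example that is not EDRNoiseMaker's own code: parse the filter list that `netsh wfp show filters` exports and flag any BLOCK filter keyed on a specific executable at an outbound-connect layer, then compare the affected binaries against a watch list of your EDR's executables. The XML sample is constructed, its element names are an assumption about the netsh export format, and `edr-agent.exe` is a placeholder, not a real product binary.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the XML that `netsh wfp show filters` writes.
# Element names (layerKey, action/type, filterCondition/item, conditionValue/
# byteBlob/asString) are an assumption about that format; the path is a placeholder.
SAMPLE_FILTERS_XML = """<wfpdiag><filters>
  <item>
    <displayData><name>Custom Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob><asString>\\device\\harddiskvolume2\\program files\\example edr\\edr-agent.exe</asString></byteBlob></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <displayData><name>Core Networking - Permit</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob><asString>\\device\\harddiskvolume2\\windows\\system32\\svchost.exe</asString></byteBlob></conditionValue>
    </item></filterCondition>
  </item>
</filters></wfpdiag>"""

# Layers where a per-application BLOCK filter stops outbound connections.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

def find_blocked_apps(xml_text):
    """Return (filter name, layer, executable path) for each BLOCK filter
    keyed on a specific executable at an outbound-connect layer."""
    hits = []
    for flt in ET.fromstring(xml_text).findall("filters/item"):
        layer = flt.findtext("layerKey")
        if layer not in OUTBOUND_LAYERS or flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID":
                path = (cond.findtext("conditionValue/byteBlob/asString") or "").strip().lower()
                hits.append((flt.findtext("displayData/name"), layer, path))
    return hits

def silenced_edr_binaries(xml_text, watched):
    """Names from `watched` (executable basenames) that have an outbound BLOCK filter."""
    names = {path.rsplit("\\", 1)[-1] for _, _, path in find_blocked_apps(xml_text)}
    return sorted(names & {w.lower() for w in watched})

if __name__ == "__main__":
    print("silenced:", silenced_edr_binaries(SAMPLE_FILTERS_XML, {"edr-agent.exe"}))
```

On a real host, feed the function the file written by `netsh wfp show filters` and a watch list of the EDR vendor's agent executables; any hit is a candidate for the filter removal that EDRNoiseMaker performs.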
In this walkthrough we have seen how EDRSilencer and EDRNoiseMaker interact in the context of Kaspersky's telemetry. First, we applied EDRSilencer, a tool built to curtail Kaspersky's telemetry functions. Using the Windows Filtering Platform (WFP), it effectively muted the outbound communication of the EDR, a clear demonstration of how such silencing works.
Then EDRNoiseMaker, designed to counteract tools like EDRSilencer, undid the silencing. By scanning for executables that EDRSilencer had muted, EDRNoiseMaker not only identified the affected components but also restored Kaspersky's normal telemetry operations. This restoration shows EDRNoiseMaker's role in safeguarding the integrity of EDR systems against silencing attempts.
Through this exploration we have seen how attacker and defender tooling continuously evolve and counterbalance each other. The post underscores the importance of understanding and responsibly managing such powerful tools in the cybersecurity landscape.
Remember, the world of cybersecurity is ever-evolving, and staying informed is key to maintaining robust defenses against emerging threats.