EDR Killers: Detect and Prevent With Managed Detection and Response

Red teams have used endpoint detection and response (EDR) killer tools for years. These tools allow teams to bypass endpoint security agents and expose vulnerabilities that pose a risk to all organizations.

To address this global concern about cybersecurity tool bypassing, including EDR, ForeNova, a global managed detection and response (MDR) provider, created NovaMDR. The NovaMDR service monitors several areas within the enterprise network, including the endpoint, to ensure hackers do not bypass the various control tools and propagate their attacks across their clients’ networks.

Are you concerned about EDR killers bypassing your security controls? The ForeNova team has an excellent demo of NovaMDR available today!

What are EDR Killers?

EDR killers have the sole purpose of impairing cybersecurity tools to allow for further attack propagation into their victim’s networks.

Like other cybersecurity tools, including firewalls, VPNs, wireless, and host-based IPS, EDR tools have known vulnerabilities. Software developers issue emergency patches to remediate these vulnerabilities outside regular maintenance release windows.

Hackers obtain EDR killers from the dark web and other sources and leverage these tools to find and exploit such vulnerabilities. Bypassing EDR with these rogue tools happens at the host level, at the kernel level, and within file directories.

Once the EDR defensive tools become disabled, hackers access critical parts of their victim’s network, including data.

The Black Market for EDR Evasion Tools

Hackers continue to gain access to existing EDR killer tools or develop their own. Building their own EDR bypass tools commonly relies on the "Bring Your Own Vulnerable Driver" (BYOVD) attack method.

Here are some examples of known EDR killers found on the dark web and open marketplaces:

KernelMode

KernelMode is a typical red team utility used to test several EDR solutions, including Bitdefender, CrowdStrike, and Cylance. The tool doesn't disable EDR; it simply demonstrates various vulnerabilities within the application's file and memory areas.

EDRSilencer

EDRSilencer focuses on blocking the EDR tool's ability to send valuable telemetry to the centralized management console. This attack vector abuses the Windows Filtering Platform (WFP) to block communication between the EDR client and the central management console, including any alerts.

EDRKillShifter

This crafty tool helps hackers stop the running EDR service, load malware files that include a rogue driver into memory, and drop a new .sys file into the \AppData\Local\Temp folder. The malware then restarts the EDR service together with the rogue .exe files.

Terminator

“Terminator employs BYOVD by loading vulnerable Zemana anti-malware drivers, allowing attackers to execute malicious code in kernel mode and terminate any system or user processes, including detection mechanisms.”

AuKill

Threat actors use the "AuKill" tool to turn off enterprise EDR defenses before deploying ransomware. The tool infiltrates systems using malicious device drivers, dropping similar .sys files to overwrite existing ones. AuKill effectively halts multiple EDR processes and prevents their restart.

MS4Killer

MS4Killer terminates kernel-level security products by exploiting a vulnerable driver. The global hacking group Embargo added features including endless scanning of processes and a hard-coded list of process names to kill within the binary.

Limitations of Relying Solely on EDR

Bypasses of EDR and other adaptive security controls happen. Regardless of vendor, every tool has vulnerabilities that are prone to exploitation. Preventing these exploits is nearly impossible because organizations depend heavily on the software provider to fix the problem.

For example, CrowdStrike released an untested update that caused a global shutdown of its Falcon agent. This lapse in QA control affected international firms, including Microsoft and Delta Air Lines.

Like other security tools, EDR processes a large volume of security telemetry daily. This processing feeds data-set analysis that helps clients defend against zero-day attacks. No security tool is 100% foolproof: false positives and false negatives exist even with tools based on artificial intelligence.

Hackers Executing Effective Kill Chains Against EDR

Because EDR killer tools are so easy to use, hackers continue to incorporate several of these utilities into a single kill chain.

Here is an example:

  • Identify application file vulnerabilities: KernelMode
  • Stop existing EDR services: Terminator and AuKill
  • Load a new payload into memory: EDRKillShifter
  • Block all telemetry from the EDR agent to the console: EDRSilencer

Security operations teams could also see the execution of denial-of-service (DoS) attacks against their border routers, an increase in AI-powered email phishing attacks, or brute force attacks against identity management systems, as part of the kill chain.

Preventing kill chains requires more than one adaptive security control. Continuous monitoring, complete visibility, and observability with automated incident response are essential to avoiding successful kill-chain attacks.

The Importance of a Layered Cybersecurity Approach

Attacks occur in various locations inside the network. Hackers continuously use automated penetration tools and techniques to scan their victims' networks, hosts, and devices for easily exploited vulnerabilities. Most of this scanning is fully automated, including the rogue scanning agents' ability to report any vulnerabilities open for future exploitation back to the hacker's command and control (C&C) servers.

Preventing an EDR bypass starts with layered defenses combined with continuous monitoring, automated incident response, and reporting. However, hackers will still use EDR killer tools to try to bypass these security controls. Other red team tools in the wild have also affected anti-virus, email security, and network detection and response (NDR).

Organizations migrating from a reactionary cyber-defensive mindset to a more proactive approach recognize the need to deploy several next-generation adaptive controls. These tools, including next-generation firewalls (NGFW), zero-trust architectures, SASE cloud with SD-WAN, MFA, EDR, NDR, and XDR tools, require a comprehensive security operations team, process, and easy-to-follow standard operating procedures.

As engineers take on more tools, the operations layer becomes more challenging. Organizations that invest minimal human capital, talent, training, and managed services experience more cybersecurity attacks and data losses.

Investing in talent combined with managed services helps organizations maximize their investments in these proactive security tools.

Continuous Monitoring and Threat-Hunting

Organizations that want to stay ahead of EDR kill chain attacks spend considerable capital on next-generation tools. These tools, combined with continuous monitoring, threat hunting, and threat modeling, help organizations become more proactive in their cybersecurity posture.

Leveraging managed service providers with threat-hunting and threat-modeling expertise is critical to dealing with EDR killers.

These services help organizations analyze EDR killer attacks to better prepare for future engagements. Threat hunting helps review possible future EDR vulnerabilities within the enterprise. This forward-thinking analysis helps organizations expedite patching and other remediation before the next EDR killer attack.

Threat modeling is also a critical service. This function focuses on the impact of an EDR killer attack. Organizations face vulnerability risk across their entire enterprise. Threat modeling helps determine which area of vulnerability has a financial and operational impact on the organization.

The output from threat modeling and threat hunting helps set priorities for continuous monitoring. While SecOps teams using a SIEM can monitor everything within the network, prioritizing which assets to protect is a critical step that fights alert fatigue even with AI tools enabled.

Managed providers like ForeNova work with their clients to help determine asset protection priorities and automated incident response requirements.

The Role of MDR in Detecting EDR Killers

MDR providers like ForeNova are critical in protecting clients from EDR killer attacks. Endpoint monitoring is one of the most valuable services within the NovaMDR solution offering and is essential in stopping attacks against these devices.

The NovaMDR service looks for endpoint agent services that are becoming unresponsive or are not sending updated telemetry promptly. The team at ForeNova also monitors several other areas within their clients' networks, looking for ransomware propagation that may have originated from an initial EDR killer attack.
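As an added illustration (not ForeNova's code or NovaMDR's detection logic) of the two signals this section and the kill chain above describe, a silent agent and an EDR service stop followed by a driver dropped into a user's Temp folder, here is a small Python triage routine run over constructed JSON-lines telemetry. The record layout, the service name edr-agent, the host names, and the six-minute heartbeat threshold are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample agent telemetry, one JSON record per line (not a real vendor format).
SAMPLE_LOG = r"""
{"ts": "2025-03-01T10:00:00", "host": "ws-01", "event": "heartbeat"}
{"ts": "2025-03-01T10:00:00", "host": "ws-02", "event": "heartbeat"}
{"ts": "2025-03-01T10:03:00", "host": "ws-02", "event": "service_stopped", "service": "edr-agent"}
{"ts": "2025-03-01T10:04:00", "host": "ws-02", "event": "driver_loaded", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.sys"}
{"ts": "2025-03-01T10:05:00", "host": "ws-01", "event": "heartbeat"}
{"ts": "2025-03-01T10:10:00", "host": "ws-01", "event": "heartbeat"}
"""
EDR_SERVICES = {"edr-agent"}          # hypothetical name of the protected agent service
HEARTBEAT_GAP = timedelta(minutes=6)  # agents are assumed to report every 5 minutes

def parse_log(text):
    """Parse JSON lines into event dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events

def silent_hosts(events, now, gap=HEARTBEAT_GAP):
    """Hosts whose newest heartbeat is older than the allowed gap (telemetry blocked or agent dead)."""
    last = {}
    for e in events:
        if e["event"] == "heartbeat":
            last[e["host"]] = max(last.get(e["host"], e["ts"]), e["ts"])
    return {h for h, ts in last.items() if now - ts > gap}

def tamper_indicators(events):
    """Per host: EDR service stops and drivers loaded from a user's Temp directory."""
    found = {}
    for e in events:
        hit = None
        if e["event"] == "service_stopped" and e.get("service") in EDR_SERVICES:
            hit = "edr_service_stopped"
        elif e["event"] == "driver_loaded" and "\\appdata\\local\\temp\\" in e.get("path", "").lower():
            hit = "driver_from_user_temp"
        if hit:
            found.setdefault(e["host"], []).append(hit)
    return found

def triage_log(text, now_iso):
    """Silent agent with tamper evidence -> 'high'; silent agent alone -> 'medium'."""
    events = parse_log(text)
    tamper = tamper_indicators(events)
    silent = silent_hosts(events, datetime.fromisoformat(now_iso))
    return {h: ("high" if h in tamper else "medium") for h in silent}
```

Run against the sample at 10:12, ws-02 is flagged high because its heartbeat stopped right after the service stop and the Temp-folder driver load, while ws-01 is still reporting on time.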

ForeNova's security engineers can quickly respond to an EDR killer event and other cyberattacks using continuous monitoring and threat analysis. Their extensive observability of their clients' environments, combined with telemetry captured from different sources, helps the ForeNova team deliver a far more accurate and effective proactive security posture.

Why ForeNova?

Experience, expertise, and proven methods across several industries make ForeNova a leader in the MDR space. Many MDR providers specialize in specific sectors or offer minimal service engagement. ForeNova, powered by its NovaMDR offering, delivers a wide range of security capabilities. These capabilities align strongly with various European Union compliance mandates, including GDPR.

ForeNova’s NovaMDR solution also provides 24/7 monitoring and response capabilities, ensuring a rapid and effective response to any security incidents. By partnering with ForeNova, organizations can enhance their cybersecurity defenses and minimize the risk of data breaches.

Interested in learning more about ForeNova's NovaMDR solution to help stop EDR killers?

Click here to schedule a demo today with the engineers at ForeNova!
