HackTool - EDRSilencer Execution
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
HackTool - EDRSilencer Execution | Standard | Windows Security Event Log (Process Creation) | T1562 – Defense Evasion: Impair Defenses | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects the execution of EDRSilencer, a tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events, thereby impairing defenses. The rule identifies the tool by its process name, its PE metadata (OriginalFilename) and the event message.
Severity
Trouble
Rule journey
Attack chain scenario
Defense Evasion (Impair Defenses)
Impact
Disruption of security monitoring and prevention mechanisms, allowing adversaries to evade detection.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller with admin credentials.
- Open GPMC (gpmc.msc) and edit/create a GPO for the target OU.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking and:
  - Enable Audit Process Creation (Success)
  - Enable Audit Process Termination (Success)
- Go to Computer Configuration > Administrative Templates > System > Audit Process Creation and enable "Include command line in process creation events".
- Ensure the registry key exists:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals.
- Open Command Prompt as administrator.
- Use a config file with:
  <ProcessCreate onmatch="exclude"/>
- Install Sysmon:
  sysmon.exe -i [configfile.xml]
- Ensure the registry key exists:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\EDRSilencer.exe" OR ORIGINALFILENAME = "EDRSilencer.exe" OR MESSAGE contains "EDRSilencer")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
The three indicators are grouped so that each one is tied to a process-start event. ORIGINALFILENAME comes from the binary's PE version resource, so the rule still fires when the file on disk carries a different name than the tool's own.
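As an added worked example (not part of the rule page or the SIEM product's own code), the following Python applies Action1 to a handful of constructed events and contrasts the criteria as written, where AND binds before OR and so only the first indicator is tied to a process-start event, with the grouped form the rule description calls for. The field names are the rule's; the hostnames, paths, users and the "File created" action name are assumptions made up for the example.

```python
"""Worked example of the HackTool - EDRSilencer Execution criteria.

Field names mirror the rule (PROCESSNAME, ORIGINALFILENAME, MESSAGE, ...);
every event record below is a constructed sample, not real telemetry.
"""
from dataclasses import dataclass


@dataclass
class Event:
    """One normalised endpoint event (constructed sample values)."""
    actionname: str
    hostname: str
    processname: str = ""
    originalfilename: str = ""
    commandline: str = ""
    message: str = ""
    file_name: str = ""
    username: str = ""
    parentprocessname: str = ""


def _indicator(ev: Event) -> bool:
    """The rule's three EDRSilencer indicators, compared case-insensitively
    because Windows paths and file names are not case-sensitive."""
    return (
        ev.processname.lower().endswith("\\edrsilencer.exe")
        or ev.originalfilename.lower() == "edrsilencer.exe"
        or "edrsilencer" in ev.message.lower()
    )


def matches_as_written(ev: Event) -> bool:
    """Criteria with the usual precedence (AND before OR):
    (actionname = "Process started" AND PROCESSNAME endswith ...) OR ... OR ...
    Only the first indicator is tied to a process-start event."""
    return (
        (ev.actionname == "Process started"
         and ev.processname.lower().endswith("\\edrsilencer.exe"))
        or ev.originalfilename.lower() == "edrsilencer.exe"
        or "edrsilencer" in ev.message.lower()
    )


def matches_grouped(ev: Event) -> bool:
    """Criteria with the OR-branches grouped: a process-start event that
    carries any one of the three indicators."""
    return ev.actionname == "Process started" and _indicator(ev)


def select_fields(ev: Event) -> dict:
    """The rule's select clause: the fields carried into the alert row."""
    return {
        "HOSTNAME": ev.hostname,
        "MESSAGE": ev.message,
        "COMMANDLINE": ev.commandline,
        "FILE_NAME": ev.file_name,
        "PROCESSNAME": ev.processname,
        "USERNAME": ev.username,
        "PARENTPROCESSNAME": ev.parentprocessname,
    }


def run_rule(events, matcher=matches_grouped):
    """Apply the criteria to a stream of events and return the alert rows."""
    return [select_fields(ev) for ev in events if matcher(ev)]


# Constructed sample events (assumed hostnames, paths and users).
SAMPLE_EVENTS = [
    # 1. Execution under the tool's own file name.
    Event("Process started", "WS01",
          processname=r"C:\Users\alice\Downloads\EDRSilencer.exe",
          originalfilename="EDRSilencer.exe",
          commandline=r"C:\Users\alice\Downloads\EDRSilencer.exe",
          message="A new process has been created.", file_name="EDRSilencer.exe",
          username="CORP\\alice", parentprocessname=r"C:\Windows\System32\cmd.exe"),
    # 2. Same binary under another on-disk name: PE OriginalFilename still identifies it.
    Event("Process started", "WS02", processname=r"C:\Temp\svc.exe",
          originalfilename="EDRSilencer.exe", commandline=r"C:\Temp\svc.exe",
          message="A new process has been created.", file_name="svc.exe",
          username="CORP\\bob", parentprocessname=r"C:\Windows\explorer.exe"),
    # 3. Benign process: no indicator at all.
    Event("Process started", "WS01", processname=r"C:\Windows\System32\notepad.exe",
          originalfilename="NOTEPAD.EXE", message="A new process has been created.",
          file_name="notepad.exe", username="CORP\\alice"),
    # 4. Not a process start: a file event whose message mentions the tool.
    Event("File created", "WS03", message=r"File created: C:\Temp\EDRSilencer.exe",
          file_name="EDRSilencer.exe", username="CORP\\carol"),
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["HOSTNAME"], row["PROCESSNAME"], row["FILE_NAME"])
```

Run against the samples, the grouped form alerts on WS01 and WS02 only; the as-written form additionally alerts on the WS03 file event, which is the kind of row an analyst would not expect from a rule scoped to process execution. The WS02 row shows why ORIGINALFILENAME is part of the criteria: the on-disk name (svc.exe) is what FILE_NAME carries, while the PE metadata still reads EDRSilencer.exe.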
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1562 – Defense Evasion: Impair Defenses
Security Standards
Includes auditing, execution prevention, file and registry permission restrictions, software configuration, and user account management to safeguard security tools.
Author
@gott_cyber
Future actions
Known False Positives
Unlikely; detection based on distinctive process names and command-line indicators.
Next Steps
- Investigate instances of edrsilencer.exe execution or command lines referencing "EDRSilencer".
- Review and harden permissions related to security and logging services.
- Conduct forensic analysis to identify potential defense evasion.
- Strengthen auditing, application control, and permission policies.
- Verify secure software configurations and strong user account practices.
Mitigation
Mitigation ID | Name | Description |
M1040 | Behavior Prevention on Endpoint | Configure endpoint security solutions to block process injection techniques based on common behavioral patterns during injection. For example, on Windows 10, enable Attack Surface Reduction (ASR) rules to prevent code injection by applications such as Office and others. |
M1026 | Privileged Account Management | Restrict process injection by configuring kernel-level security controls. For Linux, use Yama (e.g., /proc/sys/kernel/yama/ptrace_scope) to limit ptrace use to privileged users only. Deploy advanced security modules like SELinux, grsecurity, or AppArmor to enforce access controls and process restrictions that mitigate injection techniques. |