Guarding Against EDR Killers: Guidance for Enhanced Security

By: Diara D.

Recently, a new EDR-killing utility dubbed “EDRKillShifter” was discovered by Sophos analysts. It was found being used by threat actors during a RansomHub ransomware attack to disable endpoint protections. In the past few years, there has been a noticeable uptick in the usage of “EDR Killers” during cybersecurity attacks, a technique increasingly being employed by ransomware gangs and state-sponsored threat groups.

The term “EDR Killer” generally refers to tools and techniques designed to bypass, disable, or evade Endpoint Detection and Response (EDR) systems. These systems monitor and analyze activity on an organization’s computer equipment to detect and respond to cybersecurity threats. In recent years, EDR has become crucial in many environments to quickly identify malicious activity and has therefore become more of a target for threat actors seeking to successfully carry out their attacks.

Bring Your Own Vulnerable Driver

A common technique observed as a precursor to bypassing or disabling EDR tools is Bring Your Own Vulnerable Driver (BYOVD), which provides the kernel-level access needed to tamper with EDR protections. Drivers are low-level software components that facilitate communication between the operating system and hardware devices. Some legitimate drivers contain vulnerabilities that attackers can exploit to execute arbitrary code with elevated privileges. Windows by default enforces a policy called Driver Signature Enforcement, which requires any kernel-mode driver to carry a valid digital signature before it is loaded. Vulnerable drivers are appealing precisely because they already come with a valid digital signature; otherwise, a threat actor would need to create a custom driver and obtain a stolen or leaked code-signing certificate to get past this control.

To perform this technique, an attacker needs to determine whether a vulnerable driver is already present on a system or can be introduced. Drivers may originate from various sources, including commercial software, the operating system, hardware vendors, or open-source code. Once the driver is deployed, the threat actor can exploit the vulnerability to gain higher-level privileges on the system. This may allow them to bypass security features and execute code that would otherwise be blocked by security solutions. EDR Killers frequently rely on BYOVD because it lets them disable or unhook EDR components that operate at a low level in the operating system. Using the vulnerable driver, the utility gains the privileges needed to terminate or tamper with EDR processes on an endpoint so the attack can continue. Once a vulnerable driver is loaded and exploited, it can also be re-used to maintain persistence on the system.

As noted earlier, “EDRKillShifter” is a recently discovered malware tool that uses the BYOVD technique to disable EDR. EDRKillShifter is launched with a password that it uses to decrypt and execute an embedded resource in memory; that resource unpacks and deploys the final payload, which drops and exploits a vulnerable driver to escalate privileges and disable EDR protections. It has been observed using drivers such as RentDrv2 and ThreatFireMonitor, both of which have exploits available on GitHub. The tool is likely being used by multiple attackers with different final payloads.

Another commonly used EDR Killer that relies on BYOVD is the Terminator tool. Terminator emerged in May 2023 when it was advertised for sale on a Russian-language ransomware forum. It became notable for exploiting vulnerable drivers from Zemana, an anti-malware vendor. Specifically, zam64.sys (Zemana Anti-Logger) and zamguard64.sys (Zemana Anti-Malware) were abused. The drivers contain a vulnerability that allows attackers to add their malicious processes to the driver’s allow list, enabling them to issue IOCTL (Input/Output Control) commands to disable EDR and antivirus solutions. The Terminator attack requires either administrative privileges or a successful UAC (User Account Control) bypass. Once that privilege has been obtained, the attacker can leverage the vulnerable driver to terminate security processes by sending specific IOCTL codes.

AvNeutralizer (also known as AuKill) is yet another BYOVD-based EDR killer. Developed by FIN7, an APT (Advanced Persistent Threat) group originating from Russia, AvNeutralizer has been observed in use as early as November 2022. It was originally used exclusively by the Black Basta ransomware group, but updated versions of the tool were seen in use by other ransomware groups as well starting in 2023, and it has been seen for sale on hacking forums. In 2023, it was reported that the AuKill tool was abusing the Process Explorer driver in a similar way to the open-source tool Backstab. The Process Explorer driver, part of Microsoft’s Sysinternals suite of administrative tools and signed by Microsoft, legitimately interacts with running processes. More recent versions of the tool appear to use anti-analysis methods and abuse ProcLaunchMon.sys, a built-in Windows driver, in addition to Process Explorer. Though the tool requires administrative privileges, it can effectively terminate security software by closing protected processes.

Beyond BYOVD

While BYOVD-based tools are a popular choice for bypassing EDR, they are by no means the only option. Brute Ratel and similar tools, such as Cobalt Strike, are advanced post-exploitation frameworks that were developed for red teaming and penetration testing but are often abused by threat actors. These tools can act as EDR killers by employing sophisticated techniques to evade detection, bypass security controls, and disable EDR systems. Tools like Brute Ratel can evade EDR detection by injecting malicious code into legitimate processes, running payloads directly in memory, obfuscating payloads, and encrypting C2 traffic. Such a tool may also attempt to disable EDR components by stopping their processes, terminating related services, or modifying critical system files or registry entries that EDR relies upon, and it can disable or bypass the user-mode hooks that EDR tools use to monitor system behavior. Additionally, it can leverage “Living Off the Land” (LotL) binaries to perform malicious actions, which are more difficult to detect than typical malware.

The methods used by tools like Brute Ratel to evade, bypass, and disable EDR differ from those of BYOVD-based tools. Brute Ratel operates mainly at the user level, using techniques like process injection, in-memory execution, and payload obfuscation, whereas BYOVD-based tools exploit vulnerabilities in legitimate drivers at the kernel level, allowing them to disable or unhook EDR systems at a deeper level of the operating system. Brute Ratel can also be effective without elevated privileges, though completely disabling security software may require administrator rights; BYOVD-based tools always require elevated privileges to load and exploit the driver. Brute Ratel is also generally more sophisticated and stealthier, relying on user-mode evasion techniques that are less likely to crash a system. BYOVD-based tools are riskier, as manipulating kernel-mode drivers can quickly lead to system instability. However, if successful, they can be far more powerful than a tool such as Brute Ratel and can essentially neutralize EDR tools completely.

How to Protect Your Organization

Clearly, the development of tools focused on bypassing and disabling EDR protections isn’t going to slow down anytime soon. New EDR evasion tools appear frequently on GitHub and other open-source platforms, and they reportedly continue to be sold at low price points on the black market. As these tools become easier for threat actors to obtain and require fewer technical skills to deploy, it is imperative to take a multi-layered approach to protecting your environment.

While EDR vendors use signature-based, behavioral-based, and even AI-powered detections to continually keep up with malicious actors’ evolving tools and techniques, there are additional ways that you can help keep your organization protected against these threats.

Enable Tamper Protection in EDR

  • Many EDR vendors provide tamper protection that can help prevent unauthorized users from disabling or modifying EDR settings.
  • Ensure tamper protection is enabled for all endpoints and regularly review the settings to confirm they haven’t been changed without your knowledge.
  • Implement and monitor alerts for any changes made to tamper protection settings.

Blocking Vulnerable Drivers

  • Blocking drivers known to be vulnerable can prevent their exploitation, but doing so can disrupt legitimate business operations. Use caution when choosing drivers to block in your environment.
  • Consider blocking drivers that aren’t installed in your environment, or creating an allowlist of only the drivers you need and reviewing and updating that list whenever your environment changes or new threat intelligence arrives.
      ◦ Microsoft provides more information about blocking vulnerable drivers in its documentation. LOLDrivers also provides a list of Windows drivers that threat actors may use to bypass security controls, and Sigma detections have been written for them and continue to be updated with new IOCs.

Keep Operating Systems and Applications Updated

  • Regular OS (Operating System) updates can prevent the exploitation of known vulnerabilities, including those used by BYOVD attacks.
  • Microsoft and other vendors frequently release updates and patches that will de-certify or block abused drivers.
  • Consider using a centralized software management system to oversee updates across your environment and prioritize updates for software that interacts with sensitive data and critical systems.
  • Remove any outdated software that you no longer need.

Defense in Depth

  • Implementing a multi-layered security approach can help ensure that if one layer is compromised, the others can still provide protection. This could include adding security solutions beyond EDR, such as antivirus, firewalls, or behavioral analytics tools.
  • Consider using Network Detection and Response (NDR) tools to monitor network traffic and help detect malicious activity that bypasses your EDR tool. NDR platforms can identify unusual traffic patterns, communication with known malicious domains, or attempts to exfiltrate data.
  • Diversifying vendors may also help, as each may have unique detection capabilities.
  • Ensure that the different layers are properly integrated to avoid gaps, and regularly test the effectiveness of each layer to adapt to evolving threats.

Network Segmentation

  • Use micro-segmentation to isolate critical systems and sensitive data from the rest of the network. This may limit an attacker’s ability to move laterally within your environment, even if EDR protections are bypassed on an endpoint.
  • Put your EDR management systems on a separate secure network segment to add an extra layer of protection. This can make it more difficult for attackers to disable or tamper with your EDR infrastructure.
  • Use Network Access Control (NAC) to enforce your security policies and control access to different network segments. Devices that are not in compliance can be isolated and prevented from potentially spreading malware or being exploited.

Conduct Vulnerability Assessments

  • Regular vulnerability assessments can help identify existing vulnerable drivers or other weaknesses in your environment so that you can remediate them before an attack occurs.
  • Use automated vulnerability scanners along with manual assessments to identify issues that may otherwise be overlooked and remediate high-priority vulnerabilities as soon as possible.
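As an added example of the driver review that the Blocking Vulnerable Drivers and Conduct Vulnerability Assessments sections call for (this is not code from the article, Sophos, Microsoft, or any EDR vendor), the following PowerShell script inventories the kernel drivers registered on a Windows host, hashes them, records their Authenticode status, flags any file name on a watchlist seeded only with the driver names the article mentions, and reports whether Windows’ built-in vulnerable driver blocklist is enforced via the VulnerableDriverBlocklistEnable registry value that Microsoft documents.

```powershell
# Watchlist seeded with driver file names from the article; extend it from LOLDrivers
# and Microsoft's vulnerable driver blocklist before using it in production.
$Watchlist = @(
    'zam64.sys',         # Zemana Anti-Logger, abused by Terminator
    'zamguard64.sys',    # Zemana Anti-Malware, abused by Terminator
    'ProcLaunchMon.sys'  # built-in Windows driver abused by newer AuKill builds
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths arrive as \??\C:\..., \SystemRoot\..., or a System32-relative path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    param([string[]]$Watch = $Watchlist)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $name = Split-Path -Leaf $path
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            # A valid signature is not a clean bill of health: BYOVD drivers are validly
            # signed, which is why the name watchlist is checked before signature status.
            $flag = ''
            if ($Watch -contains $name)      { $flag = 'WATCHLIST' }
            elseif ($sig.Status -ne 'Valid') { $flag = 'SIGNATURE' }
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State        # Running drivers are usable by an EDR killer right now
                Path      = $path
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                SigStatus = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Flag      = $flag
            }
        }
}

function Test-VulnerableDriverBlocklist {
    # Windows' built-in vulnerable driver blocklist is enforced when this CI value is 1.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.VulnerableDriverBlocklistEnable -eq 1)
}

Get-DriverInventory | Where-Object Flag | Sort-Object State -Descending |
    Format-Table Service, State, Flag, SigStatus, Path -AutoSize
"Vulnerable driver blocklist enforced: $(Test-VulnerableDriverBlocklist)"
```

Run it from an elevated PowerShell session; the SHA256 column lets you compare results against the hash lists LOLDrivers publishes, not just against file names, since attackers can rename a driver.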

User Education and Least Privilege Access Control

  • Educating users on security best practices, including the risks of running an application with elevated privileges, is critical in preventing EDR killers from gaining a foothold in your environment. Training should cover the importance of UAC and how attackers may attempt to bypass it.
  • The BYOVD technique relies on elevated privileges to load and exploit a vulnerable driver, and tools like Brute Ratel may require administrative rights to perform certain tasks like disabling security software. Consider using the principle of least privilege to limit admin rights, elevated privileges, and access to resources to only those employees who require it for their roles.

The emergence of "EDRKillShifter" shows just how critical it is to stay ahead in cybersecurity. Disabling endpoint protections during a ransomware attack is a game-changer for threat actors, making it essential for organizations to bolster their defenses. This is a stark reminder that in cybersecurity, we can never afford to be complacent.
