{
	"id": "2f37bae1-2659-4f87-b9f2-e75635963668",
	"created_at": "2026-04-06T01:31:30.348246Z",
	"updated_at": "2026-04-10T03:21:58.125771Z",
	"deleted_at": null,
	"sha1_hash": "d70f44ec3a6333de3148bd216a4daac4993014e7",
	"title": "Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1863371,
	"plain_text": "Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions\r\nBy Jacob Santos, Cj Arsley Mateo, Sarah Pearl Camiling\r\nPublished: 2024-10-15 · Archived: 2026-04-06 00:41:28 UTC\r\nCyber Threats\r\nTrend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.\r\nBy: Jacob Santos, Cj Arsley Mateo, Sarah Pearl Camiling Oct 15, 2024 Read time: 7 min (1858 words)\r\nSummary\r\nThe Trend Micro Threat Hunting Team has observed that EDRSilencer, a red team tool originally designed to interfere with endpoint detection and response solutions via the Windows Filtering Platform, is actively being used by threat actors.\r\nOur internal telemetry showed threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.\r\nEDRSilencer disrupts the transmission of telemetry or alerts to EDR management consoles, which complicates the identification and removal of malware.\r\nThe tool dynamically identifies any running EDR processes and creates WFP filters to block their outbound communication.\r\nDuring testing, it was also found to block communication for processes not included in its hardcoded list, further demonstrating its effectiveness.\r\nRed team tools, which identify and address weaknesses in an organization’s security infrastructure, are crucial to the improvement of its overall security posture. However, threat actors are continuously finding ways to repurpose these tools for malicious purposes. Recently, the Trend Micro Threat Hunting Team has observed the use of EDRSilencer, a red team tool that is able to interfere with endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP). According to the author of this tool, it was inspired by the closed-source tool FireBlock by MdSec NightHawk.\r\nEDRs are security tools that monitor endpoints like computers for signs of malicious activity. EDRSilencer is designed to block network communication for processes associated with various EDR products. This interference can prevent EDR solutions from sending telemetry or alerts to their management consoles, making it significantly harder to identify and remove malware. It is effective in blocking network communication for processes associated with various EDR products (Table 1).\r\nThe WFP is a powerful framework built into Windows for creating network filtering and security applications. It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications. WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.\r\nHowever, this tool demonstrates a technique that can be used by adversaries to evade detection: By blocking EDR traffic, malware could potentially remain hidden on a system, making it harder to identify and remove. Understanding how this code works is crucial for defenders to develop effective countermeasures.\r\nEDR Product | Process\r\nCarbon Black Cloud | RepMgr.exe, RepUtils.exe, RepUx.exe, RepWAV.exe, RepWSC.exe\r\nCarbon Black EDR | cb.exe\r\nCisco Secure Endpoint (Formerly Cisco AMP) | sfc.exe\r\nCybereason | AmSvc.exe, CrAmTray.exe, CrsSvc.exe, ExecutionPreventionSvc.exe, CybereasonAV.exe\r\nCylance | CylanceSvc.exe\r\nElastic EDR | winlogbeat.exe, elastic-agent.exe, elastic-endpoint.exe, filebeat.exe\r\nESET Inspect | EIConnector.exe, ekrn.exe\r\nFortiEDR | fortiedr.exe\r\nHarfanglab EDR | hurukai.exe\r\nMicrosoft Defender for Endpoint and Microsoft Defender Antivirus | MsMpEng.exe, MsSense.exe, SenseIR.exe, SenseNdr.exe, SenseCncProxy.exe, SenseSampleUploader.exe\r\nPalo Alto Networks Traps/Cortex XDR | Traps.exe, cyserver.exe, CyveraService.exe, CyvrFsFlt.exe\r\nQualys EDR | QualysAgent.exe\r\nSentinelOne | SentinelAgent.exe, SentinelAgentWorker.exe, SentinelServiceHost.exe, SentinelStaticEngine.exe, LogProcessorService.exe, SentinelStaticEngineScanner.exe, SentinelHelperService.exe, SentinelBrowserNativeHost.exe\r\nTanium | TaniumClient.exe, TaniumCX.exe, TaniumDetectEngine.exe\r\nTrellix EDR | xagt.exe\r\nTrendMicro Apex One | CETASvc.exe, WSCommunicator.exe, EndpointBasecamp.exe, TmListen.exe, Ntrtscan.exe, TmWSCSvc.exe, PccNTMon.exe, TMBMSRV.exe, CNTAoSMgr.exe, TmCCSF.exe\r\nTable 1. List of executable names associated with common EDR products terminated by EDRSilencer\r\nThe code leverages WFP by dynamically identifying running EDR processes and creating WFP filters (Figure 1) to block their outbound network communications on both the internet protocols IPv4 and IPv6, effectively preventing EDRs from sending telemetry or alerts to their management consoles (Figure 2).\r\nTo verify whether the EDR was effectively blocked by EDRSilencer, we utilized EDRNoiseMaker, a tool available on GitHub that is designed to identify potential silencers of an EDR or a process of the user's choosing (Figure 4). It tries to detect the silenced processes by examining a list of executables that have been silenced using WFP, which corresponds directly to the functionality of EDRSilencer.\r\nFigure 1. EDRSilencer configures a WFP filter to block specific application connections and sets up the corresponding provider\r\nThe WFP filters are marked as persistent, ensuring that they remain active even after the code has finished executing or the system is rebooted.\r\nThe tool provides a command-line interface with the following options:\r\nblockedr - Automatically block traffic from all detected EDR processes\r\nblock \u003cpath\u003e - Block traffic from a specific process specified by its full path\r\nunblockall - Remove all WFP filters created by the tool\r\nunblock \u003cfilter id\u003e - Remove a specific WFP filter using its ID\r\nDuring our investigation, we tested the tool with our Vision One Endpoint Agent. On the first attempt using the tool with the blockedr argument, the endpoint agent was still able to send outbound traffic, as some executable files reporting to Vision One are not included in the hardcoded list.\r\nFigure 3. Log shows a list of processes that have been found running related to EDR or antivirus products\r\nFigure 4. Using EDRNoiseMaker to confirm that rules have been made. This will show the ID and the path of executables that were blocked with custom outbound filter.\r\nFigure 5. Although the processes have been blocked, the EDR is still able to send telemetry based on the endpoint logs\r\nOn the second attempt, we first checked for running Trend Micro products, saw two processes running that were not included in the hardcoded list (Figure 6) and copied their respective full file paths. We then used both blockedr and block \u003cpath\u003e arguments to apply the filters (Figure 7). When we executed a ransomware binary, no logs were reflected on the portal; the device appeared disconnected or inactive, which indicates that the tool was effective (Figure 9). By utilizing the same command line for blockedr as shown in Figure 5, along with the block \u003cpath\u003e command illustrated in Figure 8, EDRSilencer successfully blocked the logs from the endpoint.\r\nFigure 6. Task Manager showing other Trend Micro processes like Trend Micro Response Service and Trend Micro Cloud Endpoint Service, which are not included in the hardcoded list\r\nFigure 7. Blocking processes using the complete path of binary of EDR or antivirus\r\nFigure 8. Vision One Search Platform showing that there are no new logs indicating ransomware activity from the endpoint after using blockedr and block \u003cpath\u003e argument\r\nFigure 9. The device was disconnected or inactive, which indicates that EDRSilencer is effective\r\nAttack Chain\r\nAs shown in Figure 10, EDRSilencer is executed as follows:\r\nProcess Discovery\r\nThe attack chain begins with the process discovery phase, where EDRSilencer scans the system to compile a list of running processes associated with common EDR products.\r\nExecution\r\nIn the execution phase, the attacker runs EDRSilencer using the blockedr argument to block traffic from all detected EDR processes. Alternatively, the attacker can use the block \u003cpath\u003e argument to block traffic from a specific process by providing its full path.\r\nPrivilege Escalation\r\nMoving to privilege escalation, EDRSilencer configures WFP filters to block outbound network communications for both IPv4 and IPv6 protocols. These filters are marked as persistent, ensuring they remain effective even after the system reboots. The tool dynamically identifies running EDR processes and applies WFP filters to block their communications.\r\nImpact\r\nFinally, EDR tools are rendered ineffective as they are unable to send telemetry, alerts, or other data to their management consoles. During testing, it was observed that some EDR processes were still able to communicate because they were not included in the hardcoded list. After identifying and blocking additional processes not included in the hardcoded list, the EDR tools failed to send logs, confirming the tool’s effectiveness. This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention.\r\nConclusion\r\nIn our ongoing efforts to monitor and mitigate emerging threats, we have observed based on our internal telemetry that certain threat actors are attempting to leverage EDRSilencer as part of their attack strategies. This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.\r\nThe emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors. By disabling critical security communications, it enhances the stealth of malicious activities, increasing the potential for successful ransomware attacks and operational disruptions. This is indicative of an evolving threat landscape that necessitates a proactive and adaptive security posture, combining multi-layered defenses and continuous monitoring to mitigate risks. Organizations must remain vigilant, employing advanced detection mechanisms and threat hunting strategies to counteract these sophisticated tools and protect their digital assets. As threat actors continue to innovate, Trend Micro persists in its commitment to enhancing security measures and sharing insights to safeguard against future attacks.\r\nSecurity recommendations\r\nTrend Micro products already detect this tool as malware. As an additional layer of protection, Behavior Monitoring (AEGIS) also flags this malware’s behavior and prevents its execution for Trend Micro products that have this advanced detection feature enabled.\r\nWe have also developed a suite of proactive detection strategies and solutions that security practitioners can apply to identify and neutralize this threat before it can be fully deployed and exploited by threat actors:\r\nImplementing multi-layered security controls\r\nNetwork segmentation - Isolate critical systems and sensitive data to limit lateral movement.\r\nDefense-in-depth - Use multiple layers of security controls (including firewalls, intrusion detection systems, antivirus, and EDR) to create redundancy.\r\nEnhancing endpoint security\r\nBehavioral analysis - Deploy security solutions that use behavioral analysis and anomaly detection to identify unusual activities that might bypass traditional EDR.\r\nApplication whitelisting - Only allow approved applications to run, reducing the risk of malicious software execution.\r\nConducting continuous monitoring and threat hunting\r\nThreat hunting - Proactively search for indicators of compromise (IoCs) and advanced persistent threats (APTs) within your network.\r\nImplementing strong access controls\r\nPrinciple of least privilege - Ensure users and applications have the minimum level of access necessary to perform their functions.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nEDRSilencer Compromising Endpoint Security Monitoring\r\nTrend Micro Vision One Threat Insights App\r\nEmerging Threats: EDRSilencer Compromising Endpoint Security Monitoring\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nDetecting potential incidents involving EDRSilencer\r\nmalName:*Win64.EDRSilencer* AND eventName:MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nTactic | Technique | MITRE ID\r\nDiscovery | Process Discovery | T1057\r\nExecution | Command and Scripting Interpreter | T1059\r\nPrivilege Escalation | Create or Modify System Process | T1543.00\r\nDefense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001\r\nDefense Evasion | Network Traffic Filtering | T1569.002\r\nImpact | Network Denial of Service | T1498\r\nImpact | Endpoint Denial of Service | T1499\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Detection\r\n721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7 | HackTool.Win64.EDRSilencer.REDT\r\nSource: https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html"
	],
	"report_names": [
		"edrsilencer-disrupting-endpoint-security-solutions.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439090,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d70f44ec3a6333de3148bd216a4daac4993014e7.pdf",
		"text": "https://archive.orkl.eu/d70f44ec3a6333de3148bd216a4daac4993014e7.txt",
		"img": "https://archive.orkl.eu/d70f44ec3a6333de3148bd216a4daac4993014e7.jpg"
	}
}