‘EDR-on-EDR Violence’: Hackers turn security tools against each other

A growing trend: This EDR abuse represents an evolution of legitimate tool exploitation that security teams are seeing across the threat landscape. The 2024 CrowdStrike Threat Hunting Report documented a 70% year-over-year increase in remote monitoring and management tool abuse, with RMM tool exploitation accounting for 27 percent of all hands-on-keyboard intrusions.

The research was sparked by observations from a security researcher known as BushidoToken, who posted on X about threat actors actively abusing certain EDR products and questioned whether this should become a MITRE ATT&CK subcategory. The real-world intelligence suggests the technique is already being exploited beyond laboratory settings.

“These tools are legitimate, trusted, have a valid certificate, and as such, are far less likely to be detected,” the researchers noted, explaining the fundamental challenge facing defenders.

Detection challenges: The attack presents unique challenges for security teams because traditional detection methods may fail. The attacking software carries valid digital certificates and is recognized as legitimate security software, making it difficult to distinguish from authorized installations.

“No obvious malicious activity is generated during the disabling process, and systems appear to simply go offline rather than showing clear signs of compromise,” the researchers added.

This creates a dangerous blind spot for security operations centers that rely on endpoint telemetry to monitor their environments. When an EDR agent stops reporting, it could indicate a system shutdown, a network connectivity issue, or this new form of attack.

Woods and Manrod provided recommendations for organizations looking to defend against this attack vector. They suggested deploying application control solutions to block unauthorized security software installations and implementing custom “Indicators of Attack” to detect suspicious EDR installations. Application-aware firewalls and secure web gateways can help block access to unauthorized security vendor portals, they added.

The researchers provided detailed instructions for security teams to test this attack vector in their own environments, emphasizing the importance of understanding how these attacks appear in organizational security telemetry. They recommend conducting controlled tests using isolated systems, monitoring for detection gaps in existing security tools, and analyzing attack timelines and indicators.

“Finally, please try this at home. Test, hunt, and analyze how these vectors look in your environment and use this testing as your guide,” the researchers urged security teams.
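The blind spot described above, an agent that simply goes quiet, can be narrowed by correlating two signals the article mentions: an install of a security product that is not on the organization's allowlist, and an EDR heartbeat that stops while other telemetry (DHCP, proxy, Sysmon) shows the host is still alive. The following Python sketch is an added example and not code from the article or from the researchers it quotes; the log format, the product names (`ApprovedEDR`, `OtherVendorSensor`), the host names and the 10-minute gap threshold are all constructed assumptions for illustration.

```python
"""Triage sketch: separate "host went offline" from "agent was silenced".

Two defender-side signals are combined per host:
  1. a service install whose product is not an approved sensor, and
  2. an EDR heartbeat that stopped while the host kept generating other
     telemetry (DHCP lease renewals, proxy requests, Sysmon events).
A host showing both is the strongest lead; a host whose heartbeat stops with
no further activity at all looks like an ordinary shutdown and is not flagged.
"""
from datetime import datetime, timedelta

# Approved sensor product names (hypothetical; replace with your own deployment).
APPROVED_SENSORS = {"ApprovedEDR"}
# Other activity seen this long after the last heartbeat means the host was
# alive but the agent was not reporting (assumed threshold for this example).
HEARTBEAT_GAP = timedelta(minutes=10)

# Constructed sample telemetry, one event per line: timestamp|host|source|event|detail
SAMPLE_LOG = """\
2025-01-10T09:00:00|ws-01|edr|heartbeat|ApprovedEDR
2025-01-10T09:05:00|ws-01|edr|heartbeat|ApprovedEDR
2025-01-10T09:06:00|ws-01|sysmon|service_install|OtherVendorSensor
2025-01-10T09:10:00|ws-01|dhcp|lease_renew|10.0.0.15
2025-01-10T09:20:00|ws-01|proxy|http_request|portal.other-vendor.invalid
2025-01-10T09:00:00|ws-02|edr|heartbeat|ApprovedEDR
2025-01-10T09:05:00|ws-02|edr|heartbeat|ApprovedEDR
2025-01-10T09:00:00|ws-03|edr|heartbeat|ApprovedEDR
2025-01-10T09:02:00|ws-03|sysmon|service_install|ApprovedEDR
2025-01-10T09:05:00|ws-03|edr|heartbeat|ApprovedEDR
"""


def parse_log(text):
    """Parse the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "source": source, "event": event, "detail": detail})
    return events


def unapproved_sensor_installs(events):
    """Service installs whose product name is not on the sensor allowlist."""
    return [(e["host"], e["detail"], e["ts"]) for e in events
            if e["event"] == "service_install" and e["detail"] not in APPROVED_SENSORS]


def silenced_agents(events, gap=HEARTBEAT_GAP):
    """Hosts whose latest non-EDR activity is more than `gap` after their last
    EDR heartbeat: the host is alive, the agent is not reporting."""
    last_beat, last_other = {}, {}
    for e in events:
        is_beat = e["source"] == "edr" and e["event"] == "heartbeat"
        bucket = last_beat if is_beat else last_other
        if e["host"] not in bucket or e["ts"] > bucket[e["host"]]:
            bucket[e["host"]] = e["ts"]
    flagged = []
    for host, beat in last_beat.items():
        other = last_other.get(host)
        if other is not None and other - beat > gap:
            flagged.append((host, beat, other))
    return flagged


def triage(events):
    """Rank hosts: both signals -> high, silenced agent alone -> medium,
    unapproved install alone -> low (may be legitimate admin activity)."""
    installs = {h for h, _, _ in unapproved_sensor_installs(events)}
    silenced = {h for h, _, _ in silenced_agents(events)}
    verdicts = {}
    for host in installs | silenced:
        if host in installs and host in silenced:
            verdicts[host] = "high"
        elif host in silenced:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return verdicts


if __name__ == "__main__":
    for host, level in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {level}")
```

On the sample data only ws-01 is raised, at high: an unapproved sensor was installed, its approved agent stopped beating at 09:05, and the host was still renewing a DHCP lease and talking through the proxy fifteen minutes later. ws-02 stops beating and is never seen again, which is what a shutdown looks like, and ws-03 reinstalls the approved product and keeps reporting. In a real pipeline the same logic would run over SIEM exports rather than an embedded string, and the allowlist and gap would come from configuration.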

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4032009/edr-on-edr-violence-hackers-turn-security-tools-against-each-other.html
