Defending EDR Against Adversaries

What Happened

Hackers are actively finding ways to turn off or blind security software like antivirus on computers. They do this by blocking the software from sending alerts, secretly uninstalling it, or using outdated, vulnerable computer drivers to force the security programs to close. This allows the attackers to move around the network and launch attacks like ransomware without being detected. Organizations should ensure their security tools have tamper protection enabled and monitor for unusual changes to system settings.

Key Takeaways

• Threat actors actively disable AV and EDR tools to create a 'dark zone' for lateral movement and ransomware deployment.
• Attackers abuse Windows Firewall rules (directly or via WFP) to block EDR telemetry using tools like EDRSandblast and EDRSilencer.
• Bring Your Own Vulnerable Driver (BYOVD) is a primary method for gaining kernel-mode access to terminate protected security processes.
• Adversaries frequently manipulate Microsoft Defender by adding broad exclusions for specific paths and file extensions.
• Legitimate tools like GlassWire and rogue RMMs are leveraged to uninstall or block security agents.

Affected Systems

• Windows
• Microsoft Defender Antivirus
• Endpoint Detection and Response (EDR) solutions

Attack Chain

Attackers gain initial access, sometimes via compromised credentials or malvertising leading to malicious MSI downloads. Once on the endpoint, they escalate privileges to execute defense evasion techniques. They deploy rogue RMMs, manipulate Windows Firewall rules, or use BYOVD (Bring Your Own Vulnerable Driver) attacks to terminate or blind EDR and AV processes. With defenses neutralized, the attackers establish persistence and proceed with their primary objectives, such as lateral movement or ransomware deployment.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide explicit detection rules, but highlights behavioral patterns such as unusual firewall rule creation, Defender exclusion modifications, and vulnerable driver loads that can be monitored via EDR.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions with tamper protection and driver load monitoring are well-positioned to detect BYOVD and unauthorized uninstallation attempts. Network Visibility: Low — The techniques described are primarily host-based (driver loading, registry modifications, local firewall rules). Detection Difficulty: Moderate — Detecting BYOVD requires maintaining an up-to-date blocklist of vulnerable drivers. Detecting firewall/exclusion changes is easier but can be prone to false positives from legitimate admin activity.

Required Log Sources

• Windows Event Logs (Security, System)
• Microsoft-Windows-Windows Defender/Operational
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 6 (Driver Loaded)
• Sysmon Event ID 12/13/14 (Registry Event)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Attackers are adding broad exclusions to Microsoft Defender to hide malicious activity.	PowerShell execution logs (Event ID 4104) or Registry modifications targeting HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions.	Defense Evasion	Medium
Threat actors are loading known vulnerable drivers to terminate security processes.	Driver load events (Sysmon Event ID 6) checking hashes against known vulnerable driver lists (e.g., LOLDrivers).	Defense Evasion	Low

Control Gaps

• Lack of EDR Tamper Protection
• Permissive Driver Signature Enforcement allowing legacy vulnerable drivers

Key Behavioral Indicators

• PowerShell commands containing 'Add-MpPreference' or 'Set-MpPreference'
• Unexpected creation of Windows Firewall rules blocking EDR executables
• Execution of msiexec.exe from user download directories

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider reviewing current Microsoft Defender exclusions for overly broad paths (e.g., C:\Windows) or extensions.
• Evaluate whether EDR tamper protection is enabled and configured to prevent unauthorized uninstallation.

Infrastructure Hardening

• Consider implementing Microsoft's Vulnerable Driver Blocklist to prevent known vulnerable drivers from loading.
• Evaluate restricting administrative privileges to prevent unauthorized software installation and firewall modifications.

User Protection

• If supported by your tooling, consider blocking the execution of MSI files from user profile directories like Downloads.

Security Awareness

• Consider training IT staff on the risks of using rogue RMM tools and the importance of verifying software sources.

MITRE ATT&CK Mapping

• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1562.004 - Impair Defenses: Disable or Modify System Firewall
• T1068 - Exploitation for Privilege Escalation
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1218.007 - System Binary Proxy Execution: Msiexec

Additional IOCs

• Registry Keys:
  • HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.dll - Registry key modified by attackers to add a Defender exclusion for DLL files.
• File Paths:
  • \Device\HarddiskVolume3\Windows\System32\drivers\TrueSight.sys - Path where the vulnerable TrueSight driver was loaded.
  • C:\Users\mig.rdp.exe - Path to the Trojan:BAT/AVKill!rfn executable.
• Command Lines:
  • Purpose: Add Microsoft Defender exclusions for web server directories | Tools: powershell.exe | Stage: Defense Evasion
  • Purpose: Add broad Microsoft Defender exclusions for the C: drive | Tools: powershell.exe | Stage: Defense Evasion | Set-MpPreference -ExclusionPath C:\Windows
  • Purpose: Install rogue RMM via malicious MSI | Tools: msiexec.exe | Stage: Execution | msiexec.exe /i
  • Purpose: Silent uninstallation of the Huntress EDR agent | Tools: cmd.exe, uninstall.exe | Stage: Defense Evasion | Uninstall.exe" /S