EDRPrison leverages a legitimate WFP callout driver, WinDivert, to effectively silence EDR systems. Drawing inspiration from tools like Shutter, FireBlock, and EDRSilencer, this project focuses on network-based evasion techniques.
Unlike its predecessors, EDRPrison installs and loads an external legitimate WFP callout driver instead of relying solely on the built-in WFP.
Additionally, it blocks outbound traffic from EDR processes by dynamically adding runtime filters without directly interacting with the EDR processes or their executables.
In summary, EDRPrison has the following key features and capabilities
- Legitimate WFP Callout Driver: Utilizes a legitimate WFP callout driver to enhance capabilities while maintaining a benign profile.
- EDR Process Detection: Searches for running EDR processes based on predefined process names.
- Packet Identification: Identifies packets originating from EDR processes.
- Dynamic Filter Addition: Dynamically adds WFP filters based on the source process of the packets.
- Non-Intrusive Approach: Avoids direct interaction with EDR processes and their executables, ensuring stealth and reducing the risk of detection.
Please refer to the article for more technical.
Components
Elevated privileges are required to run EDRPrison successfully. EDRPrison comprises the following three components:
- EDRPrison: They are the main program and its dependencies. Its first execution installs the WinDivert driver.
- WinDivert64.sys: This is the signed WFP callout driver.
- WinDivert.dll: A component of the WinDivert project.
Benefits And Improvements
EDRPrison offers several enhancements and improvements over its predecessors, making it a more robust and stealthy tool for network-based EDR evasion:
- Instead of adding static WFP filters to EDR process executables, EDRPrison dynamically adds runtime WFP filters based on the packets’ source process.
- Avoids obtaining a handle to EDR processes or EDR executables, reducing the risk of detection and interference with the EDR systems.
- By loading a legitimate WFP callout driver, EDRPrison extends its capabilities while maintaining a benign profile.
Known Issues
- Currently, EDRPrison is written in C#, requiring multiple files to be present on disk, which compromises stealth. I plan to reimplement it in C++ to allow the main program to be executed entirely in memory, enhancing its stealth capabilities.
- There is a delay between the program’s execution and the initial blocking of some EDR processes’ network connections.
- This delay could permit telemetry to be sent to cloud servers within the first few seconds.
- I am working on resolving this issue to ensure immediate interception and blocking.
- This delay could permit telemetry to be sent to cloud servers within the first few seconds.
Test Example
Due to the resources available to me, I have tested EDRPrison against Elastic Endpoint and Microsoft Defender for Endpoint (MDE) on my physical server so far.
Relevant processes for Elastic Endpoint and MDE are hardcoded in the source code. During the tests, neither the main program nor WinDivert was detected by the security systems.
I tested a few common malware samples, such as Mimikatz. These samples can still be detected because, even without internet connectivity, EDR systems retain basic detection capabilities such as hash-based signatures.
After executing the malware, the number of packets increased, indicating that they contained alert data.
For more information click here.