Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV…

Summary:
This article discusses the ongoing use of EDR tools by ransomware groups, particularly focusing on the Conti affiliate ecosystem and the prevalent MITRE ATT&CK technique T1562.001, which involves disabling or modifying security tools. The research highlights various tools and methods employed by these groups, along with detection opportunities and vulnerabilities that can be exploited.
#RansomwareDetection #EDRTools #ContiAffiliates

Keypoints:

Ransomware groups continue to utilize EDR tools like EDRSandBlast and EDRSilencer.

The MITRE ATT&CK technique T1562.001 is the most common among the top 20 ransomware groups.

Conti affiliates have been active since March 2022 and are involved in various rebranded groups.

Research indicates multiple ways to disable or modify security solutions.

Detection opportunities include monitoring Windows events and specific command executions.

Tools like Terminator exploit vulnerabilities in security software to disable them.

Several hashes and file names are associated with malicious activities and tools used by these groups.

MITRE Techniques

Impair Defenses: Disable or Modify Tools (T1562.001): Ransomware groups disable or modify security tools to evade detection.

IoC:

[IP Address] 172.64.149.23

[File Name] EDRSilencer.exe

[File Hash] 721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7

[File Name] DisablerNew.exe

[File Hash] d5a1f90dc5c9717b3f900c91a6cdccc20e56e6f1d20f24170189260e8dde7608

[File Name] trevor

[File Hash] 8dff18f10c857dd3eeb5511f5724da0ab1d9e411044aea27f6de23ee33f798c8

[File Name] WNBIOS.sys

[File Hash] 6106D1CE671B92D522144FCD3BC01276A975FE5D5B0FDE09CA1CCA16D09B7143

Full Research: https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-av-d882c290a393

Tags: EDR, WINDOWS, EXPLOIT