October 11, 2024

EDR – Tampering by attackers

By venkat

Problem

  • EDR on all my server machines
  • EDR solutions are tampered with in nearly all ransomware and APT attacks (MITRE ID: T1562.001).
  • Disabling the EDR is one of the first steps attackers take to hide their actions.
  • One good example is the Spyboy EDR Killer:
  • https://github.com/ZeroMemoryEx/Terminator
  • Living off the land drivers (LOLDrivers) – https://www.loldrivers.io/
  • Develop rules for ransomware TTPs in your SIEM, based on the relevant log sources, for example to detect internal recon, discovery, lateral movement, data exfiltration or C2 traffic.
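As an added example (not from the original post or from any of the tools linked above), the following Python script sketches what SIEM rules for T1562.001 look like when run over normalised Windows event records: a Sysmon driver-load event (ID 6) checked against a vulnerable-driver watchlist and against user-writable paths, a Service Control Manager stop event (System ID 7036) for the EDR service, and process-creation events (Security 4688 / Sysmon 1) whose command line stops the EDR service, kills its process or disables Defender real-time protection. The EDR service/process names, the driver SHA256 value and all sample events are constructed placeholders; in practice the hashes would come from a feed such as loldrivers.io and the names from your EDR vendor's documentation, and the field names assume a normaliser that keeps Sysmon/EventData field names as-is.

```python
"""Toy SIEM-style detection of EDR tampering (MITRE ATT&CK T1562.001).

Events are normalised Windows log records (dicts).  The watchlists and the
sample events are CONSTRUCTED placeholders for this example; in production
the driver hashes come from a vulnerable-driver feed (e.g. loldrivers.io)
and the service/process names from the EDR vendor.
"""
import re
from typing import Dict, Iterable, List

TECHNIQUE = "T1562.001"  # Impair Defenses: Disable or Modify Tools

# Assumption: placeholder names for the EDR agent's service and process.
EDR_SERVICES = {"exampleedrsvc"}
EDR_PROCESSES = {"exampleedragent.exe"}
# Assumption: placeholder SHA256 standing in for a LOLDrivers watchlist entry.
VULNERABLE_DRIVER_SHA256 = {"0" * 63 + "1"}

# Driver loaded from a user-writable location is suspicious regardless of hash.
USER_WRITABLE = re.compile(r"\\(temp|users|programdata|downloads)\\", re.I)
# Service control / process kill / Defender disable command-line patterns.
SERVICE_STOP = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net1?(?:\.exe)?\s+stop)\s+(?P<svc>\S+)", re.I)
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<proc>\S+)", re.I)
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true|DisableAntiSpyware", re.I)


def _sha256(hashes: str) -> str:
    """Pull the SHA256 out of Sysmon's 'SHA1=..,SHA256=..,MD5=..' field."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per event that matches a T1562.001 rule."""
    alerts = []
    for ev in events:
        eid, chan = ev.get("event_id"), ev.get("channel", "")
        sysmon = chan.startswith("Microsoft-Windows-Sysmon")
        rule = None
        if sysmon and eid == 6:  # driver loaded
            image = ev.get("ImageLoaded", "")
            if _sha256(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
                rule = "vulnerable_driver_load"
            elif USER_WRITABLE.search(image):
                rule = "driver_from_user_path"
        elif chan == "System" and eid == 7036:  # SCM: service state change
            # Assumption: param1 = service display name, param2 = new state.
            if (ev.get("param1", "").lower() in EDR_SERVICES
                    and ev.get("param2", "").lower() == "stopped"):
                rule = "edr_service_stopped"
        elif (chan == "Security" and eid == 4688) or (sysmon and eid == 1):
            cmd = ev.get("CommandLine", "")
            m_svc, m_kill = SERVICE_STOP.search(cmd), TASKKILL.search(cmd)
            if m_svc and m_svc.group("svc").lower() in EDR_SERVICES:
                rule = "service_control_edr"
            elif m_kill and m_kill.group("proc").lower() in EDR_PROCESSES:
                rule = "taskkill_edr"
            elif DEFENDER_OFF.search(cmd):
                rule = "defender_disabled"
        if rule:
            alerts.append({"technique": TECHNIQUE, "rule": rule,
                           "host": ev.get("host"), "user": ev.get("user"),
                           "event_id": eid})
    return alerts


SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Constructed sample events: two benign records interleaved with tampering.
SAMPLE_EVENTS = [
    {"host": "srv01", "user": "SYSTEM", "channel": SYSMON, "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "ab" * 32},                       # benign driver
    {"host": "srv01", "user": "CORP\\admin", "channel": SYSMON, "event_id": 6,
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA1=..,SHA256=" + "0" * 63 + "1"},          # watchlisted driver
    {"host": "srv01", "channel": "System", "event_id": 7036,
     "param1": "ExampleEdrSvc", "param2": "stopped"},       # EDR service stopped
    {"host": "srv01", "channel": "System", "event_id": 7036,
     "param1": "Spooler", "param2": "stopped"},             # benign service stop
    {"host": "srv02", "user": "CORP\\admin", "channel": "Security",
     "event_id": 4688, "CommandLine": "sc.exe stop ExampleEdrSvc"},
    {"host": "srv02", "user": "CORP\\admin", "channel": "Security",
     "event_id": 4688, "CommandLine": "taskkill /f /im ExampleEdrAgent.exe"},
    {"host": "srv02", "user": "CORP\\admin", "channel": SYSMON, "event_id": 1,
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the technique ID so the playbook in the TODO below can be keyed on it; the watchlist-and-path approach for drivers is what catches a LOLDriver that has been renamed, since the hash and the drop location are checked independently of the file name.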

TODO – Playbook to respond to this alert when detected.