October 11, 2024
EDR – Tampering by attackers
Problem
- EDR is deployed on all my server machines.
- EDR solutions are tampered with in nearly all ransomware and APT attacks (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
- Disabling or blinding the EDR is one of the first steps attackers take to hide their actions.
- One good example is the Spyboy EDR killer (Terminator):
- https://github.com/ZeroMemoryEx/Terminator
- Living off the land drivers (LOLDrivers) – https://www.loldrivers.io/
- Develop rules for ransomware TTPs in your SIEM, based on the relevant log sources, for example to detect internal recon, discovery, lateral movement, data exfiltration or C2 traffic.
- https://detect.fyi/edr-your-weakest-link-in-protecting-against-a-ransomware-attack-14a8cd1ae389
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
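As an added illustration of the SIEM-rule idea above (this is not code from the original note or from any of the linked projects), the following Python script runs a few T1562.001 checks over constructed Windows-style log lines: EDR service control via sc/net, EDR process kills via taskkill, loads of a block-listed driver, and kernel drivers loaded from user-writable paths. The key=value log format, the service and process names, the placeholder driver hash and the path list are all assumptions; in practice the names come from your EDR vendor and the hash list from LOLDrivers.

```python
"""Toy T1562.001 detector over constructed log lines (added example, not the note's own code)."""
import re
from typing import Dict, List, Tuple

# Assumed EDR service/process names (lower-case); replace with your vendor's real names.
EDR_SERVICES = {"sense", "exampleedrsvc"}
EDR_PROCESSES = {"mssense.exe", "exampleedr.exe"}

# Constructed placeholder standing in for a LOLDrivers block-list SHA256 entry (not a real hash).
BLOCKED_DRIVER_SHA256 = {"00" * 31 + "01"}

# Locations from which a kernel driver should never be loaded on a hardened server (assumption).
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")

# key=value parser; values may be double-quoted so that command lines keep their spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sc/net stop|delete|config|pause <service>
SVC_CTL_RE = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|delete|config|pause)\s+(\S+)", re.I)
# taskkill ... /IM <image>
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sha256_of(ev: Dict[str, str]) -> str:
    """Extract the SHA256 from a Sysmon-style 'Hashes=SHA256=...,MD5=...' field."""
    parts = (p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    return {k.upper(): v.lower() for k, v in parts}.get("SHA256", "")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for tampering indicators found in one event."""
    alerts: List[Tuple[str, str]] = []
    eid = ev.get("EventID")
    if eid in ("1", "4688"):  # process creation (Sysmon EID 1 / Security 4688)
        cmd = ev.get("CommandLine", "")
        m = SVC_CTL_RE.search(cmd)
        if m and m.group(1).lower() in EDR_SERVICES:
            alerts.append(("edr_service_control", m.group(1)))
        m = TASKKILL_RE.search(cmd)
        if m and m.group(1).lower() in EDR_PROCESSES:
            alerts.append(("edr_process_kill", m.group(1)))
    elif eid == "6":  # Sysmon driver load
        path = ev.get("ImageLoaded", "")
        if sha256_of(ev) in BLOCKED_DRIVER_SHA256:
            alerts.append(("blocked_vulnerable_driver", path))
        if is_user_writable(path):
            alerts.append(("driver_from_user_writable_path", path))
    elif eid == "7045" and "kernel" in ev.get("ServiceType", "").lower():  # new kernel driver service
        path = ev.get("ImagePath", "")
        if is_user_writable(path):
            alerts.append(("kernel_driver_service_from_user_writable_path", path))
    return alerts


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Run check_event over every line; yields (line index, technique, rule, detail)."""
    findings = []
    for i, line in enumerate(lines):
        for rule, detail in check_event(parse_event(line)):
            findings.append((i, "T1562.001", rule, detail))
    return findings


# Constructed sample log: one benign query, the rest tampering indicators.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\sc.exe CommandLine="sc stop Sense" User=CORP\\admin',
    'EventID=1 Image=C:\\Windows\\System32\\sc.exe CommandLine="sc query Sense" User=CORP\\admin',
    'EventID=4688 CommandLine="taskkill /F /IM MsSense.exe" User=CORP\\admin',
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\drv.sys Hashes=SHA256=" + "00" * 31 + "01" + " Signed=true",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=" + "ab" * 32 + " Signed=true",
    'EventID=7045 ServiceName=svc_tmp ImagePath=C:\\Windows\\Temp\\drv.sys ServiceType="kernel mode driver"',
]

if __name__ == "__main__":
    for idx, technique, rule, detail in scan(SAMPLE_LOG):
        print(f"line {idx}: {technique} {rule} -> {detail}")
```

The same checks map directly onto SIEM rules: the command-line regexes become process-creation rules, the hash check becomes a lookup against a driver block list, and the path check becomes a driver-load rule keyed on user-writable directories. Tune the service and process name sets to your EDR before deploying, otherwise the rules fire only on the assumed names.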
TODO – Playbook to respond to this alert when it is detected.