Hackers Exploit Free EDR Trials to Disable Existing Security Protections

Cybersecurity researchers have identified a novel attack method where cybercriminals leverage free trials of Endpoint Detection and Response (EDR) software to deactivate existing security measures on compromised systems. This technique, termed Bring Your Own EDR (BYOEDR), signifies a troubling advancement in defense evasion strategies, utilizing legitimate security tools against themselves.

Understanding the BYOEDR Attack Methodology

The BYOEDR approach was first detailed by researchers Mike Manrod and Ezra Woods. They discovered that attackers can register for free trials of EDR products and deploy them to neutralize other security solutions already present on target systems. In their experiments, they demonstrated how Cisco Secure Endpoint (AMP) could be installed and configured to disable both CrowdStrike Falcon and Elastic Defend without triggering alerts or generating telemetry, aside from the host appearing offline.

The technical process involves several critical steps:

1. Obtaining Local Administrator Privileges: Attackers first gain administrative access to the target system.

2. Registering for Free EDR Trials: They sign up for free trials of EDR software, such as Cisco Secure Endpoint.

3. Deploying the EDR Agent: The attacker downloads and installs the EDR agent on the compromised system.

4. Modifying EDR Policies: Within the EDR management console, the attacker navigates to the Protect policy for Windows and removes all exclusions from the Exclusions tab.

5. Blocking Existing Security Applications: The attacker identifies the SHA256 hash of the target EDR process and adds it to the Blocked Application List through the Outbreak Control > Blocked Application interface.

This method is particularly dangerous because it can bypass the tamper protection mechanisms designed to prevent unauthorized modifications to security software. Unlike more complex evasion techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or DLL unhooking, BYOEDR is a low-complexity approach that remains highly effective.

The Broader Context of EDR Exploitation

The emergence of BYOEDR aligns with a broader trend of attackers exploiting legitimate tools for malicious purposes. For instance, ransomware groups have been known to use EDR killers to disable endpoint protection systems. In some cases, these EDR killers are not even malware but legitimate software tools repurposed by cybercriminals. This tactic allows attackers to evade detection, as the tools they use are recognized as legitimate and trusted by security systems.

Furthermore, the increasing abuse of Remote Monitoring and Management (RMM) tools has been documented, with a 70% year-over-year increase in such activity reported in 2024. The legitimacy of these tools makes them particularly effective for malicious purposes, as they carry valid certificates and a trusted status that reduce the likelihood of detection.

Mitigation Strategies

To defend against BYOEDR and similar attack vectors, organizations should consider implementing the following measures:

1. Application Control Measures: Restrict the installation of unauthorized software by implementing strict application control policies.

2. Custom Indicators of Attack (IOAs): Develop and deploy custom IOAs to detect suspicious activities related to EDR installations and configurations.

3. Application-Aware Firewalls: Utilize firewalls capable of recognizing and blocking unauthorized EDR and RMM installations.

4. Fundamental Security Practices: Maintain proper network segmentation, harden host systems, apply regular patches, and limit local administrator privileges to reduce the attack surface.
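As an illustration of the second measure (custom detections for unexpected EDR installations), the following script is an added example written for this article; it is not code from the researchers or from any EDR vendor. It flags service and MSI installation records that match a known EDR or RMM product family other than the organization's approved agent, and escalates when the approved agent's console reports the same host offline shortly afterwards, which the article notes is the only visible side effect of the technique. Assumptions: Windows event IDs 7045 (Service Control Manager, service installed) and 11707 (MsiInstaller, installation completed) as the install sources, the product-keyword table, the approved-agent name, and all sample events are constructed for the example and would be replaced with the organization's own inventory and log pipeline.

```python
"""Added example: detect installation of endpoint-security or remote-management
agents that are not on an approved list, then correlate with the approved
agent going offline. Event IDs, keyword table and sample records are assumed /
constructed for illustration, not taken from the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set, Tuple

# Hypothetical approved agent: the only endpoint protection this fleet should run.
APPROVED_AGENTS = {"crowdstrike"}

# Install-type events to inspect (assumption: 7045 = service installed,
# 11707 = MSI installation completed).
INSTALL_EVENT_IDS = {7045, 11707}

# Keywords identifying EDR / RMM product families (constructed for the example).
AGENT_KEYWORDS = {
    "crowdstrike": ("csagent", "crowdstrike", "falcon"),
    "cisco_secure_endpoint": ("ciscoamp", "cisco secure endpoint"),
    "elastic_defend": ("elastic-agent", "elastic endpoint", "elastic defend"),
    "rmm_generic": ("anydesk", "teamviewer", "screenconnect"),
}


@dataclass(frozen=True)
class WinEvent:
    ts: datetime
    event_id: int
    host: str
    detail: str  # service/product name plus image path as logged


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    family: str
    event_id: int
    detail: str


def classify(detail: str) -> Optional[str]:
    """Map an install record to a product family, or None if it is not an agent."""
    d = detail.lower()
    for family, words in AGENT_KEYWORDS.items():
        if any(w in d for w in words):
            return family
    return None


def detect_unapproved_agents(events: Iterable[WinEvent]) -> List[Finding]:
    """Return one finding per install event for an agent family not approved."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id not in INSTALL_EVENT_IDS:
            continue
        family = classify(ev.detail)
        if family is not None and family not in APPROVED_AGENTS:
            findings.append(Finding(ev.ts, ev.host, family, ev.event_id, ev.detail))
    return findings


def correlate_with_offline(
    findings: Iterable[Finding],
    offline_alerts: Iterable[Tuple[str, datetime]],
    window: timedelta = timedelta(minutes=30),
) -> Set[str]:
    """Hosts where the approved agent went offline within `window` after an
    unapproved install: the sequence the article describes, so escalate these."""
    alerts = list(offline_alerts)
    escalated: Set[str] = set()
    for f in findings:
        for host, lost_at in alerts:
            if host == f.host and f.ts <= lost_at <= f.ts + window:
                escalated.add(host)
    return escalated


# Constructed sample records (not real telemetry).
T0 = datetime(2025, 1, 15, 10, 0)
SAMPLE_EVENTS = [
    WinEvent(T0, 7045, "HOST-A", "CSAgent c:\\windows\\system32\\drivers\\csagent.sys"),
    WinEvent(T0 + timedelta(minutes=5), 7045, "HOST-B", "CiscoAMP connector service"),
    WinEvent(T0 + timedelta(minutes=6), 11707, "HOST-B",
             "Product: Cisco Secure Endpoint -- Installation completed successfully"),
    WinEvent(T0 + timedelta(minutes=7), 7045, "HOST-C", "Spooler c:\\windows\\system32\\spoolsv.exe"),
    WinEvent(T0 + timedelta(minutes=20), 7045, "HOST-C", "AnyDesk Service C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"),
    WinEvent(T0 + timedelta(minutes=21), 4688, "HOST-C", "New process: notepad.exe"),
]
# Constructed "sensor offline" alerts from the approved agent's console: (host, time lost).
SAMPLE_OFFLINE = [
    ("HOST-B", T0 + timedelta(minutes=15)),
    ("HOST-C", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    found = detect_unapproved_agents(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts:%H:%M} {f.host} event {f.event_id}: unapproved agent family {f.family}: {f.detail}")
    for host in sorted(correlate_with_offline(found, SAMPLE_OFFLINE)):
        print(f"ESCALATE {host}: approved agent went offline shortly after the install")
```

On the sample data the approved agent on HOST-A produces no finding, the two Cisco Secure Endpoint install records on HOST-B and the AnyDesk service on HOST-C are flagged, and only HOST-B is escalated, because its approved-agent offline alert falls inside the 30-minute window after the install while HOST-C's does not.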

Additionally, EDR vendors are encouraged to strengthen validation processes for free trials and implement safeguards to prevent agent hijacking between different tenants of the same product.

Conclusion

The BYOEDR technique underscores the evolving nature of cyber threats, where attackers increasingly exploit legitimate tools to achieve their objectives. Organizations must remain vigilant and adapt their security strategies to address these sophisticated attack methods, ensuring that their defenses are robust against both traditional and emerging threats.