Cybersecurity researchers have uncovered a troubling new attack vector where threat actors are weaponizing free trials of endpoint detection and response (EDR) software to disable existing security tools — a phenomenon they’ve dubbed “EDR-on-EDR violence.”
Security researchers Ezra Woods and Mike Manrod documented the technique, in which an attacker uses one security product to systematically disable another. Their findings, published in a Medium post, demonstrate how easily cybercriminals can turn the trust placed in legitimate security software against enterprise defenders.
“It turns out that one of the ways to disable EDR is with a free trial of EDR,” the researchers wrote, highlighting the ironic nature of this emerging attack vector.
The technique exploits a fundamental assumption in cybersecurity: that legitimate security tools can be trusted. According to the researchers, an attacker signs up for a free trial of an EDR product, installs its agent on a compromised system on which they already hold local administrator privileges, and then configures the attacker-controlled security software to block the protection tools already present.
In their testing, Woods and Manrod found that Cisco Secure Endpoint could successfully disable both CrowdStrike Falcon and Elastic Defend without generating alerts or telemetry from the targeted systems. The compromised endpoints simply appeared to go offline, providing no indication to security teams that their protection had been deliberately sabotaged.
“This is accomplished by removing exclusions and then adding the hash of the existing AV/EDR as a blocked application,” the researchers explained in their analysis of the attack methodology.
More than simple sabotage
The research uncovered capabilities that extend far beyond basic EDR disruption. In at least one case involving ESET, the researchers discovered they could install an attacker-controlled instance that hijacked control from the legitimate installation. Some EDR products also include remote management features similar to those found in remote monitoring and management tools, opening additional attack vectors, including command shell access.
“Some EDR products have RMM-like features, with a wide range of abuse potential,” Woods and Manrod noted, warning that in extreme cases involving ESET, they found the ability to control full disk encryption through the compromised interface.
For at least some products, the attack works even when tamper protection, the feature specifically designed to prevent unauthorized modification of security tools, is enabled.
“What makes this vector interesting is that it can disable at least some products, even if tamper protection is enabled,” the researchers explained, noting that while the attack requires local administrator privileges, it is a lower-complexity approach than traditional EDR evasion techniques such as Bring Your Own Vulnerable Driver (BYOVD) attacks or DLL unhooking.
A growing trend
This EDR abuse fits a broader trend of legitimate-tool abuse that security teams are seeing across the threat landscape. The 2024 CrowdStrike Threat Hunting Report documented a 70% year-over-year increase in remote monitoring and management tool abuse, with RMM tool exploitation accounting for 27% of all hands-on-keyboard intrusions.
The research was sparked by observations from a security researcher known as BushidoToken, who posted on X about threat actors actively abusing certain EDR products and asked whether the behavior should become a MITRE ATT&CK sub-technique. That real-world intelligence suggests the technique is already being used beyond laboratory settings.
“These tools are legitimate, trusted, have a valid certificate — and as such, are far less likely to be detected,” the researchers noted, explaining the fundamental challenge facing defenders.
Detection challenges
The attack presents unique challenges for security teams because signature- and reputation-based detection may not fire at all. The attacking software carries a valid digital certificate and is recognized as legitimate security software, making it difficult to distinguish from an authorized installation.
“No obvious malicious activity is generated during the disabling process, and systems appear to simply go offline rather than showing clear signs of compromise,” the researchers added.
This creates a dangerous blind spot for security operations centers that rely on endpoint telemetry to monitor their environments. When an EDR agent stops reporting, the cause could be an ordinary shutdown, a network outage, or a deliberate takeover like this one, and the silenced agent itself can no longer tell the SOC which.
Woods and Manrod provided recommendations for organizations looking to defend against this attack vector. They suggested deploying application control to block installation of security software the organization has not sanctioned, and writing custom Indicators of Attack (IOA) rules to detect suspicious EDR installations. Application-aware firewalls and secure web gateways can block access to the trial and download portals of security vendors the organization does not use, they added.
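One way to hunt for this pattern in endpoint telemetry, as an added example and not code from the researchers or from any EDR vendor: correlate two signals per host, the installation of software from a security vendor that is not the organization's approved EDR, and the approved agent's heartbeat going silent shortly afterwards. The event schema, the vendor list, the heartbeat window and the log lines below are all constructed for the example; a real deployment would read installer and service-creation events and agent check-ins from the SIEM.

```python
"""Hunt for 'EDR-on-EDR' activity in (constructed) endpoint telemetry.

Signal 1: a security product from a vendor other than the approved EDR is
          installed on a host.
Signal 2: the approved EDR agent stops sending heartbeats within a short
          window after that install.
Both together are rated high; signal 1 alone is rated medium for triage.
"""
from datetime import datetime, timedelta

# Hypothetical organisation settings (assumptions for this example).
APPROVED_EDR_VENDOR = "CrowdStrike"
SECURITY_VENDORS = {"CrowdStrike", "Cisco", "ESET", "Elastic", "SentinelOne"}
SILENCE_WINDOW = timedelta(minutes=30)   # heartbeat expected at least this often

# Constructed sample events (not real logs):
# (timestamp, host, event kind, publisher-of-installed-package or "")
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "ws-17", "heartbeat", ""),
    ("2025-01-10T09:05:00", "ws-17", "heartbeat", ""),
    ("2025-01-10T09:06:30", "ws-17", "install", "Cisco"),      # trial EDR lands...
    # ...and ws-17 never checks in again.
    ("2025-01-10T09:00:00", "ws-22", "heartbeat", ""),
    ("2025-01-10T09:04:00", "ws-22", "install", "Adobe"),      # not a security vendor
    ("2025-01-10T09:10:00", "ws-22", "heartbeat", ""),
    ("2025-01-10T10:00:00", "ws-22", "heartbeat", ""),
    ("2025-01-10T09:00:00", "ws-31", "heartbeat", ""),
    ("2025-01-10T09:02:00", "ws-31", "install", "CrowdStrike"),  # approved vendor upgrade
    ("2025-01-10T09:08:00", "ws-31", "heartbeat", ""),
    ("2025-01-10T10:00:00", "ws-31", "heartbeat", ""),
    ("2025-01-10T09:03:00", "ws-40", "install", "ESET"),       # unapproved, agent still alive
    ("2025-01-10T09:30:00", "ws-40", "heartbeat", ""),
    ("2025-01-10T09:55:00", "ws-40", "heartbeat", ""),
]
NOW = datetime.fromisoformat("2025-01-10T10:00:00")  # time the hunt is run


def parse(raw_events):
    """Turn the tuples above into (datetime, host, kind, publisher)."""
    return [(datetime.fromisoformat(ts), host, kind, pub) for ts, host, kind, pub in raw_events]


def unauthorized_installs(events):
    """Signal 1: security-vendor software that is not the approved EDR."""
    return [(ts, host, pub) for ts, host, kind, pub in events
            if kind == "install" and pub in SECURITY_VENDORS and pub != APPROVED_EDR_VENDOR]


def last_heartbeat(events):
    """Most recent approved-agent heartbeat seen per host."""
    last = {}
    for ts, host, kind, _ in events:
        if kind == "heartbeat":
            last[host] = max(last.get(host, ts), ts)
    return last


def hunt(raw_events, now=NOW):
    """Correlate signal 1 with signal 2 and return findings sorted by host."""
    events = parse(raw_events)
    hb = last_heartbeat(events)
    findings = []
    for ts, host, pub in unauthorized_installs(events):
        last = hb.get(host)
        # Silent if no heartbeat arrived within SILENCE_WINDOW of the install
        # and enough time has since passed that one was due.
        no_checkin_after = last is None or last < ts + SILENCE_WINDOW
        overdue = (now - (last or ts)) > SILENCE_WINDOW
        silent = no_checkin_after and overdue
        findings.append({
            "host": host,
            "publisher": pub,
            "installed_at": ts.isoformat(),
            "last_heartbeat": last.isoformat() if last else None,
            "agent_silent": silent,
            "severity": "high" if silent else "medium",
        })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the hunt rates ws-17 high (Cisco installed, agent silent since 09:05) and ws-40 medium (ESET installed, agent still checking in); ws-22 and ws-31 produce nothing because the package is not from a security vendor or is the approved vendor. The medium finding still deserves a look: the researchers' ESET case shows a second instance can hijack a legitimate one without the agent necessarily disappearing.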
The researchers also provided detailed instructions for security teams to reproduce the attack in their own environments, emphasizing the importance of knowing how it looks in their own telemetry. They recommend running controlled tests on isolated systems, checking which existing security tools fail to detect it, and recording the resulting attack timeline and indicators for use in hunting.
“Finally, please try this at home. Test, hunt, and analyze how these vectors look in your environment and use this testing as your guide,” the researchers urged security teams.