EDR Exposed: Security Tools Turned into Weapons

Shmuel Cohen, a specialist at SafeBreach, demonstrated that EDR (Endpoint Detection and Response) solutions can be utilized as tools for conducting attacks. In his research, Cohen analyzed an EDR system, identifying vulnerabilities that could potentially allow hackers to misuse such tools to inflict harm.

EDR systems, which operate with elevated privileges, are designed to protect devices from various threats, including malware. However, if compromised, these systems could provide attackers with persistent and covert access to the victims’ devices.

Cohen discovered that the behavior of the examined EDR system allowed bypassing file modification protection, enabling the execution of ransomware and even the loading of a vulnerable driver to prevent the EDR’s removal using an administrator’s password.

Furthermore, the researcher found a method to inject malicious code into one of the EDR processes, which would allow code execution with high privileges while remaining undetected. Cohen also exploited the ability to modify Lua and Python files, facilitating the execution of malicious code and gaining access to the machine with the highest system privileges.

Using a vulnerable driver, Cohen was able to read and write to the system kernel, enabling him to alter the password verification in the EDR management, allowing any password to be used, or even blocking the software’s removal if it was disconnected from the management server.

This study highlights that attacks on EDR solutions can provide cybercriminals with powerful capabilities that are likely to go unnoticed. Cohen notes that security products must rigorously protect the logic of detection processes, encrypt, and digitally sign content files to prevent their alteration. Additionally, processes should be added to allowlists or blocklists based on multiple parameters that should not be alterable by an attacker.

Palo Alto Networks responded to Cohen’s findings by updating their protective mechanisms and advising users to ensure their systems are up to date. Cohen shared his research with the public to raise awareness about such threats and strengthen security measures in organizations.