EDR Telemetry Blocker via Person-in-the-Middle Network Filtering Attacks
EDR Telemetry Blocker
Blocks EDR telemetry by performing a Person-in-the-Middle attack in which network filtering is applied using iptables. The destination IP addresses to block are identified from the server name in the TLS Client Hello packet, which is matched against the list of blocked server names (or blocked strings) provided in a file.
The Python Scapy library supports parsing TLS handshakes, including SNI, and it appears to offer better performance than iptables string matching, even though Scapy operates in user mode rather than kernel mode. The library cannot drop packets, so the idea is to parse the SNI in the Client Hello packets and check it against a wordlist. If a match is found, iptables is updated with a more efficient rule to drop packets based on their destination IP address. We tested Scapy running in asynchronous sniffing mode and observed no packet loss, even during 4K video streaming. When the tool is terminated, it flushes the iptables rules that were created.
Scapy can generate custom packets, including ARP Reply. Therefore, we could embed ARP spoofing functionality within the same code. The tool takes the target host IP address(es) and the gateway IP address, and sends spoofed ARP replies to the target(s) to impersonate the gateway and perform a PitM attack. When the tool is terminated, it sends correct ARP replies to the target to restore the poisoned ARP table.
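A defender-side check for the gateway impersonation described above, as an added example that is not part of the original tool: it parses ARP replies and flags any that bind the gateway IP to a MAC other than a pinned known-good one. The gateway IP, the MAC addresses and the three sample frames are constructed for illustration.

```python
import struct

# Assumed, constructed values: the gateway IP and its pinned known-good MAC.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"

# Constructed sample frames (Ethernet + ARP reply), not captured traffic.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # 0: genuine gateway reply to host 192.168.1.10
    "aaaaaaaaaa10aaaaaaaaaa01" "0806" "0001080006040002"
    "aaaaaaaaaa01c0a80101" "aaaaaaaaaa10c0a8010a",
    # 1: reply claiming the gateway IP from a different MAC
    "aaaaaaaaaa10aaaaaaaaaa66" "0806" "0001080006040002"
    "aaaaaaaaaa66c0a80101" "aaaaaaaaaa10c0a8010a",
    # 2: ordinary reply from the host to the gateway
    "aaaaaaaaaa01aaaaaaaaaa10" "0806" "0001080006040002"
    "aaaaaaaaaa10c0a8010a" "aaaaaaaaaa01c0a80101",
)]

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])

def find_gateway_spoofing(frames, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Flag ARP replies (opcode 2) that bind the gateway IP to an unexpected MAC."""
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, target_ip = parsed
        if op == 2 and sender_ip == gateway_ip and sender_mac != gateway_mac.lower():
            alerts.append({"frame": n, "claimed_mac": sender_mac, "sent_to": target_ip})
    return alerts

if __name__ == "__main__":
    for alert in find_gateway_spoofing(SAMPLE_FRAMES):
        print(alert)
```

Because the tool sends correct ARP replies on exit, the mismatch disappears once it stops, so the check has to run continuously rather than as a point-in-time audit of ARP tables.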
Some other functionality is also present:
- Packet forwarding check – verifies that packet forwarding is enabled on the attacker machine, i.e. checks with `sysctl -n net.ipv4.ip_forward`
- Monitor mode – it does not create an iptables rule when the SNI contains a blocked entry
- Verbose mode – outputs all server names seen in Client Hello packets
- Input file – takes the path of a file containing a wordlist to match against the SNI server name in a TLS handshake
Microsoft Defender for Endpoint or Windows initiates TLS handshakes regularly when communicating with the remote API. Based on our observations, we have created the following word list to be used to block server names:
- events.data.microsoft.com
- wd.microsoft.com
- wdcpalt.microsoft.com
- wdcp.microsoft.com
- blob.core.windows.net
- winatp-gw-cus
- automatedirstrprdcus
- endpoint.security.microsoft.com
- smartscreen.microsoft.com
Blocking TLS connections to these server names should not impact other Microsoft services, such as Teams, Outlook, or O365, but you should always test this before you use the tool. Any events or alerts that occur while the cloud servers are unreachable will be cached locally. However, the local cache is cleared upon reboot, resulting in a loss of visibility.
Copyright (c) 2024, Tier Zero Security Ltd