Inspired by EDRSilencer which was inspired by the closed source tool FireBlock from MDSec NightHawk, I decided to explore ways to sever EDR comms. I found two techniques which are not reliable by any means across Operating Systems, or EDRs but were so simple I thought I’d talk about them. I’m not naming names on which EDRs these techniques worked on.

Disclaimer: My specialty is in Application & Cloud Security so this is an area I’m a total noob in.

1. Bring Your Own Firewall (BYOFW)

The idea with this technique is to set the system proxy, which can be set with user-level privileges, to a local HTTP CONNECT tunnel server where you can filter out the traffic back to the EDR server. I won’t go into the details of HTTP CONNECT but this CloudFlare blog is a good read if you want to learn more “A Primer on Proxies”.

In the age of AI, writing a working HTTP CONNECT server was as easy as knowing how to prompt the model. I have a working piece of C# code that sets the proxy, starts a listener, and filters out traffic to some hardcoded domains here DONTCONNECT

2. hosts

Yup. /etc/hosts. Same concept but requires admin privileges. Enter in an /etc/hosts entry for the EDR server to some blackhole address like localhost and soon enough your agent will be offline.

To quote the MDSec article, “At this point the operator has the freedom to operate without the concern of being detected.”. I’m sure there’s way more areas of research here with DNS poisoning, or some other clever tricks.

The end.