attack process or infographics on EDR software

A new attack technique has emerged where cybercriminals exploit free trials of Endpoint Detection and Response (EDR) software to disable existing security measures on compromised systems. This method, known as BYOEDR (Bring Your Own EDR), represents a troubling evolution in defense evasion tactics, using legitimate security tools against themselves.


Exploiting EDR Trial Programs

Researchers Mike Manrod and Ezra Woods discovered that threat actors can obtain free trials of EDR products to neutralize competing security solutions already in place. In their tests, they demonstrated how Cisco Secure Endpoint (AMP) could be installed to disable both CrowdStrike Falcon and Elastic Defend without triggering alerts.


The process involves several steps: attackers gain local administrator privileges, register for free EDR trials, download the agent installer, and deploy it on the target system. They then access the EDR console to remove exclusions from the “Protect” policy for Windows and add the target EDR process's SHA256 hash to the “Blocked Application List.”
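As an added example that is not from the article or the researchers' work, the following Python sketch shows the defender's side: it runs over constructed, simplified Windows Service Control Manager records and flags the two signals a BYOEDR deployment leaves behind, a second vendor's EDR service being installed and the sanctioned EDR service stopping. The record format, the approved-agent list and the service-name strings are assumptions.

```python
import re

# Agents this organisation has sanctioned on its endpoints (assumption).
APPROVED_AGENTS = {"CrowdStrike Falcon Sensor Service"}

# Service names of EDR/AV products (strings are assumptions), so a second vendor's agent stands out.
KNOWN_EDR_SERVICES = APPROVED_AGENTS | {"Cisco Secure Endpoint", "Elastic Agent"}

# Constructed, simplified System-log records: "<host> <event_id> <message>".
# 7045 = a service was installed, 7036 = service state change (Service Control Manager).
SAMPLE_LOG = """\
ws01 7045 A service was installed in the system. Service Name: Cisco Secure Endpoint
ws01 7036 The CrowdStrike Falcon Sensor Service service entered the stopped state.
ws02 7045 A service was installed in the system. Service Name: Backup Helper
ws02 7036 The Print Spooler service entered the stopped state.
"""

INSTALL_RE = re.compile(r"Service Name: (.+)$")
STOP_RE = re.compile(r"The (.+) service entered the stopped state\.$")

def analyse(log_text: str) -> list[tuple[str, str, str]]:
    """Return (host, reason, service) findings: an unsanctioned EDR service
    installed, or an approved EDR service stopped. Either alone deserves a look."""
    findings = []
    for line in log_text.splitlines():
        host, event_id, message = line.split(" ", 2)
        if event_id == "7045":
            m = INSTALL_RE.search(message)
            name = m.group(1) if m else ""
            if name in KNOWN_EDR_SERVICES and name not in APPROVED_AGENTS:
                findings.append((host, "unsanctioned_edr_installed", name))
        elif event_id == "7036":
            m = STOP_RE.search(message)
            name = m.group(1) if m else ""
            if name in APPROVED_AGENTS:
                findings.append((host, "approved_edr_stopped", name))
    return findings

def byoedr_hosts(findings: list[tuple[str, str, str]]) -> set[str]:
    """Hosts showing both signals: new vendor agent appears, sanctioned agent goes quiet."""
    reasons: dict[str, set[str]] = {}
    for host, reason, _ in findings:
        reasons.setdefault(host, set()).add(reason)
    return {h for h, r in reasons.items()
            if {"unsanctioned_edr_installed", "approved_edr_stopped"} <= r}

if __name__ == "__main__":
    print(sorted(byoedr_hosts(analyse(SAMPLE_LOG))))  # ['ws01']
```

In production the same two signals would come from the sanctioned EDR's own tamper-protection telemetry or a SIEM rather than raw event-log text, and the install event alone is worth alerting on whenever the product is not one the organisation deploys.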