Cybersecurity researchers have uncovered a concerning new attack vector dubbed “BYOEDR” (Bring Your Own EDR) where threat actors are exploiting free trials of Endpoint Detection and Response (EDR) tools to disable legitimate security protections on target systems.
This innovative approach represents a significant evolution in EDR evasion techniques, allowing attackers to use one security product to neutralize another without generating typical alerts.
The research, conducted by cybersecurity experts Ezra Woods and Mike Manrod at BSides Albuquerque, demonstrates how attackers can leverage free EDR trials to circumvent existing security measures.
The technique was first brought to attention by security researcher BushidoToken, who coined the term BYOEDR and alerted the community that threat actors were actively abusing EDR products in the wild.

In their testing, the researchers found that Cisco Secure Endpoint (AMP) could be installed via free trial and used to disable both CrowdStrike Falcon and Elastic Defend without generating any alerting or telemetry, aside from the host going offline.
The attack is accomplished by removing exclusions from the attacker-controlled EDR instance and then adding the hash of the existing security software as a blocked application.
What makes this technique particularly dangerous is that it can bypass tamper protection mechanisms that are typically enabled on production EDR deployments.
Unlike traditional EDR evasion methods that rely on vulnerable drivers (BYOVD) or DLL-unhooking techniques, this approach uses legitimate, signed security software that is inherently trusted by the system.
Rising Security Tool Abuse
This discovery fits into a larger trend of attackers weaponizing legitimate administrative tools for malicious purposes. Key developments include:
- RMM Tool Abuse Surge: According to the 2024 CrowdStrike Threat Hunting Report, remote monitoring and management (RMM) tool abuse has increased by 70% year-over-year, with RMM exploitation accounting for 27% of all hands-on-keyboard intrusions.
- Threat Actor Adoption: Threat actors including CHEF SPIDER (eCrime) and STATIC KITTEN (Iran-nexus) are increasingly using legitimate tools like ConnectWise ScreenConnect for endpoint exploitation.
- Industry-Wide Impact: Arctic Wolf reported that RMM tools were involved in 36% of their investigated cases, while Cofense found ConnectWise ScreenConnect in 56% of observed RMM abuse scenarios.
- EDR Weaponization: Researchers have documented the abuse of EDR and antivirus products themselves, with techniques like the “Aikido” wiper that can trick security products into deleting critical system files.
- Advanced Evasion Tools: Recent investigations have uncovered threat actors using tools like “disabler.exe” based on the EDRSandBlast framework to bypass various EDR agents.
Technical Implementation
According to the report, the BYOEDR attack requires local administrator access on the target system, positioning it after the initial access and privilege escalation phases of an attack.
The researchers provided detailed reproduction steps, which involve registering for a free Cisco AMP trial, installing the agent on the target machine, removing all exclusions from the policy, identifying the SHA256 hash of the target EDR process, and adding it to the blocked applications list.
The technique can take anywhere from 15 minutes to an hour to propagate to the endpoint, depending on the EDR’s update cycle.
For at least one vendor (ESET), researchers found it was possible to install an attacker-controlled instance and hijack the agent away from an existing legitimate installation.
To defend against these attacks, security professionals recommend implementing application control measures, custom Indicators of Attack (IOAs), and application-aware firewalls to block unauthorized RMM/AV/EDR tools.
Organizations should also focus on proper network segmentation, host and Active Directory hardening, regular patching, and limiting local administrator privileges through tools like LAPS (Local Administrator Password Solution).
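As an added example of the custom-IOA style check recommended above (not code from the researchers' talk or the report), the script below scans Windows service-install events (System log ID 7045) and flags any endpoint-security or RMM agent whose binary is not the organisation's approved EDR. The log lines, service names, paths and vendor patterns are constructed for illustration.

```python
"""Flag installation of endpoint-security/RMM agents that are not the approved EDR.
Detection sketch for the BYOEDR scenario; all sample data below is constructed."""
import re

# The one agent that is allowed to run; anything else that looks like a
# security product or remote-management agent is suspect. (Assumed path.)
APPROVED_IMAGE_PATTERN = re.compile(r"\\CrowdStrike\\CSFalconService\.exe$", re.I)

# Substrings that identify endpoint security / RMM agents (constructed, non-exhaustive).
SECURITY_AGENT_PATTERNS = [
    re.compile(p, re.I) for p in (
        r"\\Cisco\\AMP\\", r"sfc\.exe", r"\\Elastic\\Endpoint\\", r"elastic-endpoint",
        r"\\ESET\\", r"ekrn\.exe", r"ScreenConnect", r"\\CrowdStrike\\",
    )
]

# Constructed log lines in the shape of a flattened Windows event 7045 (service installed).
SAMPLE_LOG = """\
2024-06-03T10:01:12Z host=WS-042 EventID=7045 ServiceName=CSFalconService ImagePath="C:\\Program Files\\CrowdStrike\\CSFalconService.exe"
2024-06-03T10:15:44Z host=WS-042 EventID=7045 ServiceName=CiscoAMP ImagePath="C:\\Program Files\\Cisco\\AMP\\8.4.1\\sfc.exe"
2024-06-03T10:16:02Z host=WS-042 EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"
2024-06-03T11:20:30Z host=WS-077 EventID=7045 ServiceName=ekrn ImagePath="C:\\Program Files\\ESET\\ESET Security\\ekrn.exe"
"""

LINE_RE = re.compile(r'host=(\S+) EventID=7045 ServiceName=(\S+) ImagePath="([^"]+)"')

def find_unapproved_agents(log_text: str) -> list[tuple[str, str, str]]:
    """Return (host, service, image) for each service-install event whose binary
    looks like a security/RMM agent but is not the approved EDR."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a service-install event
        host, service, image = m.groups()
        if APPROVED_IMAGE_PATTERN.search(image):
            continue                      # the sanctioned agent itself
        if any(p.search(image) for p in SECURITY_AGENT_PATTERNS):
            findings.append((host, service, image))
    return findings

if __name__ == "__main__":
    for host, service, image in find_unapproved_agents(SAMPLE_LOG):
        print(f"ALERT {host}: unapproved security/RMM agent service {service} -> {image}")
```

In production the same logic would run over the SIEM's 7045/4697 feed and feed an IOA that also blocks the installer, rather than only alerting.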
The research underscores that simply running an EDR agent is not sufficient protection if adversaries can exploit the security tools themselves.
As threat actors continue to evolve their tactics, defenders must adopt a more comprehensive security posture that assumes security tools may be compromised and plan accordingly for such scenarios.