research poc
Detection Opportunities for EDR Silencer and EDRSandblast Tools Used by Ransomware GroupsEDR Silencer and EDRSandblast
This article details detection strategies for two tools, EDR Silencer and EDRSandblast, which are actively used by ransomware groups to disable or modify endpoint security solutions. EDR Silencer uses Windows Filtering Platform (WFP) to block EDR communications, while EDRSandblast exploits vulnerable drivers to remove kernel callbacks from security products. The research highlights that T1562.001 (Disable or Modify Tools) is the most prevalent technique among top ransomware groups.