This creates a dangerous blind spot for security operations centers that rely on endpoint telemetry to monitor their environments. When an EDR agent stops reporting, the cause could be a system shutdown, a network connectivity issue, or this new form of attack.
Woods and Manrod provided recommendations for organizations looking to defend against this attack vector. They suggested deploying application control solutions to block unauthorized security software installations and implementing custom “Indicators of Attack” to detect suspicious EDR installations. Application-aware firewalls and secure web gateways can help block access to unauthorized security vendor portals, they added.
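The two detections the researchers recommend, a custom indicator for installations of endpoint-security products other than the sanctioned one, and a correlation that spots the sanctioned agent going quiet right after such an install, can be prototyped over existing telemetry. The following is an added example written for this article, not code from Woods, Manrod, or any EDR vendor; the product names (`sanctioned-edr`, `othervendor-edr`, `thirdvendor-sensor`), the `timestamp|host|kind|product` log format, and the 30-minute silence window are all hypothetical placeholders, and the log lines are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Hypothetical product identifiers (placeholders, not real vendor names):
# the organisation's approved agent and the other endpoint-security
# products whose installers should never appear on managed endpoints.
SANCTIONED_EDR = {"sanctioned-edr"}
KNOWN_EDR_PRODUCTS = {"sanctioned-edr", "othervendor-edr", "thirdvendor-sensor"}

# Constructed telemetry in an assumed 'timestamp|host|kind|product' format.
# 'install' = installer run / service registration, 'heartbeat' = agent check-in.
SAMPLE_LOG = [
    "2024-05-01T09:00:00|host01|heartbeat|Sanctioned-EDR",
    "2024-05-01T09:05:00|host01|install|OtherVendor-EDR",    # unauthorised install
    "2024-05-01T09:06:00|host01|heartbeat|Sanctioned-EDR",   # last check-in ever
    "2024-05-01T09:10:00|host02|heartbeat|Sanctioned-EDR",
    "2024-05-01T09:12:00|host02|install|Sanctioned-EDR",     # legitimate reinstall
    "2024-05-01T09:40:00|host02|heartbeat|Sanctioned-EDR",
    "2024-05-01T09:50:00|host03|heartbeat|Sanctioned-EDR",
    "2024-05-01T09:55:00|host03|install|ThirdVendor-Sensor", # unauthorised install
    "2024-05-01T10:30:00|host03|heartbeat|Sanctioned-EDR",   # still reporting
    "2024-05-01T10:45:00|host02|heartbeat|Sanctioned-EDR",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # "install" or "heartbeat"
    product: str   # normalised to lower case


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line into an Event."""
    ts, host, kind, product = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, kind, product.lower())


def unauthorized_edr_installs(events: Iterable[Event]) -> List[Event]:
    """Custom indicator: a known endpoint-security product was installed
    that is not the organisation's sanctioned agent."""
    return [
        e for e in events
        if e.kind == "install"
        and e.product in KNOWN_EDR_PRODUCTS
        and e.product not in SANCTIONED_EDR
    ]


def hosts_gone_silent(events: Iterable[Event],
                      window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """Correlate each unauthorised install with the sanctioned agent's heartbeats:
    flag the host if no sanctioned heartbeat arrived after install + window,
    provided the data actually extends that far (avoids false alerts at the
    edge of the observation period). Returns (host, offending product) pairs."""
    events = list(events)
    if not events:
        return []
    horizon = max(e.ts for e in events)  # latest timestamp we have observed
    last_heartbeat = {}
    for e in events:
        if e.kind == "heartbeat" and e.product in SANCTIONED_EDR:
            last_heartbeat[e.host] = max(last_heartbeat.get(e.host, e.ts), e.ts)
    silent = []
    for inst in unauthorized_edr_installs(events):
        deadline = inst.ts + window
        if horizon >= deadline and last_heartbeat.get(inst.host, inst.ts) < deadline:
            silent.append((inst.host, inst.product))
    return silent


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_LOG]
    for e in unauthorized_edr_installs(evs):
        print(f"ALERT unauthorised security agent install: {e.host} {e.product} at {e.ts}")
    for host, product in hosts_gone_silent(evs):
        print(f"ALERT sanctioned agent silent after {product} install on {host}")
```

On the constructed data the install indicator fires for host01 and host03, but only host01 is also reported as silent: host03's sanctioned agent keeps checking in, so the second rule treats that case as a suspicious install rather than a confirmed blind spot. In production the install events would come from process-creation or installer telemetry and the heartbeats from the EDR console, and the window should be tuned to the agent's real check-in interval.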
The researchers provided detailed instructions for security teams to test this attack vector in their own environments, emphasizing the importance of understanding how these attacks appear in organizational security telemetry. They recommended conducting controlled tests on isolated systems, monitoring for detection gaps in existing security tools, and analyzing attack timelines and indicators.