This discovery emerged from their ongoing research into the abuse of Remote Management and Monitoring (RMM) tools and represents a significant evolution in defense evasion tactics.
The research team’s investigation revealed that attackers can obtain free trials of legitimate EDR solutions and use them to systematically disable competing security products already installed on target systems.
During testing at BSides Albuquerque, the researchers successfully demonstrated that Cisco Secure Endpoint (AMP) could be installed and configured to disable both CrowdStrike Falcon and Elastic Defend without generating detectable alerts or telemetry, aside from the host appearing offline.
The attack methodology involves several critical steps requiring local administrator privileges. Attackers first register for free EDR trials, download the legitimate agent software, and install it on compromised systems.
They then navigate to the management console, remove all exclusions from the security policy, and identify the SHA256 hash of the existing EDR process they wish to target.
Finally, they add this hash to the “Blocked Application List” in the Outbreak Control settings, effectively weaponizing one security tool against another.
The technical implementation exploits fundamental trust relationships between security products and their management infrastructure.
As Manrod notes in his research, “EDR/AV products can be used to disable or blind existing tools, remotely manage devices, or in one case we found — even full disk encryption (ESET)”.
The attack proves particularly effective because it can bypass tamper protection mechanisms that typically prevent unauthorized modification or removal of security software.
This discovery aligns with broader industry trends showing increased abuse of legitimate administrative tools by threat actors.
The 2024 CrowdStrike Threat Hunting Report indicated a 70% year-over-year increase in RMM tool abuse, while Arctic Wolf reported these tools appeared in 36% of their investigated cases.
Cofense analysis revealed ConnectWise ScreenConnect featured in 56% of observed RMM abuse scenarios, highlighting the growing preference for “living off the land” techniques.
The appeal of such legitimate tools lies in their inherent trustworthiness – they possess valid digital certificates, maintain a reputation with security vendors, and operate within expected administrative frameworks.
This makes detection significantly more challenging compared to traditional malware or suspicious executables that typically trigger security alerts.
Researchers emphasize the attack requires initial system compromise and privilege escalation, positioning it within the MITRE ATT&CK framework after initial access but before tool deployment phases.
The technique’s effectiveness stems from its ability to disable security protections even when advanced tamper protection features are enabled, representing a lower-complexity approach compared to traditional methods like Bring Your Own Vulnerable Driver (BYOVD) attacks or DLL-unhooking techniques.
Security experts recommend implementing multiple defensive layers to combat BYOEDR (Bring Your Own EDR) attacks.
Application control policies should explicitly block unauthorized EDR and RMM installations, while custom Indicators of Attack (IOAs) can detect unusual security software deployment patterns.
Network-level protections through application-aware firewalls and Secure Web Gateways (SWGs) can prevent unauthorized downloads of security tools not approved for enterprise use.
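A minimal version of the custom detection logic these recommendations describe, added here as an example that is not from the article or any vendor's product: it flags process-creation events for EDR agents outside an assumed approved-vendor set and correlates them with the sanctioned agent's heartbeat loss on the same host, the one symptom the article says stays visible. The event schema, vendor name markers and sample telemetry are constructed for the example.

```python
from datetime import datetime, timedelta

APPROVED_EDR = {"crowdstrike"}  # assumption: the only sanctioned EDR vendor here
# Illustrative image-name markers per vendor; tune to the real installer/agent names.
EDR_MARKERS = {
    "crowdstrike": ("csfalcon", "windowssensor"),
    "cisco_amp": ("ciscoamp", "amp_connector"),
    "elastic": ("elastic-agent", "elastic-endpoint"),
}
HEARTBEAT_WINDOW = timedelta(minutes=30)  # heartbeat loss this soon after an install is related

def vendor_of(image_path):
    """Map a process image path to an EDR vendor key, or None if it is not one."""
    name = image_path.lower()
    for vendor, markers in EDR_MARKERS.items():
        if any(marker in name for marker in markers):
            return vendor
    return None

def detect(events):
    """Return (rule, host, vendor) findings from process-create and heartbeat events."""
    findings, installs = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_create":
            vendor = vendor_of(ev["image"])
            if vendor and vendor not in APPROVED_EDR:
                findings.append(("unapproved_edr_install", ev["host"], vendor))
                installs.append((ts, ev["host"], vendor))
        elif ev["event"] == "heartbeat_lost" and ev["product"] in APPROVED_EDR:
            # The article's only visible symptom is the host going offline in the
            # sanctioned console, so correlate that with a recent competing install.
            for inst_ts, host, vendor in installs:
                if host == ev["host"] and timedelta(0) <= ts - inst_ts <= HEARTBEAT_WINDOW:
                    findings.append(("edr_offline_after_competing_install", host, vendor))
    return findings

# Constructed sample telemetry (not real data): one benign install, one suspicious
# install followed by the sanctioned agent going offline, one unrelated offline host.
SAMPLE_EVENTS = [
    {"ts": "2024-09-01T09:00:00", "event": "process_create", "host": "WS01",
     "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"ts": "2024-09-01T10:00:00", "event": "process_create", "host": "WS01",
     "image": r"C:\Users\Public\amp_connector_setup.exe"},
    {"ts": "2024-09-01T10:12:00", "event": "heartbeat_lost", "host": "WS01", "product": "crowdstrike"},
    {"ts": "2024-09-01T10:20:00", "event": "heartbeat_lost", "host": "WS02", "product": "crowdstrike"},
    {"ts": "2024-09-01T11:00:00", "event": "process_create", "host": "WS03",
     "image": r"C:\Temp\elastic-agent-setup.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two findings for WS01 (the competing install and the correlated offline event) and one for WS03, while the WS02 heartbeat loss alone produces nothing.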
The research team advocates for fundamental security hygiene improvements, including proper network segmentation, comprehensive host and Active Directory hardening, consistent patching protocols, and implementation of Local Administrator Password Solution (LAPS) to limit local admin exposure.
These measures collectively reduce the attack surface and make initial compromise more difficult.
Industry vendors must address this vulnerability through enhanced validation processes for free trial registrations and improved detection of competing security products during installation.
The researchers specifically recommend preventing agent hijacking scenarios where new installations from different tenants can assume control of existing security agents, particularly highlighting issues identified with ESET’s implementation.
The post Hackers Exploit EDR Free Trials to Bypass Protection and Disable Security Features appeared first on Cyber Security News.