EvilEDR: Repurposing EDR as an Offensive Tool

Endpoint Detection and Response (EDR) systems provide continuous monitoring, threat detection, and response capabilities. This has driven their widespread adoption in enterprises, making them a key part of an enterprise's security architecture. However, EDR systems are a double-edged sword, and in this study, we demonstrate how this class of systems can be employed for offensive use. Unlike prior studies that focused on evasion and tampering, we introduce the new concept of EDR repurposing, which we call EvilEDR. Our analysis shows that EvilEDR can be used to execute arbitrary commands via the response console, transfer tools, exfiltrate data, and passively collect system information to facilitate further exploitation and lateral movement. EvilEDR operates covertly, masquerading as a legitimate process and communicating seamlessly with trusted domains. Additionally, we show that EvilEDR can impair defenses by registering its own EPP as the default. It can also isolate the host from the network, severing telemetry and response channels essential for enterprise defense mechanisms. Fortunately, EvilEDR can be effectively detected and mitigated, and in this paper, we propose concrete and actionable defense strategies to achieve this.