EDR Reloaded: Erase Data Remotely

Learn how attackers can exploit EDR products to delete legitimate files by injecting malicious signatures, bypassing authentication and impacting critical system data across Windows & Linux

Key takeaways
  • Researchers discovered ways to trigger EDR products to delete legitimate files by injecting malicious signatures remotely, without requiring authentication

  • The attack works by implanting malicious signatures into legitimate files (logs, databases, configurations), causing EDRs to falsely identify them as threats and delete them

  • Windows Defender and Kaspersky were particularly vulnerable, with attacks possible on both Windows and Linux systems even when fully patched

  • Key vulnerable targets include:

    • Web server logs (IIS, Nginx, Apache)
    • Database files (MySQL, PostgreSQL, SQLite, MongoDB)
    • Windows Event logs
    • Virtual machine configuration files
    • Browser history databases
    • Email client databases
  • Microsoft released two patches (CVE-2023-24880 and CVE-2023-36010) but researchers found ways to bypass both patches

  • Attack works through various vectors:

    • HTTP requests with malicious user agents
    • Database field injection
    • SMB login attempts
    • Email subject fields
    • FTP server logs
  • Research focused on finding minimal signatures that could trigger automatic deletion while avoiding detection limitations

  • Even central logging systems like Splunk could be compromised through a domino effect where infected logs trigger further deletions

  • Attack remains effective against many systems because:

    • Security patches were incomplete
    • Some vendors chose not to fix certain vectors
    • Many systems still use vulnerable legacy components
  • Impacts can be severe: deleted files often cannot be restored from backup, because the EDR detects the implanted signature and deletes them again
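The takeaways above describe EDRs being turned against log, database and configuration files. One defensive check a SOC can run over EDR remediation telemetry is to flag every quarantine or deletion whose target is a data file of the kinds listed on this page rather than an executable, and to mark hits on a central log collector's own storage as a possible domino effect. This is an added example, not code from the research or any EDR vendor; the JSON-per-line event format, the sample events and the per-category file-name hints are my own assumptions.

```python
import json
import ntpath

# Per-category file-name hints for the target types named in the takeaways.
# The extension lists are assumptions about common file names, not an exhaustive set.
DATA_FILE_HINTS = {
    "web server log": {".log"},
    "database file": {".db", ".sqlite", ".sqlite3", ".frm", ".ibd", ".myd", ".wt"},
    "windows event log": {".evtx"},
    "vm configuration": {".vmx", ".vmcx", ".vbox"},
    "browser history": {"history", "places.sqlite"},
    "email client database": {".pst", ".ost", ".mbox"},
}
REMEDIATION_ACTIONS = {"delete", "quarantine", "remove"}


def classify_path(path):
    """Return the data-file category for a path, or None if it is not a listed data file."""
    # Normalise to backslashes so ntpath handles both Windows and POSIX paths.
    name = ntpath.basename(path.replace("/", "\\")).lower()
    ext = ntpath.splitext(name)[1]
    for category, hints in DATA_FILE_HINTS.items():
        if name in hints or ext in hints:
            return category
    return None


def find_suspicious_remediations(event_lines):
    """Parse constructed JSON-per-line EDR events; return those that removed a data file."""
    alerts = []
    for line in event_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action", "").lower() not in REMEDIATION_ACTIONS:
            continue
        category = classify_path(event.get("path", ""))
        if category is None:
            continue
        alerts.append({
            "path": event["path"],
            "category": category,
            "detection": event.get("detection"),
            # A hit inside the log collector's own tree suggests the domino effect.
            "central_logging": "splunk" in event["path"].lower(),
        })
    return alerts


# Constructed sample events (assumed format; not real EDR output).
SAMPLE_EVENTS = """
{"action": "quarantine", "path": "C:\\\\Users\\\\a\\\\Downloads\\\\tool.exe", "detection": "Placeholder:Test/Sig"}
{"action": "delete", "path": "C:\\\\inetpub\\\\logs\\\\LogFiles\\\\W3SVC1\\\\u_ex240101.log", "detection": "Placeholder:Test/Sig"}
{"action": "delete", "path": "/var/lib/mysql/app/users.ibd", "detection": "Placeholder:Test/Sig"}
{"action": "block", "path": "/opt/splunk/var/lib/splunk/defaultdb/db/rawdata.log", "detection": "Placeholder:Test/Sig"}
{"action": "delete", "path": "/opt/splunk/var/log/splunk/splunkd.log", "detection": "Placeholder:Test/Sig"}
"""
```

Run `find_suspicious_remediations(SAMPLE_EVENTS.splitlines())` to get the three data-file deletions; the executable quarantine and the non-remediating block are ignored.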