EDR Reloaded: Erase Data Remotely
Learn how attackers can exploit EDR products to delete legitimate files by injecting malicious signatures, bypassing authentication and impacting critical system data across Windows & Linux
- Researchers discovered ways to trigger EDR products into deleting legitimate files by injecting malicious signatures remotely, without requiring authentication
- The attack works by implanting malicious signatures into legitimate files (logs, databases, configurations), causing EDRs to falsely identify them as threats and delete them
- Windows Defender and Kaspersky were particularly vulnerable, with attacks possible on both Windows and Linux systems even when fully patched
- Key vulnerable targets include:
  - Web server logs (IIS, Nginx, Apache)
  - Database files (MySQL, PostgreSQL, SQLite, MongoDB)
  - Windows Event logs
  - Virtual machine configuration files
  - Browser history databases
  - Email client databases
- Microsoft released two patches (CVE-2023-24880 and CVE-2023-36010), but researchers found ways to bypass both
- The attack works through various vectors:
  - HTTP requests with malicious user agents
  - Database field injection
  - SMB login attempts
  - Email subject fields
  - FTP server logs
- Research focused on finding minimal signatures that could trigger automatic deletion while avoiding detection limitations
- Even central logging systems like Splunk could be compromised through a domino effect, where infected logs trigger further deletions
- The attack remains effective against many systems because:
  - Security patches were incomplete
  - Some vendors chose not to fix certain vectors
  - Many systems still use vulnerable legacy components
- Impacts can be severe: deleted files often cannot be restored from backup, as EDRs will detect and delete them again
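As an added defender-side example (not part of the original talk summary), a small Python triage filter that flags EDR remediation events whose target is one of the log, database, event-log or configuration file types listed above, so a responder reviews them before attempting a restore that would simply be deleted again. The event line format and the signature names are constructed for this example and are not any vendor's real log format.

```python
import re

# Constructed sample of EDR remediation events: timestamp, action, path, signature.
# This is NOT a real vendor log format; signature names are placeholders.
SAMPLE_EVENTS = [
    r"2024-05-01T10:02:11Z QUARANTINE C:\inetpub\logs\LogFiles\W3SVC1\u_ex240501.log SIG-PLACEHOLDER-1",
    r"2024-05-01T10:02:12Z DELETE /var/log/nginx/access.log SIG-PLACEHOLDER-2",
    r"2024-05-01T10:03:40Z DELETE C:\Users\alice\Downloads\setup.exe SIG-PLACEHOLDER-1",
    r"2024-05-01T10:05:02Z DELETE /var/lib/mysql/appdb/users.ibd SIG-PLACEHOLDER-3",
    r"2024-05-01T10:06:15Z DELETE C:\Windows\System32\winevt\Logs\Security.evtx SIG-PLACEHOLDER-1",
]

# File classes an EDR normally has no business deleting: a verdict on one of these is
# more likely a signature planted via attacker-controlled input than a real infection.
DATA_FILE_RULES = [
    ("web server log", re.compile(r"/inetpub/logs/|/var/log/(nginx|apache2|httpd)/|\.log$")),
    ("windows event log", re.compile(r"/winevt/logs/.*\.evtx$")),
    ("database file", re.compile(r"/var/lib/(mysql|postgresql|mongodb)/|\.(ibd|frm|sqlite3?|db|wt)$")),
    ("vm configuration", re.compile(r"\.(vmx|vbox|vmcx)$")),
    ("browser history", re.compile(r"/(history|places\.sqlite)$")),
    ("mail client database", re.compile(r"\.(pst|ost|mbox|msf)$")),
]

def classify_path(path: str):
    """Return the data-file class of a path, or None if it looks like an ordinary file."""
    normalized = path.replace("\\", "/").lower()  # handle Windows and Linux paths alike
    for label, pattern in DATA_FILE_RULES:
        if pattern.search(normalized):
            return label
    return None

def parse_event(line: str):
    """Split one sample event line into its four fields (paths containing spaces are not handled)."""
    ts, action, path, signature = line.split(None, 3)
    return {"time": ts, "action": action, "path": path, "signature": signature}

def suspicious_events(lines):
    """Events where the EDR removed a log/database/config file: hold these for review,
    because restoring the same bytes from backup will just be detected and deleted again."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        if event["action"] not in {"DELETE", "QUARANTINE"}:
            continue
        label = classify_path(event["path"])
        if label is not None:
            event["file_class"] = label
            flagged.append(event)
    return flagged

if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_EVENTS):
        print(f'{e["time"]} {e["action"]:10} {e["file_class"]:22} {e["path"]}')
```

Running it flags four of the five sample events (the IIS log, the Nginx log, the MySQL table file and the Security event log) and leaves the ordinary executable alone.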