EDR Reloaded: Erase Data Remotely

Researchers discovered ways to trigger EDR products to delete legitimate files by injecting malicious signatures remotely, without requiring authentication

Attack works by implanting malicious signatures into legitimate files (logs, databases, configurations) causing EDRs to falsely identify them as threats and delete them

Windows Defender and Kaspersky were particularly vulnerable, with attacks possible on both Windows and Linux systems even when fully patched

Key vulnerable targets include:

• Web server logs (IIS, Nginx, Apache)
• Database files (MySQL, PostgreSQL, SQLite, MongoDB)
• Windows Event logs
• Virtual machine configuration files
• Browser history databases
• Email client databases

Microsoft released two patches (CVE-2023-24880 and CVE-2023-36010) but researchers found ways to bypass both patches

Attack works through various vectors:

• HTTP requests with malicious user agents
• Database field injection
• SMB login attempts
• Email subject fields
• FTP server logs

Research focused on finding minimal signatures that could trigger automatic deletion while avoiding detection limitations

Even central logging systems like Splunk could be compromised through a domino effect where infected logs trigger further deletions

Attack remains effective against many systems because:

• Security patches were incomplete
• Some vendors chose not to fix certain vectors
• Many systems still use vulnerable legacy components

Impacts can be severe - deleted files often cannot be restored from backup as EDRs will detect and delete them again