A sophisticated attack technique has emerged in which cybercriminals exploit free trials of Endpoint Detection and Response (EDR) software to disable existing security protections on compromised systems.
Known as BYOEDR (Bring Your Own EDR), this method marks a troubling advancement in defense evasion tactics, where legitimate security tools are turned into weapons against the very systems they are meant to protect.
Exploit EDR Trial Programs
The attack technique was initially discovered by researchers Mike Manrod and Ezra Woods, who found that threat actors can leverage free trials of EDR products to disable or interfere with existing security solutions already installed on compromised systems.
During their testing, the researchers demonstrated that Cisco Secure Endpoint (formerly AMP) could be installed and configured in a way that successfully disabled both CrowdStrike Falcon and Elastic Defend. This process did not trigger any alerts or generate notable telemetry, aside from the affected host appearing to go offline.
According to the researchers, the technique hinges on abusing the administrative capabilities of EDR platforms. Once attackers gain local administrator privileges, they register for free trials of EDR solutions, download the agent installers, and deploy them on the compromised system.
From there, they access the Management > Policies section in the EDR console, modify the “Protect” policy for Windows, and remove all entries from the Exclusions tab. In the final step, they identify the SHA256 hash of the target EDR process and add it to the Blocked Application List using the Outbreak Control > Blocked Application interface.
What makes this approach especially dangerous is its ability to bypass tamper protection features that normally safeguard against unauthorized changes to security software. Compared to more technically complex evasion tactics like BYOVD (Bring Your Own Vulnerable Driver) or DLL-unhooking, BYOEDR is significantly simpler to execute while still achieving highly effective results.
Mitigations
This attack technique surfaces amid a broader trend of escalating abuse of Remote Management and Monitoring (RMM) tools, with the 2024 CrowdStrike Threat Hunting Report reporting a 70% year-over-year increase in such activity.
EDR tools are particularly attractive for malicious use due to their legitimacy—bearing valid digital certificates and enjoying trusted status within most environments, which significantly lowers the chances of detection.
To defend against these threats, security experts advise deploying application control policies, custom Indicators of Attack (IOAs), and application-aware firewalls to prevent unauthorized installations of RMM and EDR software.
In addition, core security hygiene remains essential. This includes network segmentation, system hardening, timely patch management, and restricting local administrator privileges.
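The controls above translate into two concrete detections: flag any endpoint security agent that is installed but not on the organisation's sanctioned list, and treat the "host simply goes offline" symptom described earlier as suspicious when it follows such an install. The Python below is an added example, not code from the researchers or from any EDR vendor; the allow-list, the product-name keywords, the JSON record shape and every log line are constructed for illustration.

```python
"""Detection logic for BYOEDR-style tampering, run over constructed sample telemetry.

Check 1: an EDR/RMM-style agent was installed that is not on the sanctioned list
         (the same allow-listing an application-control policy enforces).
Check 2: after such an install, the sanctioned sensor's heartbeat stops and does
         not return, matching the 'host appears to go offline' symptom.
"""
from datetime import datetime, timedelta
import json

# Hypothetical organisational allow-list of sanctioned security agents.
APPROVED_AGENTS = {"Example Sanctioned EDR"}

# Constructed keyword list for recognising security/management agents by product name.
SECURITY_AGENT_KEYWORDS = ("edr", "endpoint", "rmm", "remote monitoring")

# Constructed sample telemetry: one JSON record per line (install events and
# sensor heartbeats). WS-01 is the only host that shows the BYOEDR pattern.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:00", "host": "WS-01", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
{"ts": "2025-01-10T09:05:00", "host": "WS-01", "type": "install", "product": "Trial Vendor Secure Endpoint", "user": "localadmin"}
{"ts": "2025-01-10T09:10:00", "host": "WS-01", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
{"ts": "2025-01-10T09:15:00", "host": "WS-02", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
{"ts": "2025-01-10T09:20:00", "host": "WS-02", "type": "install", "product": "Example Sanctioned EDR", "user": "deploy-svc"}
{"ts": "2025-01-10T10:00:00", "host": "WS-02", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
{"ts": "2025-01-10T10:00:00", "host": "WS-03", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
{"ts": "2025-01-10T10:05:00", "host": "WS-03", "type": "install", "product": "Office Suite 2024", "user": "deploy-svc"}
{"ts": "2025-01-10T11:00:00", "host": "WS-03", "type": "heartbeat", "agent": "Example Sanctioned EDR"}
"""


def parse_events(raw):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def looks_like_security_agent(product):
    """Crude name-based classifier; a real deployment would key on publisher/signer."""
    name = product.lower()
    return any(k in name for k in SECURITY_AGENT_KEYWORDS)


def find_unapproved_agent_installs(events, approved=APPROVED_AGENTS):
    """Check 1: installs of security agents that are not on the sanctioned list."""
    return [
        e for e in events
        if e["type"] == "install"
        and looks_like_security_agent(e["product"])
        and e["product"] not in approved
    ]


def find_silenced_sensors(events, approved=APPROVED_AGENTS,
                          window=timedelta(minutes=30), now=None):
    """Check 2: sanctioned sensor goes quiet within `window` of an unapproved
    install and has still not reported by `now` (defaults to newest event)."""
    now = now or max(e["ts"] for e in events)
    findings = []
    for inst in find_unapproved_agent_installs(events, approved):
        later = [e["ts"] for e in events
                 if e["host"] == inst["host"] and e["type"] == "heartbeat"
                 and e["agent"] in approved and e["ts"] > inst["ts"]]
        last = max(later) if later else inst["ts"]
        if last - inst["ts"] <= window and now - last > window:
            findings.append({"host": inst["host"], "installed": inst["product"],
                             "last_heartbeat": last})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in find_unapproved_agent_installs(evs):
        print(f"[unapproved agent] {e['host']}: {e['product']} by {e['user']}")
    for f in find_silenced_sensors(evs):
        print(f"[sensor silenced] {f['host']}: last heartbeat {f['last_heartbeat']} "
              f"after install of {f['installed']}")
```

Run against the sample, check 1 flags only WS-01 (WS-02 installed the sanctioned agent, WS-03 installed unrelated software), and check 2 confirms WS-01's sanctioned sensor stopped reporting five minutes after the trial agent arrived. Check 2 on its own would also fire for a laptop that was simply closed, which is why it is gated on an unapproved-agent install rather than raised as a stand-alone alert.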
The research team has also urged EDR vendors to improve the vetting of free trial registrations and introduce technical controls that prevent agent hijacking or misuse across different customer environments using the same product.