Intel Name: TA Phone Home: EDR Evasion Testing Reveals Extortion Actor’s Toolkit
Date of Scan: November 13, 2024
Impact: High
Summary: This article examines an incident in which a threat actor attempted, unsuccessfully, to bypass Cortex XDR. The investigation gave insight into the threat actor’s methods: they had purchased access to the client’s network (via Atera RMM) from an initial access broker. The attacker then set up rogue systems, including a virtual machine on which they installed the Cortex XDR agent, in order to test a new AV/EDR bypass tool built on the “bring your own vulnerable driver” (BYOVD) technique.
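The BYOVD testing described above is where a defender has telemetry to work with: the whole point of the technique is that the driver carries a valid signature, so the driver-load event itself is usually the first visible artifact. The following Python is an added example, not code from the article or from Palo Alto Networks, that triages Sysmon Event ID 6 (DriverLoad) records for three BYOVD indicators: a SHA256 match against a vulnerable-driver list, a load path outside the usual driver directories, and a signature status other than Valid. The sample records, the hash values and the blocklist contents are all constructed for illustration; only the field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) follow Sysmon's DriverLoad schema.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators."""

# Constructed sample records, flattened to "key=value; key=value" the way a
# SIEM export might present them. Made-up lines, not telemetry from the incident.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; "
    "Hashes=SHA256=" + "0" * 63 + "1" + "; "
    "Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    # A validly signed driver dropped in a user-writable directory: the BYOVD shape.
    "ImageLoaded=C:\\Users\\Public\\drv\\legacy_oem.sys; "
    "Hashes=SHA256=" + "a" * 64 + "; "
    "Signed=true; Signature=Example OEM Co; SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\tool\\helper.sys; "
    "Hashes=SHA256=" + "b" * 64 + "; "
    "Signed=false; Signature=-; SignatureStatus=Unsigned",
]

# Constructed stand-in for a maintained vulnerable-driver hash feed (hypothetical hash).
KNOWN_VULNERABLE_SHA256 = {"a" * 64}

# Directories from which properly installed drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_event(line):
    """Split a flattened 'key=value; key=value' record into a dict."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(event):
    """Pull the SHA256 digest out of Sysmon's comma-separated 'Hashes' field."""
    for item in event.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def triage(event):
    """Return the reasons a driver load deserves attention (empty list = nothing found)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    if sha256_of(event) in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside standard driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def triage_all(lines):
    """Parse each record and return [(image_path, reasons)] for flagged loads only."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        reasons = triage(event)
        if reasons:
            flagged.append((event.get("ImageLoaded", ""), reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The signature check on its own would pass the second record, which is exactly the case BYOVD is built around; it is the hash and path checks that flag it. Before running this over real telemetry, replace the constructed blocklist with a maintained vulnerable-driver hash list and extend EXPECTED_DRIVER_DIRS to cover any legitimate third-party driver locations in the environment.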