Attackers have found a way to turn endpoint security products against each other. A technique dubbed "BYOEDR" (Bring Your Own EDR) uses a free trial of one Endpoint Detection and Response (EDR) product to disable the EDR that is already protecting a compromised system. It is a notable addition to the defense evasion playbook because it relies on no malware and no custom tooling, only a legitimately obtained security agent.
The technique was documented by security researchers Mike Manrod and Ezra Woods, who showed that a threat actor can sign up for a legitimate free trial of an EDR product and use its management console to neutralize a competing product already installed on the target. In their demonstration, Cisco Secure Endpoint (AMP) was installed and configured to block both CrowdStrike Falcon and Elastic Defend. Neither victim product raised an alert; the only signal visible in the victim's console was that the host had gone offline.
The attack requires local administrator privileges on the target, since that is what it takes to install a security agent. With that foothold, the attacker registers for a free EDR trial, downloads the agent installer, and deploys it on the compromised host. In the new EDR's management console, the attacker then removes all existing exclusions from the security policy (default exclusions would otherwise leave the incumbent product's processes alone), looks up the SHA256 hash of the incumbent EDR's executable, and adds that hash to the "Blocked Application List". The trial product's own prevention engine then does the work of killing the competitor, turning one security tool into a weapon against another.
What makes the technique dangerous is that it sidesteps tamper protection. Tamper protection guards an agent's own files, services and configuration against modification, but BYOEDR modifies none of them: a second, fully trusted, signed security product is simply instructed to block the first one's process. Compared with Bring Your Own Vulnerable Driver (BYOVD) attacks, which need a driver with a known flaw and an exploit for it, BYOEDR is far simpler to carry out while achieving the same end result. The appeal of abusing legitimate tools lies in their trustworthiness: an EDR agent is signed with a valid certificate, is expected to run with kernel-level privileges, and is far less likely to trigger alerts than conventional malware.
To defend against BYOEDR, the researchers recommend layered controls. Application control policies should explicitly block the installation of any EDR or remote monitoring and management (RMM) agent that is not the enterprise-approved one, ideally keyed on the publisher's code-signing certificate rather than on file hashes that change with every release. Custom Indicators of Attack (IOAs) can flag unusual security software deployment patterns, such as a second endpoint agent being installed or an approved sensor going silent shortly after an unexpected service installation. At the network layer, application-aware firewalls and Secure Web Gateways (SWGs) can prevent downloads of security tools that are not approved for enterprise use.
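The following detection logic is an added example (not the researchers' tooling or any vendor's rule) of the kind of custom IOA described above. It parses constructed Windows System log Event ID 7045 ("a service was installed") records, flags any EDR or RMM agent whose vendor is not on the approved list, and raises the severity when the approved sensor's last heartbeat falls within a short window after the unexpected install. The service-name fragments in the catalogue, the flattened log format, and the heartbeat data are all assumptions made for the example; a real rule should key on vendor-documented service names and Authenticode signers.

```python
"""Flag unapproved security-agent installs from Event ID 7045 records and
escalate when the approved sensor stops reporting soon afterwards.
All sample data below is constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed flattened record layout for this example:
#   <ISO timestamp> <host> 7045 ServiceName=<name> ImagePath="<path>" Account=<account>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) 7045 ServiceName=(?P<svc>.+?) "
    r'ImagePath="(?P<path>[^"]*)" Account=(?P<acct>\S+)$'
)

# Illustrative catalogue: lower-case fragment of service name or image path
# -> (vendor, kind). Treat these fragments as assumptions, not authoritative.
AGENT_CATALOGUE: Dict[str, Tuple[str, str]] = {
    "csfalconservice": ("CrowdStrike", "EDR"),
    "elastic-agent":   ("Elastic", "EDR"),
    "ciscoamp":        ("Cisco Secure Endpoint", "EDR"),
    "sentinelagent":   ("SentinelOne", "EDR"),
    "screenconnect":   ("ConnectWise", "RMM"),
    "atera":           ("Atera", "RMM"),
}


@dataclass
class ServiceInstall:
    ts: datetime
    host: str
    service_name: str
    image_path: str
    account: str


@dataclass
class Alert:
    ts: datetime
    host: str
    vendor: str
    kind: str
    service_name: str
    account: str
    severity: str = "medium"
    note: str = ""


def parse_7045(line: str) -> Optional[ServiceInstall]:
    """Parse one flattened 7045 record; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return ServiceInstall(datetime.fromisoformat(m["ts"]), m["host"],
                          m["svc"], m["path"], m["acct"])


def classify(service_name: str, image_path: str) -> Optional[Tuple[str, str]]:
    """Map a service install to (vendor, kind) if it looks like an EDR/RMM agent."""
    hay = f"{service_name} {image_path}".lower()
    for fragment, meta in AGENT_CATALOGUE.items():
        if fragment in hay:
            return meta
    return None


def detect_unapproved_agents(events: List[ServiceInstall],
                             approved: Set[str]) -> List[Alert]:
    """One alert per security-agent install whose vendor is not approved."""
    alerts = []
    for ev in events:
        meta = classify(ev.service_name, ev.image_path)
        if meta is None or meta[0] in approved:
            continue
        alerts.append(Alert(ev.ts, ev.host, meta[0], meta[1],
                            ev.service_name, ev.account))
    return alerts


def correlate_sensor_silence(alerts: List[Alert],
                             last_seen: Dict[str, Dict[str, datetime]],
                             approved: Set[str],
                             window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Escalate when an approved sensor's last heartbeat on the same host lands
    inside `window` after the unexpected install: the BYOEDR 'host went offline' signal."""
    for a in alerts:
        for vendor in approved:
            seen = last_seen.get(a.host, {}).get(vendor)
            if seen is not None and a.ts <= seen <= a.ts + window:
                minutes = int((seen - a.ts).total_seconds() // 60)
                a.severity = "high"
                a.note = f"{vendor} sensor last seen {minutes} min after {a.vendor} install"
    return alerts


def run(lines: List[str], last_seen: Dict[str, Dict[str, datetime]],
        approved: Set[str]) -> List[Alert]:
    events = [e for e in map(parse_7045, lines) if e is not None]
    return correlate_sensor_silence(detect_unapproved_agents(events, approved),
                                    last_seen, approved)


# Constructed sample input: one approved sensor reinstall, one rival EDR
# install, one RMM install on another host, and an unrelated service.
SAMPLE_LOG = [
    r'2024-05-02T09:40:00 WS-017 7045 ServiceName=CSFalconService ImagePath="C:\Program Files\CrowdStrike\CSFalconService.exe" Account=LocalSystem',
    r'2024-05-02T10:02:11 WS-017 7045 ServiceName=CiscoAMP ImagePath="C:\Program Files\Cisco\AMP\connector.exe" Account=LocalSystem',
    r'2024-05-02T11:15:03 WS-022 7045 ServiceName=ScreenConnect Client ImagePath="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" Account=LocalSystem',
    r'2024-05-02T12:00:00 WS-017 7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe" Account=LocalSystem',
]
# Constructed "last heartbeat" data as an EDR console might export it.
SAMPLE_LAST_SEEN = {
    "WS-017": {"CrowdStrike": datetime(2024, 5, 2, 10, 9, 40)},
    "WS-022": {"CrowdStrike": datetime(2024, 5, 2, 9, 0, 0)},
}
APPROVED = {"CrowdStrike"}

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, SAMPLE_LAST_SEEN, APPROVED):
        print(f"[{alert.severity}] {alert.host}: {alert.vendor} {alert.kind} "
              f"service '{alert.service_name}' installed by {alert.account}. {alert.note}")
```

On the sample data the rule produces a high-severity alert for WS-017 (a rival EDR installed, and the approved sensor last seen seven minutes later) and a medium one for the RMM install on WS-022. In production the heartbeat correlation is the part worth keeping: the install itself may look like routine software deployment, but an approved sensor going quiet minutes after it is the one signal BYOEDR cannot avoid leaving.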
Basic security hygiene still matters. Network segmentation, host hardening and regular patching raise the cost of the initial compromise, and restricting local administrator privileges removes the precondition the attack depends on: without local admin, the trial agent cannot be installed in the first place. The researchers also call on EDR vendors to strengthen validation of free-trial signups and to add safeguards that stop an agent from being hijacked by a different tenant of the same product. Together these measures shrink the attack surface and make both the initial compromise and the follow-on BYOEDR step harder to pull off.