Tech Tidbit – How to overcome EDR evasion

June 12th, 2026
On January 5th, 2026, the NYS Intelligence Center sent a note stating that they were observing threat actors successfully using EDR evasion tools to hide their activities and extend their undetected access to networks in NYS.

Once again, not marketing bullets, but technical facts. I have been warning about EDR evasion for almost 18 months.

The concept is simple. The threat actor adds a tool to the network that blocks the EDR telemetry feed from phoning home to report what is happening. This creates a blind spot on the network. This hides malicious activities like network mapping or ransomware deployment.

This is a substantial threat to the overall protection scheme for your network.

This isn't a case of EDR being ineffective; it is a case of what Kyle at Huntress calls "everything can be hacked".

The question then becomes, what does one do when one of the foundational protection tools isn't fully reporting?

I have a couple of thoughts:

1 - NO GAPS. You should aggressively maintain 100% deployment of your EDR endpoint solution. Endpoints not reporting should stand out as an unusual event. You will need to promptly investigate why this endpoint isn't reporting and take appropriate action.

2 - Plan B. Every Windows endpoint comes with the default Windows Security antivirus. Despite being free, this tool consistently ranks among the top traditional antivirus offerings. It also knows how to drop into a secondary, reporting-only role when a more substantial EDR product, such as our flagship SentinelOne, is installed. Instead of uninstalling it, leave it there. I just want it there to hopefully report that the main EDR is being hacked. It is much harder for a threat actor to hack into two AV/EDR products simultaneously. We want the bad guys to make noise so it's easier for us to find them.

3 - Defense in Depth = Layers of protection. We must anticipate that a security layer may not be effective against all threats in all circumstances. That is why we need to adopt different protection strategies, viewing your network and endpoints from different perspectives. If one layer is blind to the attack, another layer hopefully should see the activity. "Eyes on glass" and "eyes on firewall" offered by a SOC service are a great way to augment your network defenses.

4 - Look for behaviors. The bad guys didn't breach your network just to sit on a random endpoint. They came to steal your information and money. The reason the EDR telemetry went dark is that they are most likely setting up shop for what they really want.

That means there is a really good chance that the endpoints with dark EDR agents are still communicating back through your firewall to the bad guys. That traffic looks like normal, routine communications, but if someone looks for it with another tool, it is probably there.

That is where "eyes on glass" and "eyes on firewall" come in, looking for suspicious or malicious traffic.
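Points 1 and 4 above translate directly into a detection: compare each agent's last check-in against a silence threshold, then check the firewall log to see whether a host whose agent went dark is still talking outbound. The script below is an added example, not code from this newsletter or from any EDR vendor; the check-in table, the firewall log format and all host names and addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")
# Constructed sample data, not real telemetry: last check-in time per EDR agent.
EDR_CHECKINS = {
    "ws-fin-01": "2026-01-05T09:58:00",
    "ws-fin-02": "2026-01-05T07:10:00",
    "ws-hr-07": "2026-01-04T22:00:00",
    "srv-file-01": "2026-01-05T10:00:00",
}
# Constructed firewall log lines: timestamp, source host, destination, bytes sent.
FIREWALL_LOG = """\
2026-01-05T09:59:12 src=ws-fin-01 dst=203.0.113.10:443 bytes_out=1450
2026-01-05T09:59:30 src=ws-fin-02 dst=203.0.113.55:443 bytes_out=88200
2026-01-05T09:59:45 src=srv-file-01 dst=198.51.100.20:443 bytes_out=2200
2026-01-05T10:00:01 src=ws-fin-02 dst=203.0.113.55:443 bytes_out=120500
2026-01-05T10:01:20 src=lt-sales-03 dst=198.51.100.20:443 bytes_out=900
"""

def parse_firewall_log(text):
    """Parse the constructed log format into (timestamp, host, destination, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped
            ts, host, dst, sent = m.groups()
            events.append((datetime.fromisoformat(ts), host, dst, int(sent)))
    return events

def find_dark_agents(checkins, fw_events, now_iso, max_silence=timedelta(minutes=30)):
    """Flag agents that stopped reporting, hosts with no agent, and whether they still talk out."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for host, last in checkins.items():
        last_seen = datetime.fromisoformat(last)
        silence = now - last_seen
        if silence <= max_silence:
            continue  # agent is reporting normally
        # Outbound traffic after the last check-in means the host is up but the EDR is dark.
        after = [e for e in fw_events if e[1] == host and e[0] > last_seen]
        findings[host] = {
            "status": "stale_but_active" if after else "stale_silent",
            "silent_minutes": int(silence.total_seconds() // 60),
            "bytes_out_since_checkin": sum(e[3] for e in after),
            "destinations": sorted({e[2] for e in after}),
        }
    # Hosts seen on the wire with no agent record at all are deployment gaps (point 1).
    for host in sorted({e[1] for e in fw_events} - set(checkins)):
        findings[host] = {"status": "no_agent"}
    return findings
```

A "stale_but_active" host is the one to chase first: the agent is quiet but the machine is clearly awake and sending data out, which is exactly the blind spot described above.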

Acture also has solutions that not only evaluate firewall traffic but also correlate DNS requests with malicious phishing email links, so the source of the traffic can be identified and blocked and you can quickly contain and kill the incursion.

Despite advanced evasion methods, we can still observe the behaviors using other means.

It is a game of whack-a-mole, but our tools shut down threats as they pop up, making it harder for anyone to hide from you.

It is all a matter of planning. We'd love to kill bad guys. We are excited to have that conversation and show you what is possible in a modern, layered security defense.

Give us a call and let's figure it out together.

Scott F. Quimby, Senior Technical Advisor, vCISO, CISSP