New Blocker From Tier Zero Security Evades EDR Detection

Tier Zero Security has announced the release of an open-source telemetry blocker designed to block EDR telemetry by taking a “person in the middle” position and filtering network traffic.

The EDR blocker uses iptables to filter network traffic, targeting IP addresses based on the server names transmitted in the TLS Client Hello packet and a list of blocked servers provided in a file.

To use the tool, users must first clone the repository from GitHub, navigate to the project directory, set up a Python virtual environment, and install the necessary dependencies, such as Scapy. Once the virtual environment is activated, users can enable packet forwarding and launch the blocker.

An example command for launching the tool is: python3 edr_blocker.py -i eth0 -f mde_block.txt -t 192.168.50 -gw 192.168.0.1

The main functions of the blocker include monitoring blocked IP addresses, adding iptables rules, and clearing these rules. Commands are available to check the blocked IP addresses and the number of blocked packets, as well as to add and delete iptables rules.

Tier Zero Security emphasizes that the provided lists of blocked servers are not exhaustive and may need adjustments depending on specific use cases.
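
From the defender's side, a host whose telemetry is filtered this way keeps generating ordinary traffic while its EDR connections stop. The following added example (not part of the tool or the original announcement) flags that pattern in TLS SNI logs; the hostname suffix, the 15-minute threshold, the egress-sensor log format and the sample records are all assumptions.

```python
from datetime import datetime, timedelta

# Assumption: placeholder suffix. Use the telemetry hostnames your EDR vendor documents.
EDR_SNI_SUFFIXES = (".edr-telemetry.example",)
MAX_SILENCE = timedelta(minutes=15)  # assumed check-in tolerance

# Constructed sample: (timestamp, source IP, TLS SNI) as logged by a sensor at network egress.
SAMPLE_NOW = datetime.fromisoformat("2024-01-01T12:00:00")
SAMPLE_FLOWS = [
    ("2024-01-01T11:58:00", "192.0.2.10", "eu.edr-telemetry.example"),
    ("2024-01-01T11:59:00", "192.0.2.10", "www.example.org"),
    ("2024-01-01T10:00:00", "192.0.2.20", "eu.edr-telemetry.example"),
    ("2024-01-01T11:55:00", "192.0.2.20", "www.example.org"),
    ("2024-01-01T08:00:00", "192.0.2.30", "eu.edr-telemetry.example"),
    ("2024-01-01T11:50:00", "192.0.2.40", "mail.example.net"),
]


def is_edr_sni(sni):
    """True if the SNI is an EDR telemetry name (exact or dot-bounded suffix match)."""
    name = sni.lower().rstrip(".")
    return any(name == s.lstrip(".") or name.endswith(s) for s in EDR_SNI_SUFFIXES)


def silent_hosts(flows, now, max_silence=MAX_SILENCE):
    """Return (host, last EDR timestamp or None) for hosts that are still
    making TLS connections but have sent no EDR telemetry within max_silence."""
    last_any, last_edr = {}, {}
    for ts, src, sni in flows:
        seen = datetime.fromisoformat(ts)
        last_any[src] = max(last_any.get(src, seen), seen)
        if is_edr_sni(sni):
            last_edr[src] = max(last_edr.get(src, seen), seen)
    findings = []
    for src in sorted(last_any):
        if now - last_any[src] > max_silence:
            continue  # host is quiet altogether (powered off, off-network)
        edr = last_edr.get(src)
        if edr is None or now - edr > max_silence:
            findings.append((src, edr.isoformat() if edr else None))
    return findings


if __name__ == "__main__":
    for host, last in silent_hosts(SAMPLE_FLOWS, SAMPLE_NOW):
        print(f"{host}: active, last EDR telemetry seen {last or 'never'}")
```

The same comparison can be made against the EDR console's own last-check-in time when SNI logs are not available at egress.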

For more detailed information and installation guidance, visit the GitHub page.
