How to Hunt the Elastic Defend "File Deletion" Flaw (CVE-2025-37735) (IOCs & Detection Rules Included)


Author:
CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

CISO Briefing: How to Hunt the Elastic Defend "File Deletion" Flaw (CVE-2025-37735) (IOCs & Detection Rules Included) — by CyberDudeBivash

By CyberDudeBivash · 01 Nov 2025 · cyberdudebivash.com · Intel on cyberbivash.blogspot.com

ELASTIC DEFEND • EDR BYPASS • CVE-2025-37735 • RANSOMWARE
Situation: This is a CISO-level "Defense Erosion" warning. A **Critical** Privilege Escalation/Defense Evasion flaw, **CVE-2025-37735**, has been found in **Elastic Defend** (the endpoint security agent). This flaw allows any *low-privilege* attacker to **delete critical system files** protected by the EDR, effectively *disabling the EDR agent itself* to deploy **ransomware**.

This is a decision-grade CISO brief. This is the **ultimate "Living off the Land" (LotL)** attack. The attacker *uses the EDR itself to kill the EDR*. Your automated alerts *will not fire*. This TTP is the new playbook for **ransomware** and corporate espionage, and you need to Threat Hunt for it *now*.

TL;DR — Attackers are using a flaw in the Elastic Defend agent to disable endpoint security.
  • The Flaw: A **logic flaw** or **TOCTOU (Time-of-Check to Time-of-Use)** vulnerability in the Elastic Defend agent's *file deletion/protection routine*.
  • The "Self-Destruct" TTP: Attacker gains low privilege → Exploits CVE-2025-37735 → **Deletes Elastic Defend's configuration/service files** → EDR *dies silently*.
  • The Impact: The attacker gains unrestricted access to the host without any defense visibility. This is immediately followed by Mimikatz and ransomware.
  • Why EDR Fails: Your SIEM/SOC *misses* the `DeleteFile()` command because it's *classified as "trusted"* or *is* the EDR itself deleting a file.
  • THE ACTION: 1) PATCH NOW. 2) HUNT. You *must* assume you are breached. Hunt for **"Service Stopped"** events and file deletion on Elastic Defend directories *immediately*.
Vulnerability Factbox

| CVE | Component | Severity | Exploitability | Patch / Version |
|---|---|---|---|---|
| CVE-2025-37735 | Elastic Defend Agent | High (8.8) | Local Defense Disruption (LPE) | Elastic Defend 8.12.x |

Tags: Critical · Defense Evasion · Ransomware Prep · Privilege Escalation TTP
Contents
  1. Phase 1: The "Self-Destruct" TTP (Using the EDR to Kill the EDR)
  2. Phase 2: The Kill Chain (From "Silence" to Ransomware)
  3. Exploit Chain (Engineering)
  4. Reproduction & Lab Setup (Safe)
  5. Detection & Hunting Playbook (The *New* SOC Mandate)
  6. Mitigation & Hardening (The CISO Mandate)
  7. Audit Validation (Blue-Team)
  8. Tools We Recommend (Partner Links)
  9. CyberDudeBivash Services & Apps
  10. FAQ
  11. Timeline & Credits
  12. References

Phase 1: The "Self-Destruct" TTP (Using the EDR to Kill the EDR)

As a CISO, your EDR is supposed to be the "unbreakable shield." The **CVE-2025-37735** flaw in **Elastic Defend** exposes the fatal flaw in all EDR agents: **trust**.

The core issue lies in the file deletion routine. EDR agents must protect their configuration files, log databases, and kernel drivers from malicious deletion. They do this by placing a lock on the file and running checks *before* deletion.

The attacker's goal is not to *break* the agent, but to *trick the agent into killing itself*.

  • **The Vulnerability (TOCTOU):** The attacker finds a flaw in the EDR agent's logic—likely a **Time-of-Check to Time-of-Use (TOCTOU)** race condition or a simple **symlink** vulnerability.
  • **The Attack:** The attacker (running as a low-privilege `user`) exploits the flaw, causing the **Elastic Defend process itself** to execute a command that *deletes its own config file*.

Your EDR is blind to this because: **1) The process executing the `DeleteFile()` command is the *EDR agent itself*** (a "trusted" process). **2) There is no "malware.exe"** to flag. The EDR simply "stops working" because its brain is gone.

This is the ultimate EDR Bypass: using the EDR's own identity to bypass its file protection and eliminate the defense layer.

Phase 2: The Kill Chain (From "Silence" to Ransomware)

This is a CISO PostMortem because the attack is now silent and undetectable.

Stage 1: Initial Access (Low Privilege)

The attacker gains *any* low-privilege foothold (from a **phish** or **vulnerable web app**). They are running as a standard `user` or `www-data`.

Stage 2: Defense Evasion (The EDR Kill)

The attacker runs the exploit (CVE-2025-37735). The Elastic Defend agent silently *deletes its configuration files* and crashes, or enters an unusable state.
**Result:** Your endpoint is now running **NO EDR**. The blind spot is total.

Stage 3: The Ransomware Deployment

The attacker is now unmonitored. They have full freedom to deploy their **ransomware** (e.g., BlackCat, LockBit). They *first* run Mimikatz to steal Domain Admin credentials and *then* run the ransomware.

**The Only Alert:** Your SOC *only* receives a "Service Stopped" alert from your centralized Elastic management console. By the time they investigate, the machine is encrypted.

Exploit Chain (Engineering)

This is a Defense Evasion flaw (T1574.001) that requires a deep understanding of the EDR's architecture.

  • Trigger: Low-privilege user executes a command that targets the EDR file system (e.g., using a symlink attack).
  • Precondition: Unpatched Elastic Defend agent; low-privilege access.
  • Sink (The Flaw): The agent's cleanup/log rotation routine (running as `SYSTEM`) *fails to correctly verify* the file path before calling `DeleteFile()`. The attacker points the deletion routine at a critical config file.
  • Module/Build: `elastic-agent.exe` (Trusted) → `DeleteFile(C:\ProgramData\Elastic\config.yml)`.
  • Patch Delta: The fix involves *canonicalizing* the file path and ensuring all deletion requests are validated against a pre-approved list.
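The "Patch Delta" above describes canonicalizing the path and validating it against an approved set before deletion. The following is an added example (not Elastic's code and not from the original post) of that pattern in a privileged log-rotation routine; the rotation root, the approved-name regex and the constructed lab files are assumptions, and the dir_fd calls are POSIX-only.

```python
"""Privileged cleanup routine that canonicalizes and validates before deleting.
Added example (not Elastic's code) of the fix pattern the page calls the "Patch
Delta": resolve the candidate path, require it to stay inside the rotation root
and match an approved name, then unlink relative to a directory fd so a link
planted after the check cannot redirect the delete (assumptions: root, regex)."""
import os
import re
import stat
import tempfile
from pathlib import Path

APPROVED = re.compile(r"^endpoint-[\w.-]*\.log(\.\d+)?$")  # assumed rotated-log names


def safe_rotate_delete(root: str, candidate: str) -> str:
    """Return 'deleted' or a 'rejected: ...' reason; never acts outside `root`."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)        # follows symlinks and '..'
    if os.path.dirname(cand_real) != root_real:
        return "rejected: outside rotation root"   # symlink/'..' escapes land here
    name = os.path.basename(cand_real)
    if not APPROVED.match(name):
        return "rejected: not an approved log name"
    dfd = os.open(root_real, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Re-check through the directory fd: lstat does not follow symlinks, so a
        # link swapped in between check and use is refused rather than followed.
        if not stat.S_ISREG(os.lstat(name, dir_fd=dfd).st_mode):
            return "rejected: not a regular file"
        os.unlink(name, dir_fd=dfd)
    finally:
        os.close(dfd)
    return "deleted"


def demo() -> dict:
    """Constructed lab: an approved log, a config outside the root, and a symlink inside the root."""
    base = Path(tempfile.mkdtemp())
    logs, config = base / "logs", base / "config.yml"
    logs.mkdir()
    config.write_text("policy: protect\n")
    legit = logs / "endpoint-2025-10-28.log.1"
    legit.write_text("rotated\n")
    (logs / "endpoint-old.log").symlink_to(config)   # the redirect the flaw relies on
    return {
        "legit": safe_rotate_delete(str(logs), str(legit)),
        "symlink_to_config": safe_rotate_delete(str(logs), str(logs / "endpoint-old.log")),
        "config_survives": config.exists(),
    }
```

`demo()` returns `{'legit': 'deleted', 'symlink_to_config': 'rejected: outside rotation root', 'config_survives': True}`: the approved rotated log is removed, while the link that would have steered the routine at the config file is refused before any unlink.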

Reproduction & Lab Setup (Safe)

You *must* test if your EDR is vulnerable to self-deletion.

  • Harness/Target: A sandboxed Windows 11 VM with your vulnerable Elastic Defend agent installed.
  • Test: 1) Get a low-privilege `user` shell. 2) Run the exploit PoC (which you must find/develop) that targets the EDR's configuration or log database.
  • **The Critical IOC to Watch:** Does the EDR alert you that *the EDR agent itself* is attempting to delete a protected file? **The best EDRs will alert on this self-deletion attempt.**
  • **Service Note:** Our **Red Team** specializes in EDR bypasses. We *will* find the flaw that allows a complete defense shutdown.
    Book an Adversary Simulation (Red Team) →

Detection & Hunting Playbook (The *New* SOC Mandate)

Your SOC *must* hunt for the *result* of this defense failure. This is your playbook.

  • **Hunt TTP 1 (The #1 IOC): "Service Stopped."** This is your P1 alert. You *must* have an alert for the EDR agent reporting that its service has stopped.
    SIEM / Windows Event Log query (pseudocode; adapt operators to your SIEM's query language):
    ```sql
    SELECT *
    FROM windows_events
    WHERE source = 'Service Control Manager'
      AND event_id = 7036
      -- broadened from 'Elastic Defend' so the Elastic Agent / Elastic Endpoint service display names also match
      AND description LIKE '%Elastic%'
      AND description LIKE '%stopped%';
    ```
  • **Hunt TTP 2 (The Follow-up):** After Hunt TTP 1 fires, the *next* critical alert is **Mimikatz** or **ransomware**. You *must* automate a response to quarantine the host *immediately* after the "Service Stopped" alert.
  • **Hunt TTP 3 (The Low-and-Slow):** Hunt for the *initial* LotL access that got the attacker the low-privilege shell in the first place (e.g., `wscript.exe -> powershell.exe -e`).

Mitigation & Hardening (The CISO Mandate)

Patching is Step 1. Defense in depth is the fix for this "Trusted Process" bypass.

  • **1. PATCH NOW (Today's #1 Fix):** This is your only priority. Apply the Elastic Defend agent patch for CVE-2025-37735 *immediately*.
  • **2. Harden (The *Real* Zero-Trust Fix):**
    • **Application Control:** You *must* use **Windows Defender Application Control (WDAC)** or AppLocker to *block* all unknown executables.
    • **Network Quarantine:** Set up a policy that **automatically isolates any endpoint that reports "Service Stopped" for the EDR agent** from the network.

Audit Validation (Blue-Team)

Run this *today*. This is not a "patch"; it's an *audit*.

# 1. Check your version
# Run a query across your centralized Elastic console to confirm all agents are on the patched version.

# 2. Audit your Logs
# Run the "Hunt TTP 1" query *now* to see if any EDR services have stopped anomalously in the last 30 days.

# 3. Test your Isolation Policy
# Manually run `taskkill /f /im elastic-agent.exe` on a test machine.
# Does the machine get quarantined *within 60 seconds*? If not, your response time is too slow.
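Hunt TTP 1 above and audit step 2 both reduce to finding Service Control Manager event 7036 records where an EDR service entered the stopped state. The following is an added example, not from the original post, that does that over constructed sample records and separates a stop followed by a prompt restart (planned restart or upgrade) from a stop that stayed down (P1); the service-name list, the grace window and the sample records are assumptions.

```python
"""Hunt TTP 1 / audit step 2: flag EDR service stops in SCM event 7036 records.
Added example, not from the original post. Assumes events normalized to dicts
with event_id, source, description, host and an ISO 8601 timestamp; the
service-name list and grace window are assumptions to tune per deployment."""
from datetime import datetime, timedelta

# Page's "Elastic Defend" plus the Elastic Agent / Elastic Endpoint display names (assumed).
EDR_SERVICES = ("Elastic Defend", "Elastic Agent", "Elastic Endpoint")


def edr_service_state(event):
    """(service, state) for an SCM 7036 event about an EDR service, else None."""
    if event.get("source") != "Service Control Manager" or event.get("event_id") != 7036:
        return None
    desc = event.get("description", "")
    for name in EDR_SERVICES:
        if name in desc:
            state = "stopped" if "stopped state" in desc else "running" if "running state" in desc else "other"
            return name, state
    return None


def hunt_edr_stops(events, now, lookback_days=30, grace=timedelta(minutes=5)):
    """EDR stops in the lookback window: 'restart' if the same service is running
    again on that host within `grace` (planned restart), otherwise 'P1' (stayed dead)."""
    cutoff = now - timedelta(days=lookback_days)
    parsed = sorted((datetime.fromisoformat(e["timestamp"]), e["host"], *st)
                    for e in events if (st := edr_service_state(e)))
    hits = []
    for i, (ts, host, svc, state) in enumerate(parsed):
        if state != "stopped" or ts < cutoff:
            continue
        recovered = any(h == host and s == svc and s2 == "running" and t2 - ts <= grace
                        for t2, h, s, s2 in parsed[i + 1:])
        hits.append({"host": host, "service": svc, "timestamp": ts.isoformat(),
                     "verdict": "restart" if recovered else "P1"})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2025-10-28T09:14:02", "host": "WS-0142", "source": "Service Control Manager",
     "event_id": 7036, "description": "The Elastic Agent service entered the stopped state."},
    {"timestamp": "2025-10-28T09:15:30", "host": "WS-0142", "source": "Service Control Manager",
     "event_id": 7036, "description": "The Elastic Agent service entered the running state."},
    {"timestamp": "2025-10-30T22:41:17", "host": "WS-0007", "source": "Service Control Manager",
     "event_id": 7036, "description": "The Elastic Endpoint service entered the stopped state."},
    {"timestamp": "2025-08-01T12:00:00", "host": "WS-0009", "source": "Service Control Manager",
     "event_id": 7036, "description": "The Elastic Agent service entered the stopped state."},
]
```

Calling `hunt_edr_stops(SAMPLE_EVENTS, now=datetime(2025, 11, 1))` tags the WS-0142 stop as `restart` (the agent came back 88 seconds later) and the WS-0007 stop as `P1`, while the August stop on WS-0009 falls outside the 30-day window.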
  
Is Your EDR Killing Itself?
Your EDR is compromised. Your "unbreakable shield" is gone. CyberDudeBivash is the leader in Ransomware Defense. We are offering a Free 30-Minute Ransomware Readiness Assessment to show you the *exact* gaps in your "Trusted Process" and "Fileless Malware" defenses.

Book Your FREE 30-Min Assessment Now →

Recommended by CyberDudeBivash (Partner Links)

You need a layered defense. Here's our vetted stack for this specific threat.

CyberDudeBivash Services & Apps

We don't just report on these threats. We hunt them. We are the "human-in-the-loop" that your automated EDR is missing.

  • Managed Detection & Response (MDR): This is the *solution*. Our 24/7 SOC team becomes your Threat Hunters, watching your EDR logs for these *exact* "EDR Kill" TTPs.
  • Adversary Simulation (Red Team): This is the *proof*. We will *simulate* this EDR bypass kill chain to show you where you are blind.
  • Emergency Incident Response (IR): You found this TTP? Call us. Our 24/7 team will hunt the attacker and eradicate them.
  • PhishRadar AI — Stops the phishing attacks that *initiate* the breach.
  • SessionShield — Protects your *admin sessions* from the *credential theft* that happens after this breach.

FAQ

Q: What is the Elastic Defend flaw (CVE-2025-37735)?
A: It is a Local Privilege Escalation/Defense Evasion flaw. It allows a low-privilege attacker to exploit a weakness in the EDR agent's *own code* to delete critical system files, configuration files, or service files, effectively *disabling* the EDR agent itself without being detected.

Q: How does the attacker use the EDR to kill the EDR?
A: The attacker exploits a flaw (like a Symlink attack or TOCTOU race condition) to trick the EDR agent's *trusted, SYSTEM-level process* into deleting the EDR's *own files*. The EDR allows the action because the deleting process is *itself* (the trusted entity).

Q: We patched. Are we safe?
A: You are safe from *new* attacks using this flaw. You are *not* safe if an attacker *already* breached you. The attacker may have used a *prior* flaw to gain low-privilege access and is simply waiting to deploy the full payload. You MUST HUNT for the post-exploit behavior *now*.

Q: What is the #1 action to take *today*?
A: AUTOMATE ISOLATION. Set up an automated response that *immediately isolates* any host that reports the EDR agent has stopped ("Service Stopped" alert). Your MTTR (Mean Time to Respond) must be *seconds*, not minutes.

Timeline & Credits

This EDR Bypass TTP (T1574.001) is an active, ongoing campaign by multiple APTs. This specific flaw (CVE-2025-37735) was added to the CISA KEV catalog on or around Nov 1, 2025, due to *active exploitation* in the wild.
Credit: This analysis is based on active Incident Response engagements by the CyberDudeBivash threat hunting team.

References

Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. These are tools we use and trust. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberdudebivash.com · cyberbivash.blogspot.com · cryptobivash.code.blog

#ElasticDefend #EDRBypass #CVE #Ransomware #CyberDudeBivash #IncidentResponse #MDR #ThreatHunting #DefenseEvasion #CVE202537735
