A recent blog by Elastic Security Labs details GHOSTENGINE, the crypto-mining payload of an intrusion set (also reported as HIDDENSHOVEL) that disables endpoint detection and response (EDR) products on the victim host. A crypto miner by itself may not pose a grave threat to an enterprise, but EDR-killing functionality is dangerous and likely to become more prevalent. Confidence in, and reliance upon, the enterprise endpoint solution is commonplace, and it only increases when XDR capabilities are layered on top to add network detection. EDR is a critical component of any cybersecurity framework, but Network Detection and Response (NDR) plays an equally important role, precisely because it keeps working when the endpoint agent has been silenced.
In this campaign, GHOSTENGINE abuses vulnerable signed drivers (the bring-your-own-vulnerable-driver, or BYOVD, technique) to terminate EDR processes before it runs its miner. Once the EDR has been rendered ineffective, few host-based controls remain to detect or alert on the activity. Network detection solutions such as IronNet’s Collective Defense observe traffic on the wire rather than on the host, so tampering with the endpoint agent does not blind them. In most cases, malware still has to communicate externally with command and control (C2) infrastructure to download secondary payloads, receive instructions, and exfiltrate data. Each of those connections is an opportunity for a network sensor to detect and alert, regardless of the state of the EDR. The caveat is that the sensor must actually see the traffic: encrypted C2 still exposes destination, timing, volume, and certificate metadata, but traffic that never crosses a monitored segment is invisible to it.
IronNet Detection Spotlight: GHOSTENGINE
Threat Intelligence Overview:
» 157 exclusive IronDefense NDR detections that cover various aspects of GHOSTENGINE command and control (C2)
» 5 Collective Defense correlations for GHOSTENGINE Network alerts
» 1 unique indicator discovered by IronRadar fingerprinting the GHOSTENGINE X.509 certificate
Custom Network Detection Rules:
| Rule Name | Description |
| --- | --- |
| Outbound Suspicious PowerShell Activity | Detects suspicious file downloads via PowerShell, or PowerShell communicating directly with an IP address rather than a hostname |
| Outbound CURL to DottedQuad | Detects traffic to a dotted-quad (literal IPv4) destination with curl as the user agent |
IOCs (defanged):
| Indicator | Description |
| --- | --- |
| 93.95.228[.]47 | GHOSTENGINE C2 |
| 93.184.221[.]240 | GHOSTENGINE C2 |
| 111.90.143[.]130 | GHOSTENGINE C2 |
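The two custom rules and the IOC table above describe detection logic without showing it run. The following is an added example, not IronNet’s or Elastic’s code, that applies the same three checks (PowerShell downloads or direct-to-IP PowerShell traffic, curl to a dotted quad, and a match against the page’s defanged C2 addresses) to a handful of constructed HTTP log lines. The log format (timestamp, source IP, destination host, method, URI, user agent), the URIs, the hostnames, the internal addresses and the list of payload extensions are all assumptions made for the example; only the three C2 addresses come from the page. One detail worth copying: dotted-quad requests to private address space are excluded, because curl and PowerShell hitting internal APIs by IP is routine and would otherwise bury the real hits.

```python
"""Network-side detection of GHOSTENGINE-style C2 over sample HTTP logs.

Constructed example: the log lines, URIs, hostnames, internal addresses and
the field layout are made up for illustration; the C2 IPs are the defanged
indicators published on the page.
"""
import ipaddress
from dataclasses import dataclass

# Defanged indicators exactly as published on the page.
GHOSTENGINE_C2 = ("93.95.228[.]47", "93.184.221[.]240", "111.90.143[.]130")

# Extensions that make a PowerShell download worth a look (assumed list).
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".zip")

# Constructed sample log: ts src_ip dst_host method uri user_agent
SAMPLE_LOG = """\
2024-05-22T10:01:03Z 10.0.0.14 93.95.228.47 GET /stage.txt curl/8.4.0
2024-05-22T10:01:09Z 10.0.0.14 93.184.221.240 GET /update.exe Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-05-22T10:02:30Z 10.0.0.27 updates.example.com GET /patch.msi Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-05-22T10:03:11Z 10.0.0.31 www.example.org GET /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-22T10:04:45Z 10.0.0.14 111.90.143.130 POST /report curl/7.88.1
2024-05-22T10:05:02Z 10.0.0.31 10.0.5.20 GET /health curl/8.4.0
"""


@dataclass(frozen=True)
class HttpEvent:
    ts: str
    src: str
    dst: str        # Host header or SNI: a hostname or a literal IP
    method: str
    uri: str
    user_agent: str


def refang(iocs):
    """Turn '93.95.228[.]47' back into a matchable address."""
    return {ioc.replace("[.]", ".") for ioc in iocs}


def parse_log(text):
    """Parse the constructed space-separated format; the UA may contain spaces."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6:          # skip blank or truncated records
            events.append(HttpEvent(*parts))
    return events


def public_literal_ipv4(host):
    """True if host is a dotted quad outside private/reserved space.

    Dotted-quad requests to RFC 1918 space (internal APIs, health checks)
    are normal and would otherwise flood the rules with false positives.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                  # a hostname, not an address
    return isinstance(addr, ipaddress.IPv4Address) and addr.is_global


def run_rules(ev, c2_ips):
    """Apply the page's two custom rules plus an IOC match to one event."""
    hits = []
    direct_ip = public_literal_ipv4(ev.dst)
    ua = ev.user_agent
    # Rule 1: PowerShell fetching an executable-looking file, or talking
    # straight to a public IP with no hostname involved.
    if "WindowsPowerShell" in ua and (
        direct_ip or ev.uri.lower().endswith(PAYLOAD_EXTENSIONS)
    ):
        hits.append("Outbound Suspicious PowerShell Activity")
    # Rule 2: curl user agent to a public dotted quad.
    if ua.lower().startswith("curl/") and direct_ip:
        hits.append("Outbound CURL to DottedQuad")
    # IOC match: destination is a published GHOSTENGINE C2 address.
    if ev.dst in c2_ips:
        hits.append("Known GHOSTENGINE C2 (IOC match)")
    return hits


def detect(text, iocs=GHOSTENGINE_C2):
    """Return (ts, src, dst, [rule names]) for every event that fires."""
    c2_ips = refang(iocs)
    results = []
    for ev in parse_log(text):
        hits = run_rules(ev, c2_ips)
        if hits:
            results.append((ev.ts, ev.src, ev.dst, hits))
    return results


if __name__ == "__main__":
    for ts, src, dst, hits in detect(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {', '.join(hits)}")
```

Run against the constructed log, three of the six records fire, all from the same source host: the two curl requests and the PowerShell download to literal C2 addresses. The PowerShell download of an `.msi` from a named host, the browser traffic, and the curl health check to an internal address stay quiet, which is the behaviour you want before pointing a rule like this at production proxy logs.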
Conclusion
As outlined in the Gartner SOC Visibility Triad, an organization should combine EDR, NDR, and SIEM for comprehensive protection and visibility. GHOSTENGINE’s EDR-killing capability highlights the importance of multiple, independent layers of protection, so that one tool can pick up where another fails. IronNet’s Collective Defense solution provides organizations with network detections and community correlations that detect activity like this even when an endpoint tool misses it. Because it operates from a network tap and requires no software on client machines, IronNet’s sensor cannot be disabled by client-side bypass techniques such as the driver abuse used here; its coverage is bounded instead by which network segments are tapped. While GHOSTENGINE is a crypto miner aimed at making money at scale, the next use of this technique could pose a much greater cyber risk.
_________
INTERESTED IN LEARNING MORE ABOUT COLLECTIVE DEFENSE?
Contact us to speak to our team of cybersecurity experts or request a demo to see Collective Defense in action.
Facts Only
Elastic Security Labs published a blog detailing GHOSTENGINE, a crypto miner.
GHOSTENGINE belongs to an intrusion set, also reported as HIDDENSHOVEL, that disables endpoint security solutions (EDRs).
The malware targets victim hosts to execute cryptocurrency mining functions.
GHOSTENGINE abuses vulnerable drivers to disable EDR components.
Network Detection and Response (NDR) solutions, such as IronNet’s Collective Defense, detect network anomalies unaffected by EDR bypass techniques.
IronNet reports 157 IronDefense NDR detections covering aspects of GHOSTENGINE’s C2 activity.
Five Collective Defense correlations were identified for GHOSTENGINE network alerts.
IronRadar discovered a unique X.509 certificate indicator linked to GHOSTENGINE.
Custom detection rules include monitoring for suspicious PowerShell activity and curl traffic to dotted-quad IPs.
Identified GHOSTENGINE C2 servers include IPs: 93.95.228.47, 93.184.221.240, and 111.90.143.130.
The Gartner SOC Visibility Triad recommends combining EDR, NDR, and SIEM for comprehensive security.
IronNet’s solution operates as a network tap, avoiding client-side modifications and bypass risks.
Executive Summary
Full Take
The strongest version of this narrative underscores a critical shift in cybersecurity threats: the weaponization of anti-EDR techniques by relatively low-stakes malware like GHOSTENGINE. The analysis rightly highlights how such methods could escalate, posing graver risks if adopted by advanced persistent threats. The emphasis on layered defenses—EDR, NDR, and SIEM—aligns with established frameworks, and the case for NDR’s resilience against client-side evasion is compelling. IronNet’s Collective Defense is positioned as a robust solution, leveraging network-level visibility and community-driven intelligence to detect threats that bypass endpoint protections.
Pattern scan reveals a subtle appeal to authority (ARC-0012 Borrowed Credibility) through references to Gartner’s SOC Visibility Triad, which lends weight to the argument for multi-layered security. The framing of GHOSTENGINE as a "harbinger" of worse attacks introduces a mild fear appeal (ARC-0031 Preemptive Threat Inflation), though it remains grounded in plausible technical evolution. The narrative avoids overt distortion but leans into the assumption that EDR alone is insufficient—a valid point, though the commercial interest in promoting NDR solutions is an unstated context.
Root cause: The paradigm here is the arms race between attackers and defenders, where even commoditized malware now employs tactics once reserved for state-sponsored actors. The unstated assumption is that enterprises over-rely on EDR, creating a single point of failure. Historically, this echoes the cycle of security tools being bypassed, forcing defenders to adopt deeper visibility layers—from signatures to heuristics to behavioral analysis, and now to network-centric detection.
Implications for human agency: Organizations face a dilemma—balancing cost, complexity, and effectiveness in security stacks. The push for NDR solutions benefits vendors like IronNet but also empowers defenders with tools less susceptible to client-side manipulation. The second-order consequence is a potential overcorrection, where enterprises invest in redundant layers without addressing foundational gaps like patch management or user training.
Bridge questions: How might smaller organizations, lacking resources for multi-layered defenses, adapt to this threat landscape? What evidence would indicate that anti-EDR techniques are being adopted by more destructive malware families? Could the reliance on network-level detection introduce new blind spots, such as encrypted or peer-to-peer C2 traffic?
Counterstrike scan: A coordinated influence campaign pushing this narrative would exaggerate the immediacy of the threat, downplay the effectiveness of existing EDR solutions, and frame NDR as the sole remedy—possibly while omitting cost or implementation challenges. The actual content avoids these pitfalls, presenting a measured technical assessment with clear commercial ties but no overt manipulation. The alignment with the hypothetical attack playbook is minimal, suggesting a legitimate security discussion rather than a coordinated push.
