Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Sigma rule (View on GitHub)
1title: Windows Filtering Platform Blocked Connection From EDR Agent Binary
2id: bacf58c6-e199-4040-a94f-95dea0f1e45a
3status: experimental
4description: |
5 Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
6 Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
7references:
8 - https://github.com/netero1010/EDRSilencer
9 - https://github.com/amjcyber/EDRNoiseMaker
10 - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
11author: '@gott_cyber'
12date: 2024/01/08
13tags:
14 - attack.defense_evasion
15 - attack.t1562
16logsource:
17 product: windows
18 service: security
19 definition: 'Requirements: Audit Filtering Platform Connection needs to be enabled'
20detection:
21 selection:
22 EventID: 5157
23 Application|endswith:
24 - '\AmSvc.exe' # Cybereason
25 - '\cb.exe' # Carbon Black EDR
26 - '\CETASvc.exe' # TrendMicro Apex One
27 - '\CNTAoSMgr.exe' # TrendMicro Apex One
28 - '\CrAmTray.exe' # Cybereason
29 - '\CrsSvc.exe' # Cybereason
30 - '\CSFalconContainer.exe' # CrowdStrike Falcon
31 - '\CSFalconService.exe' # CrowdStrike Falcon
32 - '\CybereasonAV.exe' # Cybereason
33 - '\CylanceSvc.exe' # Cylance
34 - '\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR
35 - '\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR
36 - '\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR
37 - '\EIConnector.exe' # ESET Inspect
38 - '\elastic-agent.exe' # Elastic EDR
39 - '\elastic-endpoint.exe' # Elastic EDR
40 - '\EndpointBasecamp.exe' # TrendMicro Apex One
41 - '\ExecutionPreventionSvc.exe' # Cybereason
42 - '\filebeat.exe' # Elastic EDR
43 - '\fortiedr.exe' # FortiEDR
44 - '\hmpalert.exe' # Sophos EDR
45 - '\hurukai.exe' # Harfanglab EDR
46 - '\LogProcessorService.exe' # SentinelOne
47 - '\mcsagent.exe' # Sophos EDR
48 - '\mcsclient.exe' # Sophos EDR
49 - '\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
50 - '\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
51 - '\Ntrtscan.exe' # TrendMicro Apex One
52 - '\PccNTMon.exe' # TrendMicro Apex One
53 - '\QualysAgent.exe' # Qualys EDR
54 - '\RepMgr.exe' # Carbon Black Cloud
55 - '\RepUtils.exe' # Carbon Black Cloud
56 - '\RepUx.exe' # Carbon Black Cloud
57 - '\RepWAV.exe' # Carbon Black Cloud
58 - '\RepWSC.exe' # Carbon Black Cloud
59 - '\sedservice.exe' # Sophos EDR
60 - '\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
61 - '\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
62 - '\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
63 - '\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
64 - '\SentinelAgent.exe' # SentinelOne
65 - '\SentinelAgentWorker.exe' # SentinelOne
66 - '\SentinelBrowserNativeHost.exe' # SentinelOne
67 - '\SentinelHelperService.exe' # SentinelOne
68 - '\SentinelServiceHost.exe' # SentinelOne
69 - '\SentinelStaticEngine.exe' # SentinelOne
70 - '\SentinelStaticEngineScanner.exe' # SentinelOne
71 - '\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)
72 - '\sophos ui.exe' # Sophos EDR
73 - '\sophosfilescanner.exe' # Sophos EDR
74 - '\sophosfs.exe' # Sophos EDR
75 - '\sophoshealth.exe' # Sophos EDR
76 - '\sophosips.exe' # Sophos EDR
77 - '\sophosLivequeryservice.exe' # Sophos EDR
78 - '\sophosnetfilter.exe' # Sophos EDR
79 - '\sophosntpservice.exe' # Sophos EDR
80 - '\sophososquery.exe' # Sophos EDR
81 - '\sspservice.exe' # Sophos EDR
82 - '\TaniumClient.exe' # Tanium
83 - '\TaniumCX.exe' # Tanium
84 - '\TaniumDetectEngine.exe' # Tanium
85 - '\TMBMSRV.exe' # TrendMicro Apex One
86 - '\TmCCSF.exe' # TrendMicro Apex One
87 - '\TmListen.exe' # TrendMicro Apex One
88 - '\TmWSCSvc.exe' # TrendMicro Apex One
89 - '\Traps.exe' # Palo Alto Networks Traps/Cortex XDR
90 - '\winlogbeat.exe' # Elastic EDR
91 - '\WSCommunicator.exe' # TrendMicro Apex One
92 - '\xagt.exe' # Trellix EDR
93 condition: selection
94falsepositives:
95 - Unlikely
96level: high
References
-
A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server. - netero1010/EDRSilencer
Read More -
Detect WFP filters blocking EDR communications. Contribute to amjcyber/EDRNoiseMaker development by creating an account on GitHub.
Read More -
Here are some of the indicators that we can go for if the EDR telemetry data flow has been “blocked” due to any security events.
Read More
Related rules
- HackTool - EDRSilencer Execution
- Removal Of Index Value to Hide Schedule Task - Registry
- Removal Of SD Value to Hide Schedule Task - Registry
- Potential Suspicious Activity Using SeCEdit
- Diamond Sleet APT Scheduled Task Creation - Registry