HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
Sigma rule (View on GitHub)
1title: HackTool - EDRSilencer Execution - Filter Added
2id: 98054878-5eab-434c-85d4-72d4e5a3361b
3status: test
4description: |
5 Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
6references:
7 - https://github.com/netero1010/EDRSilencer
8author: Thodoris Polyzos (@SmoothDeploy)
9date: 2024-01-29
10modified: 2024-01-30
11tags:
12 - attack.defense-evasion
13 - attack.t1562
14logsource:
15 product: windows
16 service: security
17 definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
18detection:
19 selection:
20 EventID:
21 - 5441
22 - 5447
23 FilterName|contains: 'Custom Outbound Filter'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
- HackTool - EDRSilencer Execution
- IISReset Used to Stop IIS Services
- Diamond Sleet APT Scheduled Task Creation - Registry
- AWS SecurityHub Findings Evasion