HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Sigma rule (View on GitHub)

 1title: HackTool - EDRSilencer Execution - Filter Added
 2id: 98054878-5eab-434c-85d4-72d4e5a3361b
 3status: test
 4description: |
 5        Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
 6references:
 7    - https://github.com/netero1010/EDRSilencer
 8author: Thodoris Polyzos (@SmoothDeploy)
 9date: 2024-01-29
10modified: 2024-01-30
11tags:
12    - attack.defense-evasion
13    - attack.t1562
14logsource:
15    product: windows
16    service: security
17    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
18detection:
19    selection:
20        EventID:
21            - 5441
22            - 5447
23        FilterName|contains: 'Custom Outbound Filter'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top