HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Sigma rule

title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: experimental
description: |
        Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
    - https://github.com/netero1010/EDRSilencer
author: Thodoris Polyzos (@SmoothDeploy)
date: 2024/01/29
modified: 2024/01/30
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection:
        EventID:
            - 5441
            - 5447
        FilterName|contains: 'Custom Outbound Filter'
    condition: selection
falsepositives:
    - Unknown
level: high
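The rule's detection block is a single selection map: an event matches when its EventID is one of the listed values AND its FilterName contains the hardcoded string (Sigma string matching is case-insensitive by default). The following Python is an added illustration, not part of the rule or the Sigma project: it transcribes that selection into a small matcher and runs it over constructed Security-log records (the sample events and their field values are made up for the example; only EventID, FilterName and the "Custom Outbound Filter" string come from the rule). Event 5447 reports a changed WFP filter, and 5441 reports a filter already present when the Base Filtering Engine started, so the rule also catches a filter that was installed before auditing was switched on.

```python
"""Evaluate the EDRSilencer WFP-filter Sigma selection over constructed events."""

# Transcription of the rule's detection.selection block.
SELECTION = {
    "EventID": [5441, 5447],
    "FilterName|contains": "Custom Outbound Filter",
}


def field_matches(event, key, expected):
    """Apply one Sigma selection entry ('field' or 'field|modifier') to an event.

    A list of expected values is OR-ed, as in Sigma. Values are compared on their
    string form so EventID works whether the log pipeline emits int or str.
    """
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return any(str(value) == str(c) for c in candidates)
    if modifier == "contains":
        # Sigma string matching is case-insensitive unless |cased is given.
        return any(str(c).lower() in str(value).lower() for c in candidates)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """All entries of a Sigma selection map are AND-ed together."""
    return all(field_matches(event, key, exp) for key, exp in selection.items())


# Constructed sample records (not real logs). Field names follow the EventData
# names of the Security channel; LayerName/ProviderName values are assumptions.
SAMPLE_EVENTS = [
    # A filter change carrying the EDRSilencer filter name -> should alert.
    {"EventID": 5447, "FilterName": "Custom Outbound Filter",
     "LayerName": "ALE_AUTH_CONNECT_V4", "ProviderName": "Microsoft Corporation"},
    # Same filter seen at BFE start, EventID as string, lower-case name -> should alert.
    {"EventID": "5441", "FilterName": "custom outbound filter",
     "LayerName": "ALE_AUTH_CONNECT_V6", "ProviderName": "Microsoft Corporation"},
    # Ordinary filter change with an unrelated name -> no alert.
    {"EventID": 5447, "FilterName": "Block ICMP Redirect",
     "LayerName": "INBOUND_ICMP_ERROR_V4", "ProviderName": "Microsoft Corporation"},
    # Unrelated event type with no FilterName field -> no alert.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]


def alerts(events):
    """Return the events that satisfy the rule's condition ('selection')."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} FilterName={hit['FilterName']!r}")
```

Because the page's detection keys on a filter name rather than on a process image, the same matcher can be pointed at exported Security-channel events from any collector that preserves the FilterName field; the audit subcategory named in the rule's logsource definition must be enabled, otherwise neither 5441 nor 5447 is written.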
