HackTool - EDRSilencer Execution

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

Sigma rule (View on GitHub)

 1title: HackTool - EDRSilencer Execution
 2id: eb2d07d4-49cb-4523-801a-da002df36602
 3status: experimental
 4description: |
 5        Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
 6references:
 7    - https://github.com/netero1010/EDRSilencer
 8author: '@gott_cyber'
 9date: 2024-01-02
10tags:
11    - attack.defense-evasion
12    - attack.t1562
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        - Image|endswith: '\EDRSilencer.exe'
19        - OriginalFileName: 'EDRSilencer.exe'
20        - Description|contains: 'EDRSilencer'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: high

References

Related rules

to-top