HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
Sigma rule

title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: test
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high
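As an added example (not code from the Sigma project or the rule author), the following Python evaluates the rule's three OR'ed selection clauses, using Sigma's case-insensitive string matching, against constructed process_creation events. The events are made up for this illustration; they show that a renamed binary is still caught through the PE OriginalFileName or Description field.

```python
# The three clauses of `selection`. A YAML list of maps under a selection is
# OR'ed in Sigma, so any single clause matching fires the rule.
RULE_SELECTION = [
    {"field": "Image", "modifier": "endswith", "value": "\\EDRSilencer.exe"},
    {"field": "OriginalFileName", "modifier": None, "value": "EDRSilencer.exe"},
    {"field": "Description", "modifier": "contains", "value": "EDRSilencer"},
]


def clause_matches(event, clause):
    """Apply one Sigma clause (plain, |endswith or |contains) to an event."""
    actual = event.get(clause["field"])
    if actual is None:
        return False
    # Sigma string comparisons are case-insensitive by default.
    actual, expected = actual.lower(), clause["value"].lower()
    if clause["modifier"] == "endswith":
        return actual.endswith(expected)
    if clause["modifier"] == "contains":
        return expected in actual
    return actual == expected


def rule_matches(event):
    """True if any clause of the OR'ed selection matches the event."""
    return any(clause_matches(event, c) for c in RULE_SELECTION)


# Constructed sample events (Sysmon-style process_creation fields); the paths
# and the benign entry are invented for this example.
SAMPLE_EVENTS = [
    {"id": "ev1", "Image": "C:\\Users\\alice\\Downloads\\EDRSilencer.exe",
     "OriginalFileName": "EDRSilencer.exe", "Description": "EDRSilencer"},
    # Renamed on disk, but the PE version resource still carries the name.
    {"id": "ev2", "Image": "C:\\Temp\\update.exe",
     "OriginalFileName": "EDRSilencer.exe", "Description": "update"},
    # Renamed and OriginalFileName stripped, but Description still leaks it.
    {"id": "ev3", "Image": "C:\\Temp\\svc.exe",
     "OriginalFileName": "svc.exe", "Description": "EDRSilencer build"},
    {"id": "ev4", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad"},
]


def find_matches(events):
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # ['ev1', 'ev2', 'ev3']
```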
Related rules
- IISReset Used to Stop IIS Services
- Diamond Sleet APT Scheduled Task Creation - Registry
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM