HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to their server. The rule identifies the tool by its process image name and by PE metadata (original file name and file description), so it still fires when the binary is renamed on disk but keeps its version resource.
Sigma rule

title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: experimental
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high
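To show how the selection above behaves against process-creation telemetry, here is an added Python example (not code from the Sigma project or the rule author) that implements the rule's three matchers with Sigma's default case-insensitive string comparison and OR semantics for a list under `selection`; the events are constructed and the paths and metadata in them are hypothetical.

```python
# Added example: evaluates the EDRSilencer Sigma selection against
# process_creation events. Constructed events; not Sigma project code.

# Each tuple is (field, modifier, pattern) as written in the rule.
RULE_SELECTION = [
    ("Image", "endswith", "\\EDRSilencer.exe"),
    ("OriginalFileName", "equals", "EDRSilencer.exe"),
    ("Description", "contains", "EDRSilencer"),
]


def field_matches(value, modifier, pattern):
    """Sigma string matching is case-insensitive by default; a field that
    is absent from the event never matches."""
    if value is None:
        return False
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    if modifier == "equals":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event):
    """A list under 'selection' is OR-ed: any single item firing is enough."""
    return any(field_matches(event.get(f), m, p) for f, m, p in RULE_SELECTION)


# Constructed sample events (hypothetical paths and PE metadata).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\edrsilencer.exe",            # image name
     "OriginalFileName": "svchost.exe", "Description": "Host Process"},
    {"Image": "C:\\Temp\\update.exe",                          # renamed, but
     "OriginalFileName": "EDRSilencer.exe", "Description": ""},  # PE name kept
    {"Image": "C:\\Temp\\tool.exe", "OriginalFileName": "tool.exe",
     "Description": "EDRSilencer WFP helper"},                  # description
    {"Image": "C:\\Windows\\System32\\notepad.exe",            # benign
     "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad"},
    {"Image": "C:\\Program Files\\App\\App.exe"},               # missing fields
]


def alerts(events):
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting event indexes:", alerts(SAMPLE_EVENTS))  # [0, 1, 2]
```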
Related rules
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry