Format: sigma | Level: medium | Type: Hunting
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
Detection Query
selection:
    TargetObject|contains: \BFE\Parameters\Policy\Persistent\Filter\
filter_main_svchost:
    Image:
        - C:\Windows\System32\svchost.exe
        - C:\Windows\SysWOW64\svchost.exe
condition: selection and not 1 of filter_main_*
Author
Frack113
Created
2025-10-23
Data Sources
windows / Registry Set Events
Platforms
windows
References
- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
- https://www.huntress.com/blog/silencing-the-edr-silencers
- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
Tags
attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
Raw Content
title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
    - https://www.huntress.com/blog/silencing-the-edr-silencers
    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1562
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
    filter_main_svchost:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
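To make the rule's selection, filter and condition concrete, the following is an added Python example (not part of the Sigma rule or the Sigma project) that re-implements the detection logic shown in both the Detection Query and Raw Content sections above and runs it over a handful of constructed registry_set events. The event shape (`image`, `target_object`), the `RegistrySetEvent` class, the helper names and the sample GUIDs are assumptions made for the example; the path fragment and the svchost image paths are copied from the rule.

```python
"""Evaluate 'WFP Filter Added via Registry' over constructed registry_set events.

Added example, not part of the original rule page. Sigma string matching is
case-insensitive by default, so both sides are lower-cased before comparing.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Values copied from the rule.
WFP_FILTER_PATH_FRAGMENT = "\\BFE\\Parameters\\Policy\\Persistent\\Filter\\"
SVCHOST_IMAGES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\syswow64\\svchost.exe",
}


@dataclass(frozen=True)
class RegistrySetEvent:
    """Minimal registry_set event (assumed shape, e.g. a Sysmon Event ID 13 record)
    carrying only the two fields the rule inspects."""
    image: str
    target_object: str


def selection(event: RegistrySetEvent) -> bool:
    """selection: TargetObject|contains '\\BFE\\Parameters\\Policy\\Persistent\\Filter\\'."""
    return WFP_FILTER_PATH_FRAGMENT.lower() in event.target_object.lower()


def filter_main_svchost(event: RegistrySetEvent) -> bool:
    """filter_main_svchost: Image is one of the two svchost.exe paths."""
    return event.image.lower() in SVCHOST_IMAGES


def matches(event: RegistrySetEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_svchost(event)


def evaluate(events: Iterable[RegistrySetEvent]) -> List[RegistrySetEvent]:
    """Return the events the rule would flag."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); GUIDs are placeholders.
_FILTER_KEY = "HKLM\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\Filter\\"
_PROVIDER_KEY = "HKLM\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\Provider\\"
SAMPLE_EVENTS = [
    # 1. A user-writable binary writes a persistent WFP filter entry directly: flagged.
    RegistrySetEvent(
        image="C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
        target_object=_FILTER_KEY + "{00000000-0000-0000-0000-000000000001}",
    ),
    # 2. Same key written by svchost.exe: selection fires but the filter excludes it.
    RegistrySetEvent(
        image="C:\\Windows\\System32\\svchost.exe",
        target_object=_FILTER_KEY + "{00000000-0000-0000-0000-000000000002}",
    ),
    # 3. Case variant of the SysWOW64 svchost path: still excluded (case-insensitive).
    RegistrySetEvent(
        image="c:\\windows\\syswow64\\SVCHOST.EXE",
        target_object=_FILTER_KEY + "{00000000-0000-0000-0000-000000000003}",
    ),
    # 4. Write under the sibling Provider key: selection does not fire at all.
    RegistrySetEvent(
        image="C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
        target_object=_PROVIDER_KEY + "{00000000-0000-0000-0000-000000000004}",
    ),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT image={hit.image} target={hit.target_object}")
```

Two points the sample events make visible: the fragment ends in `Filter\`, so only entries beneath the `Filter` key match and writes to the neighbouring `Provider` key do not, and because every registry write performed by `svchost.exe` is excluded, the rule surfaces only direct writes to that key by other images. That exclusion is the trade-off behind the medium level and the Hunting type; when tuning, review what legitimately writes under `\BFE\Parameters\Policy\Persistent\Filter\` in your own telemetry before promoting it to an alert.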