sigmahighHunting

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

MITRE ATT&CK

T1562

defense-evasion

Detection Query

selection:
  EventID:
    - 5441
    - 5447
  FilterName|contains: Custom Outbound Filter
condition: selection

Author

Thodoris Polyzos (@SmoothDeploy)

Created

2024-01-29

Data Sources

windowssecurity

Platforms

windows

References

https://github.com/netero1010/EDRSilencer

Tags

attack.defense-evasionattack.t1562

Raw Content

title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: test
description: |
    Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
    - https://github.com/netero1010/EDRSilencer
author: Thodoris Polyzos (@SmoothDeploy)
date: 2024-01-29
modified: 2024-01-30
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection:
        EventID:
            - 5441
            - 5447
        FilterName|contains: 'Custom Outbound Filter'
    condition: selection
falsepositives:
    - Unknown
level: high