sigmahighHunting

HackTool - EDRSilencer Execution

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

MITRE ATT&CK

T1562

defense-evasion

Detection Query

selection:
  - Image|endswith: \EDRSilencer.exe
  - OriginalFileName: EDRSilencer.exe
  - Description|contains: EDRSilencer
condition: selection

Author

@gott_cyber

Created

2024-01-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/netero1010/EDRSilencer

Tags

attack.defense-evasionattack.t1562

Raw Content

title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: test
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high