Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Thodoris PolyzosCreated Mon Jan 29Updated Tue Jan 3098054878-5eab-434c-85d4-72d4e5a3361bwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

Requirements: Audit Filtering Platform Policy Change needs to be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID:
            - 5441
            - 5447
        FilterName|contains: 'Custom Outbound Filter'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
98054878-5eab-434c-85d4-72d4e5a3361b
Status
test
Level
high
Type
Detection
Created
Mon Jan 29
Modified
Tue Jan 30
Author
Thodoris Polyzos
Path
rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
Raw Tags
attack.defense-evasionattack.t1562
View on GitHub