Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Windows Filtering Platform Blocked Connection From EDR Agent Binary

Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@gott_cyberCreated Mon Jan 08bacf58c6-e199-4040-a94f-95dea0f1e45awindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

Requirements: Audit Filtering Platform Connection needs to be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 5157
        Application|endswith:
            - '\AmSvc.exe' # Cybereason
            - '\cb.exe' # Carbon Black EDR
            - '\CETASvc.exe' # TrendMicro Apex One
            - '\CNTAoSMgr.exe' # TrendMicro Apex One
            - '\CrAmTray.exe' # Cybereason
            - '\CrsSvc.exe' # Cybereason
            - '\CSFalconContainer.exe' # CrowdStrike Falcon
            - '\CSFalconService.exe' # CrowdStrike Falcon
            - '\CybereasonAV.exe' # Cybereason
            - '\CylanceSvc.exe' # Cylance
            - '\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\EIConnector.exe' # ESET Inspect
            - '\elastic-agent.exe' # Elastic EDR
            - '\elastic-endpoint.exe' # Elastic EDR
            - '\EndpointBasecamp.exe' # TrendMicro Apex One
            - '\ExecutionPreventionSvc.exe' # Cybereason
            - '\filebeat.exe' # Elastic EDR
            - '\fortiedr.exe' # FortiEDR
            - '\hmpalert.exe' # Sophos EDR
            - '\hurukai.exe' # Harfanglab EDR
            - '\LogProcessorService.exe' # SentinelOne
            - '\mcsagent.exe' # Sophos EDR
            - '\mcsclient.exe' # Sophos EDR
            - '\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\Ntrtscan.exe' # TrendMicro Apex One
            - '\PccNTMon.exe' # TrendMicro Apex One
            - '\QualysAgent.exe' # Qualys EDR
            - '\RepMgr.exe' # Carbon Black Cloud
            - '\RepUtils.exe' # Carbon Black Cloud
            - '\RepUx.exe' # Carbon Black Cloud
            - '\RepWAV.exe' # Carbon Black Cloud
            - '\RepWSC.exe' # Carbon Black Cloud
            - '\sedservice.exe' # Sophos EDR
            - '\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SentinelAgent.exe' # SentinelOne
            - '\SentinelAgentWorker.exe' # SentinelOne
            - '\SentinelBrowserNativeHost.exe' # SentinelOne
            - '\SentinelHelperService.exe' # SentinelOne
            - '\SentinelServiceHost.exe' # SentinelOne
            - '\SentinelStaticEngine.exe' # SentinelOne
            - '\SentinelStaticEngineScanner.exe' # SentinelOne
            - '\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)
            - '\sophos ui.exe' # Sophos EDR
            - '\sophosfilescanner.exe' # Sophos EDR
            - '\sophosfs.exe' # Sophos EDR
            - '\sophoshealth.exe' # Sophos EDR
            - '\sophosips.exe' # Sophos EDR
            - '\sophosLivequeryservice.exe' # Sophos EDR
            - '\sophosnetfilter.exe' # Sophos EDR
            - '\sophosntpservice.exe' # Sophos EDR
            - '\sophososquery.exe' # Sophos EDR
            - '\sspservice.exe' # Sophos EDR
            - '\TaniumClient.exe' # Tanium
            - '\TaniumCX.exe' # Tanium
            - '\TaniumDetectEngine.exe' # Tanium
            - '\TMBMSRV.exe' # TrendMicro Apex One
            - '\TmCCSF.exe' # TrendMicro Apex One
            - '\TmListen.exe' # TrendMicro Apex One
            - '\TmWSCSvc.exe' # TrendMicro Apex One
            - '\Traps.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\winlogbeat.exe' # Elastic EDR
            - '\WSCommunicator.exe' # TrendMicro Apex One
            - '\xagt.exe' # Trellix EDR
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
3
Resolving title…
ghoulsec.medium.com
MITRE ATT&CK
Rule Metadata
Rule ID
bacf58c6-e199-4040-a94f-95dea0f1e45a
Status
test
Level
high
Type
Detection
Created
Mon Jan 08
Author
@gott_cyber
Path
rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
Raw Tags
attack.defense-evasionattack.t1562
View on GitHub