
Summary
This rule detects potential execution of EDRSilencer, a bespoke tool that blocks outbound traffic from Endpoint Detection and Response (EDR) processes by adding Windows Filtering Platform (WFP) filters through the WFP APIs. It looks for the tool launching (EDRSilencer.exe) or for related processes whose command line indicates filtering activity (command lines containing 'blocked', excluding known benign variants). The detection relies on endpoint telemetry from Sysmon process-creation events, Windows Security event log 4688, and CrowdStrike ProcessRollup2 data, all mapped to the Endpoint data model. The SPL query aggregates on process information and related metadata (vendor, user, hashes, parent process, command line, and file paths) and applies a dedicated filter macro (windows_edrsilencer_execution_filter) so that tuned-out results can be excluded. An associated risk-based alert (RBA) tags the event as potential EDR tampering with the message “Potential EDRSilencer execution observed on $dest$ via $process$.” The rule surfaces drilldowns for per-user/destination context and for the last 7 days of related risk events. It lists explicit known false positives (legitimate maintenance or security workflows) and references a public repository for the tool. A true-positive test is provided using sample attack data. Because the match keys on the file name and on the 'blocked' string in the command line, a renamed copy invoked with arguments that avoid that string will not trigger it, so the rule is best paired with WFP filter telemetry from the host. Overall, the rule aims to identify attempts to disable or suppress EDR telemetry by blocking the EDR's outbound network traffic.
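The following is an added example, not Splunk's own content or the tool's code: it re-implements the matching, aggregation and RBA-message logic the summary describes in Python and runs it over constructed process-creation records shaped like Endpoint.Processes fields. The benign-variant substrings and the filter-macro path allowlist are stand-ins (assumptions) for the rule's real tuning lists, and the sample events, including the renamed copy that evades the match, are constructed, not captured telemetry.

```python
"""
Added example: emulate the EDRSilencer detection predicate, the
stats-style aggregation and the RBA message over constructed events.
Not Splunk's rule and not the tool; field names follow Endpoint.Processes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the Endpoint.Processes fields the rule aggregates on."""
    time: int
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str          # full command line
    process_path: str
    process_hash: str
    vendor_product: str


# Constructed sample telemetry (not real logs); hashes are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(1700000000, "WS-017", "CORP\\jdoe", "cmd.exe", "EDRSilencer.exe",
                 "EDRSilencer.exe blockedr", "C:\\Users\\jdoe\\Downloads\\EDRSilencer.exe",
                 "sha256=AAAA", "Sysmon"),
    ProcessEvent(1700000060, "WS-017", "CORP\\jdoe", "cmd.exe", "EDRSilencer.exe",
                 "EDRSilencer.exe blockedr", "C:\\Users\\jdoe\\Downloads\\EDRSilencer.exe",
                 "sha256=AAAA", "Sysmon"),
    # Renamed copy: the file name no longer matches, but 'blockedr' in the args does.
    ProcessEvent(1700000300, "SRV-02", "CORP\\svc_backup", "powershell.exe", "upd.exe",
                 "upd.exe blockedr", "C:\\Temp\\upd.exe", "sha256=AAAA", "CrowdStrike Falcon"),
    # Renamed copy with 'block <path>': neither the name nor 'blocked' matches (evades).
    ProcessEvent(1700000400, "SRV-02", "CORP\\svc_backup", "powershell.exe", "upd.exe",
                 "upd.exe block C:\\Program Files\\EDR\\sensor.exe", "C:\\Temp\\upd.exe",
                 "sha256=AAAA", "CrowdStrike Falcon"),
    # Benign: an admin script whose arguments happen to contain 'blocked'.
    ProcessEvent(1700000500, "WS-099", "CORP\\admin", "explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\Scripts\\report-blocked-senders.ps1",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "sha256=BBBB", "Windows Security"),
]

# Stand-ins (assumptions) for the rule's benign-variant exclusions and for the
# windows_edrsilencer_execution_filter tuning macro; the real lists differ.
BENIGN_BLOCKED_SUBSTRINGS = ("report-blocked-senders",)
FILTER_MACRO_EXCLUDED_PATHS = ("C:\\Program Files\\ApprovedTooling\\",)


def matches_edrsilencer(ev: ProcessEvent) -> bool:
    """Detection predicate as the summary describes it: tool name, or 'blocked' in the command line."""
    if ev.process_name.lower() == "edrsilencer.exe":
        return True
    cmd = ev.process.lower()
    return "blocked" in cmd and not any(b in cmd for b in BENIGN_BLOCKED_SUBSTRINGS)


def passes_filter_macro(ev: ProcessEvent) -> bool:
    """Emulates the filter macro: drop results from tuned-out paths."""
    return not ev.process_path.startswith(FILTER_MACRO_EXCLUDED_PATHS)


def run_detection(events):
    """Aggregate matches the way `stats count min(_time) max(_time) by <fields>` would."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not (matches_edrsilencer(ev) and passes_filter_macro(ev)):
            continue
        key = (ev.dest, ev.user, ev.parent_process_name, ev.process_name,
               ev.process, ev.process_path, ev.process_hash, ev.vendor_product)
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = ev.time if g["firstTime"] is None else min(g["firstTime"], ev.time)
        g["lastTime"] = ev.time if g["lastTime"] is None else max(g["lastTime"], ev.time)
    results = []
    for key, g in groups.items():
        dest, user, parent, name, process, path, digest, vendor = key
        results.append({
            "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": name, "process": process, "process_path": path,
            "process_hash": digest, "vendor_product": vendor, **g,
            # RBA message template from the rule with $dest$ and $process$ substituted
            "risk_message": f"Potential EDRSilencer execution observed on {dest} via {process}.",
        })
    return results


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["count"], r["risk_message"])
```

Running it yields two aggregated results (the two identical EDRSilencer.exe launches collapse into one row with count 2, and the renamed copy is caught only because its argument still contains 'blocked'); the `block <path>` invocation of the renamed copy produces nothing, which is the evasion the summary's caveat refers to.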
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Script
- WMI
- Logon Session
- Module
- Kernel
- Driver
ATT&CK Techniques
- T1685
- T1562
Created: 2026-04-13