
Summary
This detection rule identifies execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to evade Endpoint Detection and Response (EDR) products. EDRSilencer installs WFP filters that block outbound network traffic from the processes of known EDR agents; the agent keeps running, but it can no longer send telemetry or alerts to its management backend.

The rule monitors the Windows Security events raised when WFP filtering policy changes: Event ID 5447 (a Windows Filtering Platform filter has been changed) and Event ID 5441 (a filter was present when the Base Filtering Engine started, which catches a persistent filter after a reboot). It alerts when the filter name is 'Custom Outbound Filter', the name EDRSilencer gives the filters it adds. A match indicates a possible defense evasion attempt by an adversary.

For the detection to work at all, the 'Audit Filtering Platform Policy Change' subcategory (under Policy Change) must be enabled on the host; these events are not logged by default. Because the filter name is a string in the tool's source, a recompiled or modified variant can rename it, so the rule should be treated as a high-confidence detection for the stock tool rather than full coverage of the technique.

False positives are listed as 'Unknown'. Any match should be triaged by checking which process and account made the change (the ProcessId and UserName fields of the 5447 event) and whether the filter's conditions target EDR executables.
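The matching logic described above, run over constructed sample events, as an added example that is not part of the original rule or page. It assumes the Security events are available as the XML that Windows renders for them (the standard Event/System/EventData layout with Data Name="FilterName"); the sample events, including their ProcessId, UserName, LayerName and ProviderName values, are constructed here for illustration and are not captured EDRSilencer output. Only EventID and FilterName drive the match, as in the rule; the other fields are what an analyst would pull for triage.

```python
"""Match Windows Security events for EDRSilencer-style WFP filter changes.

Added example, not the rule's own code. The events below are constructed
to look like Security-channel XML; field values are illustrative.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs from the Audit Filtering Platform Policy Change subcategory:
# 5447 = a WFP filter has been changed, 5441 = filter present at BFE start.
WFP_POLICY_EVENT_IDS = {5441, 5447}
# Filter name EDRSilencer assigns to the block filters it installs.
SUSPECT_FILTER_NAME = "Custom Outbound Filter"


def make_event(event_id, **data):
    """Build a minimal Security-channel event as XML (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}">'
        f'<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
        f'<Computer>ws01.example.local</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


def parse_event(xml_text):
    """Flatten an event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **data}


def is_edrsilencer_filter(event):
    """The rule's selection: WFP policy-change event naming the known filter."""
    return (
        event["EventID"] in WFP_POLICY_EVENT_IDS
        and event.get("FilterName") == SUSPECT_FILTER_NAME
    )


def detect(xml_events):
    """Return the parsed events that match, in input order."""
    return [ev for ev in map(parse_event, xml_events) if is_edrsilencer_filter(ev)]


def triage_line(event):
    """One-line summary with the fields an analyst checks first."""
    return (
        f"{event['EventID']}: filter '{event.get('FilterName')}' "
        f"action={event.get('Action', '?')} layer={event.get('LayerName', '?')} "
        f"pid={event.get('ProcessId', 'n/a')} user={event.get('UserName', 'n/a')}"
    )


# Constructed sample log: two should match, two should not.
SAMPLE_EVENTS = [
    # Filter added at runtime with the EDRSilencer name (matches).
    make_event(5447, ProcessId="4212", UserName="SYSTEM", ChangeType="Add",
               FilterName="Custom Outbound Filter", FilterType="Persistent",
               LayerName="ALE Connect v4 Layer", Action="Block",
               ProviderName="Custom Outbound Provider"),
    # Ordinary firewall-managed filter change: same event ID, different name (no match).
    make_event(5447, ProcessId="1312", UserName="SYSTEM", ChangeType="Add",
               FilterName="Block Outbound Default Rule", FilterType="Persistent",
               LayerName="ALE Connect v4 Layer", Action="Block",
               ProviderName="Microsoft Windows Firewall"),
    # Same filter enumerated when the Base Filtering Engine starts after a reboot (matches).
    make_event(5441, FilterName="Custom Outbound Filter", FilterType="Persistent",
               LayerName="ALE Connect v6 Layer", Action="Block",
               ProviderName="Custom Outbound Provider"),
    # A connection actually blocked by a filter: different subcategory, out of scope (no match).
    make_event(5157, Application="\\device\\harddiskvolume3\\edr\\agent.exe",
               Direction="Outbound", FilterRTID="78105", LayerName="Connect"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(triage_line(hit))
```

On a real host the events come from the Security log only after the subcategory is enabled, for example with `auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable`; the 5441 case is why the rule covers both IDs, since a persistent filter that was added before logging was enabled is still listed when the Base Filtering Engine restarts.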
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
Created: 2024-01-29