WFP Filter Added via Registry

Rule Info

Name: WFP Filter Added via Registry
Author: Frack113
Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
Date: 2025-10-23 00:00:00
Modified: None
Id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
Type: Community Rule

Rule History

Author: frack113
Title: Merge PR #5111 from @frack113 - Add `WFP Filter Added via Registry`
Date: 2025-10-28
Commit: