WFP Filter Added via Registry

Rule Info

| Field | Value |
|---|---|
| Name | WFP Filter Added via Registry |
| Author | Frack113 |
| Description | Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events. |
| Date | 2025-10-23 00:00:00 |
| Modified | None |
| Id | 1f1d8209-636e-4c6c-a137-781cca8b82f9 |
| Tags | attack.execution attack.defense-impairment attack.t1685 attack.t1569.002 |
| Type | Community Rule |

Rule History

| Author | Title | Date | Commit |
|---|---|---|---|
| Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 | |
| frack113 | Merge PR #5111 from @frack113 - Add `WFP Filter Added via Registry` | 2025-10-28 | |