
Rule Info
Name
WFP Filters Blocking EDR Communication - Registry
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects registry modifications where the Windows Filtering Platform (WFP) is used to block connections of security products such as EDRs, antivirus, and other security agents by altering firewall rules.
This behavior could be an indication of hacktools such as EDRSilencer, which abuse WFP to disrupt EDR communications by creating filters that target EDR services and processes.
Date
2025-02-18 00:00:00
Modified
None
Id
85319dbe-79aa-47c1-af9f-43c1b4ea1f8c
Tags
attack.defense-evasion attack.t1562
Type
Nextron Sigma feed only (private)