Techniques
Sample rules
Windows EDRSilencer Execution
- source: splunk
- technicques:
- T1685
Description
Detects the usage of EDRSilencer. Inspired by the closed-source FireBlock tool from MdSec NightHawk, this custom tool was developed to block outbound traffic of running Endpoint Detection and Response (EDR) processes using Windows Filtering Platform (WFP) APIs. Its features include searching for running EDR processes and applying WFP filters to block outbound traffic, adding filters for specific processes, and removing filters either individually or globally. The tool includes a custom implementation to avoid file handle access issues with EDR processes by bypassing the CreateFileW API. It supports a wide range of EDRs, including Microsoft Defender, Carbon Black, SentinelOne, and more, though further testing on various EDRs is recommended. The tool has been tested on Windows 10 and Windows Server 2016, and its usage involves simple commands for blocking or unblocking traffic.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_name="EDRSilencer.exe"
OR
(
Processes.process="*blockedr *"
NOT Processes.process="*blockedreport*"
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_edrsilencer_execution_filter`