EDRSilencer: When Your EDR Is Running, Detecting Everything, and Alerting on Nothing – The Silent Threat to Modern SOCs + Video

Listen to this Post

Featured Image

Introduction:

Your EDR is running. It’s detecting every suspicious process, every anomalous behavioral pattern, every potential indicator of compromise. But your SOC sees nothing. No alerts. No telemetry. Complete radio silence. This isn’t a system failure—it’s a targeted attack. EDRSilencer, an open-source red team tool originally designed for penetration testing, has been weaponized by threat actors to exploit the Windows Filtering Platform (WFP) and silently sever the connection between EDR agents and their cloud-based management consoles. The agent keeps running, detections keep firing internally, but nothing reaches the cloud. Your security team is flying blind.

Learning Objectives:

  • Understand how EDRSilencer leverages the Windows Filtering Platform (WFP) to block EDR outbound traffic without terminating security processes
  • Learn to identify and monitor for WFP filter creation, hosts file manipulation, NRPT rules, and other defense evasion techniques
  • Develop detection and mitigation strategies to counter EDRSilencer and similar tools in your enterprise environment
  1. Understanding the Windows Filtering Platform (WFP) and EDRSilencer’s Core Mechanism

The Windows Filtering Platform (WFP) is a powerful framework built into Windows that provides APIs for developers to create custom rules for filtering network traffic based on criteria such as IP addresses, ports, protocols, and applications. It’s the backbone of Windows Firewall and is used by legitimate security applications to protect systems. EDRSilencer weaponizes this legitimate framework by dynamically identifying running EDR processes and creating WFP filters to block their outbound network communications on both IPv4 and IPv6.

The tool doesn’t terminate or uninstall EDR products—which would raise immediate alarms—it simply prevents them from sending telemetry or alerts to their management consoles. The EDR agent continues running, detections continue firing locally, but nothing reaches the cloud. The filters are persistent, surviving system reboots.

Step‑by‑step guide: How EDRSilencer Works

  1. Process Discovery: The tool scans the system for running processes associated with known EDR agents using a hardcoded list of process names. Supported EDRs include Microsoft Defender for Endpoint, SentinelOne, CrowdStrike, Carbon Black, Cortex XDR, Elastic EDR, FortiEDR, ESET, TrendMicro, and more.

  2. WFP Filter Creation: For each detected EDR process, EDRSilencer uses WFP APIs to add a filter that blocks all outbound IPv4 and IPv6 traffic from that process. The tool uses a custom implementation of `FwpmGetAppIdFromFileName0` to construct the application ID without invoking CreateFileW, thereby bypassing EDR self-defense mechanisms that would otherwise detect and block the attempt.

  3. Filter Persistence: The WFP filters are persistent and remain active across system reboots, ensuring continued EDR silencing.

  4. In-Memory Execution: EDRSilencer supports execution via C2 frameworks with in-memory PE execution modules (e.g., BruteRatel’s memexec), enabling fileless deployment.

EDRSilencer Usage Commands:

EDRSilencer.exe blockedr  Block all detected EDR processes
EDRSilencer.exe block "C:\Path\Process.exe"  Block specific process
EDRSilencer.exe unblockall  Remove all WFP filters
EDRSilencer.exe unblock <filter_id>  Remove specific filter by ID

Compilation (Cross-Platform):

x86_64-w64-mingw32-gcc EDRSilencer.c utils.c -o EDRSilencer.exe -lfwpuclnt

2. Alternative Evasion Techniques: Hosts File Manipulation

Beyond WFP filters, attackers employ additional techniques to disrupt EDR communications. The hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, `/etc/hosts` on Linux) is the first point of lookup for DNS hostname resolution. By modifying the hosts file, adversaries can redirect EDR telemetry endpoints to non-existent or malicious IP addresses, effectively null-routing EDR outbound communications.

Step‑by‑step guide: Hosts File Manipulation for EDR Evasion

  1. Identify EDR Telemetry Endpoints: Determine the FQDNs your EDR solution uses for telemetry upload (e.g., .defender.microsoft.com, .sentinelone.net).

  2. Add Null Routing Entries: Append entries to the hosts file redirecting these domains to `127.0.0.1` or 0.0.0.0:

    127.0.0.1 .defender.microsoft.com
    127.0.0.1 telemetry.sentinelone.net
    

3. Flush DNS Cache: Apply changes immediately:

  • Windows: `ipconfig /flushdns`
    – Linux: `sudo systemd-resolve –flush-caches` or `sudo service nscd restart`
  1. Monitor for Changes: Security teams should monitor the hosts file for unauthorized modifications.

  2. Network Routing Policy Table (NRPT) Rules for DNS-Based Blocking

NRPT (Name Resolution Policy Table) is a Windows feature that allows administrators to configure custom DNS resolution policies for specific namespaces. Attackers can abuse NRPT to redirect EDR telemetry domains to sinkhole addresses, achieving the same effect as hosts file manipulation but at a deeper system level.

Step‑by‑step guide: NRPT Abuse for EDR Evasion

  1. Access NRPT Configuration: Use Group Policy or the `Set-DnsClientNrptRule` PowerShell cmdlet:
    Add-DnsClientNrptRule -1amespace ".defender.microsoft.com" -1ameServers "127.0.0.1"
    

  2. Apply Null Sinkholing: Configure the NRPT rule to redirect all queries for EDR domains to a non-routable address.

  3. Verify Enforcement: Use `nslookup` to confirm that queries are being redirected.

  4. Detection: Monitor for unexpected NRPT rule additions via Event ID 5447 (Filtering Platform Policy Change).

4. Firewall Rules and Null Sinkholing

Attackers can also create local firewall rules to block outbound connections from EDR processes. Windows Firewall with Advanced Security (WFAS) allows granular outbound blocking rules based on process paths or executable names.

Step‑by‑step guide: Firewall-Based EDR Blocking

1. Create Outbound Block Rule:

New-1etFirewallRule -DisplayName "Block EDR Telemetry" -Direction Outbound -Program "C:\Program Files\EDR\edr.exe" -Action Block
  1. Block by Port/IP: Alternatively, block specific destination IPs or ports:
    New-1etFirewallRule -DisplayName "Block EDR Cloud" -Direction Outbound -RemoteAddress 203.0.113.0/24 -Action Block
    

  2. Detection: Monitor for firewall rule creation events (Event ID 2004/2005) and unexpected outbound block rules.

Linux Counterpart (iptables/nftables):

sudo iptables -A OUTPUT -d 203.0.113.0/24 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner edr-user -j DROP

5. Detecting EDRSilencer: Sigma Rules and SIEM Queries

Defenders must proactively monitor for EDRSilencer execution and WFP filter creation. Several Sigma rules have been developed to detect this activity.

Sigma Rule: WFP Filter Added via Registry

Detects registry modifications that add Windows Filtering Platform (WFP) filters under HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\.

Sigma Rule: HackTool – EDRSilencer Execution – Filter Added
Detects execution of EDRSilencer based on Event ID 5441 and 5447 with filter names containing ‘Custom Outbound Filter’.

Splunk Detection Query:

| tstats count min(_time) as firstTime max(_time) as lastTime 
from datamodel=Endpoint.Processes where 
Processes.process_name="EDRSilencer.exe" OR 
(Processes.process="blockedr " NOT Processes.process="blockedreport") 
by Processes.process Processes.vendor_product

Windows Event Log Monitoring:

  • Enable Audit Process Creation (Success) to capture EDRSilencer.exe execution
  • Enable Audit Filtering Platform Policy Change to capture WFP filter additions (Event ID 5441, 5447)
  • Monitor registry modifications under `HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\`

Sysmon Configuration:

<ProcessCreate onmatch="exclude"/>

6. Mitigation and Hardening Strategies

Endpoint Hardening:

  • Enable Attack Surface Reduction (ASR) rules to block process injection and unauthorized WFP filter creation
  • Restrict administrative privileges and enforce least privilege principles
  • Deploy application control (AppLocker/Windows Defender Application Control) to block untrusted executables

Network-Level Defenses:

  • Implement Zero Trust DNS models to mitigate DNS-based attack vectors
  • Deploy network-based EDR telemetry monitoring to detect anomalies in EDR cloud communication patterns
  • Use egress filtering to detect and alert on EDR agents going silent

Continuous Monitoring:

  • Conduct regular threat hunting for WFP filter anomalies and process execution patterns
  • Ingest IOCs and techniques into endpoint security solutions
  • Consider behavior-based detection tools over signature-based tools

What Undercode Say:

  • Key Takeaway 1: EDRSilencer represents a paradigm shift in defense evasion—it doesn’t kill the EDR; it simply severs its voice. This makes detection significantly harder because the EDR remains “operational” from a surface-level inspection, yet completely blind from a SOC perspective.

  • Key Takeaway 2: The weaponization of legitimate Windows frameworks like WFP underscores a critical reality: security tools are only as effective as the telemetry they can transmit. If your SOC relies exclusively on cloud-based alerting without monitoring for WFP filter creation, you have a fundamental blind spot.

Analysis:

The open-source nature of EDRSilencer (1,446 stars, 184 forks on GitHub) has democratized advanced defense evasion techniques, making them accessible to threat actors with varying technical skill levels. The tool’s ability to run in-memory via C2 frameworks enables fileless execution, bypassing traditional file-based detection. Furthermore, the persistence of WFP filters across reboots ensures continued EDR silencing without requiring persistent presence of the tool itself. The threat landscape is evolving rapidly—EDR evasion tools are now sold as subscription services starting as low as $350 per month. Organizations must adopt a defense-in-depth strategy that includes endpoint hardening, network monitoring, and proactive threat hunting to counter these emerging threats.

Prediction:

  • +1 The increased awareness of EDRSilencer will drive innovation in EDR telemetry resilience, potentially leading to EDR solutions that use multiple outbound channels or fallback mechanisms to ensure alert delivery even when primary channels are blocked.

  • -1 As EDRSilencer and similar tools become more widely adopted, we will see a surge in “silent breaches”—compromises that go undetected for extended periods because EDR telemetry is being actively suppressed, leading to more severe ransomware and data exfiltration incidents.

  • -1 The commoditization of EDR evasion tools will lower the barrier to entry for ransomware affiliates, resulting in an increase in attacks targeting organizations with insufficient visibility into WFP filter creation and network telemetry anomalies.

  • +1 The security community will respond with enhanced detection rules (Sigma, Splunk, etc.) and improved monitoring frameworks, forcing attackers to evolve their techniques and creating a cat-and-mouse dynamic that ultimately strengthens defensive capabilities.

  • -1 Organizations that fail to monitor for WFP filter creation, hosts file modifications, and NRPT rule additions will remain vulnerable to EDRSilencer and similar tools, potentially facing significant financial and reputational damage from undetected breaches.

▶️ Related Video (70% Match):

https://www.youtube.com/watch?v=55GaIolVVqI

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Zahidoverflow File94jpg – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky