SilentButDeadly

SilentButDeadly is an open-source tool developed by researcher Ryan Framiñán. It is designed to interfere with endpoint detection and response (EDR) / antivirus (AV) software by blocking its network communications, rather than attacking it by terminating its processes.


It uses the Windows Filtering Platform (WFP), a framework built into Windows, to apply dynamic filters. These filters are applied to the processes belonging to EDR/AV software and block both outbound and inbound network traffic for those processes.

________________________________________

The tool works by:

* Checking that it has administrator privileges (needed for WFP access).

* Enumerating running processes and matching them against a known list of EDR/AV components (for example, “MsMpEng.exe” for Microsoft Defender, “SentinelAgent.exe” for SentinelOne).

* Setting up a WFP session marked “dynamic”, so that its filters are non-persistent by default (reducing artifacts) unless configured otherwise.

* Creating filters at specific WFP layers: outbound connections (FWPM_LAYER_ALE_AUTH_CONNECT_V4) and inbound accepts (FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4), with high priority (weight 0x7FFF) and AppID conditions tied to the target process.

* Optionally stopping the EDR/AV services, disabling their startup types, etc. (though the network blocking is the main feature), so that the tool disrupts remote management and telemetry of the EDR/AV.

Modern EDR/AV solutions often rely heavily on cloud-based telemetry, updates, behavioral intelligence, remote commands, etc.

If we cut off their communications, we can significantly degrade their effectiveness even though the agent is still running locally (no cloud updates, no telemetry upload, no remote management).

Because the tool doesn’t have to kill the process or perform kernel-level hooking or tampering, it may be stealthier and leave fewer persistent artifacts than more aggressive evasion techniques.

The use of “dynamic” WFP sessions means the filters are cleaned up when the session ends (unless explicitly made persistent), so forensic traces can be minimal.

It underscores a structural weakness in relying solely on cloud connectivity for EDR effectiveness. If the endpoint is isolated (or forced offline), the protection degrades.

If an EDR/AV uses its own kernel-level drivers for network filtering, or has protections that intercept or monitor the creation of WFP filters, the tool may be less effective. Some EDR vendors already monitor or filter WFP changes.

Even though it attempts stealth, the creation of WFP filters can show up in Windows event logs (e.g., Event IDs 5441, 5157), and service modifications (such as disabling EDR services) can be monitored.
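The detection side of the paragraph above, as an added example that is not code from the tool or its author: it scans parsed Security-log events for Event ID 5447 (“A Windows Filtering Platform filter has been changed”, the runtime counterpart of 5441, which lists filters present when the filtering engine starts) whose AppID condition names a known EDR binary on one of the two ALE layers listed earlier, and for 5157 blocked connections whose application is an EDR binary. The event dicts, filter names, PIDs and addresses are constructed samples that approximate real event fields, and `classify`/`hunt`/`edr_basename` are hypothetical helper names.

```python
import re

# EDR/AV binaries named in the post; extend with your own estate's agents.
EDR_BINARIES = {"msmpeng.exe", "sentinelagent.exe"}
# The two ALE layers the post says the tool places its block filters on.
SUSPECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4"}
HIGH_WEIGHT = 0x7FFF  # filter weight reported in the post

def edr_basename(path):
    """File name (lower-cased) if it is a known EDR binary, else None; works for
    Win32 paths and for the NT device paths that appear in AppID conditions."""
    name = re.split(r"[\\/]", path.lower())[-1]
    return name if name in EDR_BINARIES else None

def classify(ev):
    """Map one parsed Security event (dict) to a finding string, or None."""
    eid = ev.get("EventID")
    if eid == 5447 and ev.get("ChangeType") == "Add":
        # 5447: "A Windows Filtering Platform filter has been changed".
        target = edr_basename(ev.get("Conditions", ""))  # AppID condition text
        if target and ev.get("LayerName") in SUSPECT_LAYERS:
            hot = " (max weight)" if ev.get("Weight", 0) >= HIGH_WEIGHT else ""
            return (f"5447: block filter '{ev.get('FilterName')}' added for {target} "
                    f"at {ev['LayerName']}{hot} by PID {ev.get('ProcessId')}")
    if eid == 5157:
        # 5157: "The Windows Filtering Platform has blocked a connection".
        target = edr_basename(ev.get("Application", ""))
        if target:
            return (f"5157: connection by {target} to {ev.get('DestAddress')}:"
                    f"{ev.get('DestPort')} blocked by filter {ev.get('FilterId')}")
    return None

def hunt(events):
    """All findings for an iterable of events; non-matching events are skipped."""
    return [f for f in map(classify, events) if f]

# Constructed sample events approximating the fields of real 5447/5157 records.
SAMPLE_EVENTS = [
    {"EventID": 5447, "ChangeType": "Add", "ProcessId": 4120, "Weight": 0x7FFF,
     "FilterName": "constructed-block-msmpeng", "LayerName": "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
     "Conditions": r"FWPM_CONDITION_ALE_APP_ID == \device\harddiskvolume3\programdata\microsoft\windows defender\platform\msmpeng.exe"},
    {"EventID": 5447, "ChangeType": "Add", "ProcessId": 1312, "Weight": 10,
     "FilterName": "Core Networking - DNS", "LayerName": "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
     "Conditions": r"FWPM_CONDITION_ALE_APP_ID == \device\harddiskvolume3\windows\system32\svchost.exe"},
    {"EventID": 5157, "DestAddress": "203.0.113.10", "DestPort": 443, "FilterId": 70211,
     "Application": r"\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe"},
]

for finding in hunt(SAMPLE_EVENTS):  # the benign svchost.exe filter produces no finding
    print(finding)
```

In production, feed `hunt` the records your SIEM already parses from the Security channel and alert on 5447 hits first, since they precede the 5157 blocks.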

_________________________________________

Ensure that EDR/AV solutions have local intelligence and caching capability (i.e., they can operate even with limited cloud connectivity), so that network isolation doesn’t cripple them entirely.

Well, that was exciting. See you in the next one!