Detection rules › Sigma
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Defense Evasion | T1562 Impair Defenses |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
Stage 2: not 1 of filter_main_svchost
Image: ['C:\Windows\SysWOW64\svchost.exe', 'C:\Windows\System32\svchost.exe']
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | eq |
|
TargetObject | match |
|