HackTool - EDRSilencer Execution - Filter Added

Severity: high
Author: Thodoris Polyzos (@SmoothDeploy)
Source: upstream

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562` Impair Defenses

Event coverage

Provider	Event ID	Title
Security-Auditing	5441	The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Security-Auditing	5447	A Windows Filtering Platform filter has been changed.

Stages and Predicates

Stage 1: `selection`

FilterName|contains: 'Custom Outbound Filter'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`FilterName`	match	`Custom Outbound Filter`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

HackTool - NoFilter Execution [sigma]