Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked-connection event (Security event 5157) in which the blocked application is a common Endpoint Detection and Response (EDR) agent binary. Adversaries may install WFP filters to stop EDR agents from reporting security events to their management backend, so a block involving one of these binaries is worth triage. Note that event 5157 is only written when the Object Access subcategory Audit Filtering Platform Connection is enabled for Failure; confirm that audit setting is in place before relying on this rule.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562 Impair Defenses |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5157 | The Windows Filtering Platform has blocked a connection. |
Stages and Predicates

Stage 1: selection (the predicates below are OR'ed: any one Application suffix is enough)

```yaml
selection:
  Application|endswith:
    - '\AmSvc.exe'
    - '\CETASvc.exe'
    - '\CNTAoSMgr.exe'
    - '\CSFalconContainer.exe'
    - '\CSFalconService.exe'
    - '\CrAmTray.exe'
    - '\CrsSvc.exe'
    - '\CybereasonAV.exe'
    - '\CylanceSvc.exe'
    - '\CyveraService.exe'
    - '\CyvrFsFlt.exe'
    - '\EIConnector.exe'
    - '\EndpointBasecamp.exe'
    - '\ExecutionPreventionSvc.exe'
    - '\LogProcessorService.exe'
    - '\MsMpEng.exe'
    - '\MsSense.exe'
    - '\Ntrtscan.exe'
    - '\PccNTMon.exe'
    - '\QualysAgent.exe'
    - '\RepMgr.exe'
    - '\RepUtils.exe'
    - '\RepUx.exe'
    - '\RepWAV.exe'
    - '\RepWSC.exe'
    - '\SenseCncProxy.exe'
    - '\SenseIR.exe'
    - '\SenseNdr.exe'
    - '\SenseSampleUploader.exe'
    - '\SentinelAgent.exe'
    - '\SentinelAgentWorker.exe'
    - '\SentinelBrowserNativeHost.exe'
    - '\SentinelHelperService.exe'
    - '\SentinelServiceHost.exe'
    - '\SentinelStaticEngine.exe'
    - '\SentinelStaticEngineScanner.exe'
    - '\TMBMSRV.exe'
    - '\TaniumCX.exe'
    - '\TaniumClient.exe'
    - '\TaniumDetectEngine.exe'
    - '\TmCCSF.exe'
    - '\TmListen.exe'
    - '\TmWSCSvc.exe'
    - '\Traps.exe'
    - '\WSCommunicator.exe'
    - '\cb.exe'
    - '\cyserver.exe'
    - '\elastic-agent.exe'
    - '\elastic-endpoint.exe'
    - '\filebeat.exe'
    - '\fortiedr.exe'
    - '\hmpalert.exe'
    - '\hurukai.exe'
    - '\mcsagent.exe'
    - '\mcsclient.exe'
    - '\sedservice.exe'
    - '\sfc.exe'
    - '\sophos ui.exe'
    - '\sophosLivequeryservice.exe'
    - '\sophosfilescanner.exe'
    - '\sophosfs.exe'
    - '\sophoshealth.exe'
    - '\sophosips.exe'
    - '\sophosnetfilter.exe'
    - '\sophosntpservice.exe'
    - '\sophososquery.exe'
    - '\sspservice.exe'
    - '\winlogbeat.exe'
    - '\xagt.exe'
```
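To show what the selection above does on real-looking data, here is an added example (not the catalog's or the Sigma project's own code) that re-implements the rule in plain Python and runs it over constructed Security event 5157 records. The event dictionaries, record IDs and paths are constructed for the example; the field names (`Application`, `EventID`) follow the rule and the Windows event. In event 5157 the `Application` field is a lowercase device path such as `\device\harddiskvolume3\...`, which is why the suffix match is done case-insensitively, as Sigma's `endswith` modifier is.

```python
"""Plain-Python re-implementation of the Sigma selection above, applied to
constructed Security event 5157 records (added example, not the rule's own
tooling)."""

from typing import Iterable, List, Optional, Tuple

# Binary suffixes copied from the rule's selection. Sigma's |endswith modifier
# is case-insensitive, so both sides are lowercased before comparison.
EDR_BINARY_SUFFIXES = [
    r"\AmSvc.exe", r"\CETASvc.exe", r"\CNTAoSMgr.exe", r"\CSFalconContainer.exe",
    r"\CSFalconService.exe", r"\CrAmTray.exe", r"\CrsSvc.exe", r"\CybereasonAV.exe",
    r"\CylanceSvc.exe", r"\CyveraService.exe", r"\CyvrFsFlt.exe", r"\EIConnector.exe",
    r"\EndpointBasecamp.exe", r"\ExecutionPreventionSvc.exe", r"\LogProcessorService.exe",
    r"\MsMpEng.exe", r"\MsSense.exe", r"\Ntrtscan.exe", r"\PccNTMon.exe",
    r"\QualysAgent.exe", r"\RepMgr.exe", r"\RepUtils.exe", r"\RepUx.exe", r"\RepWAV.exe",
    r"\RepWSC.exe", r"\SenseCncProxy.exe", r"\SenseIR.exe", r"\SenseNdr.exe",
    r"\SenseSampleUploader.exe", r"\SentinelAgent.exe", r"\SentinelAgentWorker.exe",
    r"\SentinelBrowserNativeHost.exe", r"\SentinelHelperService.exe",
    r"\SentinelServiceHost.exe", r"\SentinelStaticEngine.exe",
    r"\SentinelStaticEngineScanner.exe", r"\TMBMSRV.exe", r"\TaniumCX.exe",
    r"\TaniumClient.exe", r"\TaniumDetectEngine.exe", r"\TmCCSF.exe", r"\TmListen.exe",
    r"\TmWSCSvc.exe", r"\Traps.exe", r"\WSCommunicator.exe", r"\cb.exe", r"\cyserver.exe",
    r"\elastic-agent.exe", r"\elastic-endpoint.exe", r"\filebeat.exe", r"\fortiedr.exe",
    r"\hmpalert.exe", r"\hurukai.exe", r"\mcsagent.exe", r"\mcsclient.exe",
    r"\sedservice.exe", r"\sfc.exe", r"\sophos ui.exe", r"\sophosLivequeryservice.exe",
    r"\sophosfilescanner.exe", r"\sophosfs.exe", r"\sophoshealth.exe", r"\sophosips.exe",
    r"\sophosnetfilter.exe", r"\sophosntpservice.exe", r"\sophososquery.exe",
    r"\sspservice.exe", r"\winlogbeat.exe", r"\xagt.exe",
]


def matches_edr_suffix(application: str) -> Optional[str]:
    """Return the rule suffix that the Application path ends with, or None.

    Returning the suffix (not just True) lets an alert say which agent binary
    was blocked, which is the first thing an analyst wants to know.
    """
    app = application.lower()
    for suffix in EDR_BINARY_SUFFIXES:
        if app.endswith(suffix.lower()):
            return suffix
    return None


def matches_rule(event: dict) -> Optional[str]:
    """Apply the whole rule: a Security-Auditing event 5157 AND the selection."""
    if event.get("Provider") != "Microsoft-Windows-Security-Auditing":
        return None
    if event.get("EventID") != 5157:  # 5156 (permitted connection) must not fire
        return None
    return matches_edr_suffix(event.get("Application", ""))


def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (RecordId, matched suffix) for every event the rule fires on."""
    hits = []
    for ev in events:
        suffix = matches_rule(ev)
        if suffix is not None:
            hits.append((ev["RecordId"], suffix))
    return hits


# Constructed sample events; paths mimic the device-path form of event 5157.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.10", "DestPort": "443"},
    {"RecordId": 2, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\program files\crowdstrike\csfalconservice.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.20", "DestPort": "443"},
    {"RecordId": 3, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\windows\system32\svchost.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.30", "DestPort": "80"},
    {"RecordId": 4, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5156,
     "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.10", "DestPort": "443"},
    {"RecordId": 5, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\program files\sophos\sophos ui.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.40", "DestPort": "443"},
]

if __name__ == "__main__":
    for record_id, suffix in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: WFP blocked EDR binary matching {suffix}")
```

Records 1, 2 and 5 fire (the last one shows that the space in `sophos ui.exe` is matched literally); record 3 is an unrelated blocked process and record 4 is a permitted connection (5156) for the same Defender binary, so neither fires. When porting this to a SIEM, keep the case-insensitive comparison: backends that translate `endswith` into a case-sensitive suffix test will silently miss the lowercase device paths that 5157 actually carries.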
Indicators
Each row is a field, operator and value set that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Application | ends_with | the 69 EDR agent binary names listed under Stage 1: selection |