A newly identified endpoint detection and response (EDR) evasion technique has emerged, highlighting significant architectural vulnerabilities within contemporary security software. This technique, known as SilentButDeadly, utilizes a sophisticated network communication blocker that takes advantage of the Windows Filtering Platform (WFP) to effectively neutralize EDR and antivirus solutions. It does so by disrupting their cloud connectivity without the need for process termination or kernel-level manipulation.
SilentButDeadly marks a notable advancement in EDR bypass strategies, building on foundational research from previous WFP-based evasion methods. Unlike earlier techniques that depended on persistent filtering mechanisms, this tool employs dynamic WFP sessions that automatically clean up upon program exit. This innovation minimizes forensic artifacts and operational risks while maintaining robust network isolation capabilities.
How the Attack Works
The operation of SilentButDeadly unfolds through a meticulously structured seven-phase execution sequence. Initially, it verifies administrator privileges via Windows API calls, followed by an extensive EDR discovery process that enumerates running processes and cross-references them against a predefined target list, which includes notable solutions such as SentinelOne, Windows Defender, and Windows Defender ATP.
During this discovery phase, the tool identifies critical processes like SentinelAgent.exe and MsMpEng.exe, determining which security solutions are actively safeguarding the system. Once this identification is complete, SilentButDeadly initializes the Windows Filtering Platform by establishing a dynamic session with high-priority filtering rules. This crucial step involves creating bidirectional network filters for each identified EDR process, effectively blocking both outbound telemetry transmission and inbound command-and-control communications.
This bidirectional filtering has profound implications: an isolated EDR agent can no longer pull cloud-based threat intelligence and signature updates, upload telemetry to the security operations center, receive remote management or response commands, or perform any real-time threat analysis that depends on cloud connectivity. Detection degrades to whatever the agent can decide locally, without the backend that normally enriches and acts on its data.
In addition to these network disruptions, SilentButDeadly attempts to disable EDR services, thwarting automatic restarts, disabling scheduled scans, halting background monitoring, and stopping update mechanisms. The cumulative effect of these actions effectively blinds security teams to endpoint-level threats while obstructing automated response mechanisms from functioning.
This technique underscores a fundamental architectural vulnerability in modern EDR deployments, specifically their critical dependence on network connectivity for essential security functions. Organizations that heavily rely on cloud-based threat detection and behavioral analysis face considerable risks when EDR solutions lose connectivity, as local detection capabilities are severely constrained.
To counteract this threat, security teams can monitor Windows event logs for signs of WFP filter creation, specifically looking for Event IDs 5441, 5157, and 5152. However, the dynamic nature of SilentButDeadly minimizes the creation of persistent forensic artifacts compared to earlier persistent filtering methods. Therefore, organizations are encouraged to implement real-time WFP monitoring, maintain redundant communication channels for EDR telemetry, utilize local event caching with delayed transmission, and leverage Windows protected process mechanisms to prevent unauthorized service manipulation.
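One way to operationalise the event-log monitoring described above, as an added example that is not part of the original article or of any EDR vendor's tooling: a small detector that scans Windows Filtering Platform block events (IDs 5152 and 5157, which carry the blocked application's path) for the EDR binaries the article names, and raises an alert when an agent is blocked repeatedly inside a short window. The event record field names (`time`, `event_id`, `application`), the alert threshold, and the sample log are assumptions constructed for this example, not the raw EVTX schema.

```python
"""Detect WFP block events aimed at EDR binaries (constructed sample log, assumed field names)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the article: 5152 (WFP blocked a packet), 5157 (WFP blocked a
# connection), 5441 (filter listed). Only the block events carry an application path.
WFP_BLOCK_EVENT_IDS = {5152, 5157}
# Processes the article names as SilentButDeadly's targets.
EDR_BINARIES = {"sentinelagent.exe", "msmpeng.exe"}


def binary_name(app_path: str) -> str:
    """Lower-cased basename from either a Win32 path or the \\device\\... form used in 5157."""
    return app_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_edr_process(app_path: str) -> bool:
    return binary_name(app_path) in EDR_BINARIES


def find_edr_isolation(events, window=timedelta(minutes=5), min_blocks=2):
    """Alert when an EDR binary is blocked by WFP at least `min_blocks` times inside `window`.

    `events` are dicts with keys time (datetime), event_id (int), application (str);
    these field names are an assumption for this example, not the raw EVTX schema.
    """
    blocked_at = defaultdict(list)
    for ev in events:
        if ev["event_id"] in WFP_BLOCK_EVENT_IDS and is_edr_process(ev.get("application", "")):
            blocked_at[binary_name(ev["application"])].append(ev["time"])
    alerts = []
    for binary, times in blocked_at.items():
        times.sort()
        # Sliding window: count blocks that fall within `window` of each starting block.
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_blocks:
                alerts.append({"binary": binary, "first_seen": start, "count": count})
                break
    return alerts


_T0 = datetime(2025, 1, 1, 9, 0, 0)
# Constructed sample: one benign block, one filter listing, then repeated blocks of EDR agents.
SAMPLE_EVENTS = [
    {"time": _T0, "event_id": 5157, "application": r"\device\harddiskvolume2\program files\google\chrome\application\chrome.exe"},
    {"time": _T0 + timedelta(seconds=5), "event_id": 5441, "application": ""},
    {"time": _T0 + timedelta(seconds=10), "event_id": 5157, "application": r"\device\harddiskvolume2\program files\sentinelone\sentinel agent\SentinelAgent.exe"},
    {"time": _T0 + timedelta(seconds=12), "event_id": 5152, "application": r"\device\harddiskvolume2\program files\sentinelone\sentinel agent\SentinelAgent.exe"},
    {"time": _T0 + timedelta(seconds=15), "event_id": 5157, "application": r"\device\harddiskvolume2\programdata\microsoft\windows defender\platform\MsMpEng.exe"},
    {"time": _T0 + timedelta(seconds=40), "event_id": 5157, "application": r"\device\harddiskvolume2\programdata\microsoft\windows defender\platform\MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in find_edr_isolation(SAMPLE_EVENTS):
        print(f"ALERT: {alert['binary']} blocked {alert['count']}x from {alert['first_seen']}")
```

Because the dynamic WFP session leaves few persistent artifacts, the block events themselves are the most durable signal; feeding them to a SIEM that is reachable over a channel the agent does not depend on is what makes this detection survive the isolation.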
It is important to note that this technique necessitates administrator-level privileges and remains ineffective against EDR solutions that are safeguarded by kernel-level network drivers.