A newly released open-source tool, SilentButDeadly, is stirring up security concerns within the cybersecurity community. This innovative tool, developed by security researcher Ryan Framiñán and launched on November 2, 2025, showcases a method by which attackers can effectively disable Endpoint Detection and Response (EDR) systems and antivirus software without terminating any processes. By exploiting the Windows Filtering Platform, SilentButDeadly can sever cloud connectivity for security products, leaving systems alarmingly vulnerable to potential attacks.
SilentButDeadly operates through a meticulous seven-phase execution sequence, commencing with the verification of administrator privileges on the target system. Following this initial step, the tool scans for active EDR processes, including well-known solutions like SentinelOne, Windows Defender, and Windows Defender ATP, compiling a comprehensive list of the security software currently in operation.
Upon identifying these processes, SilentButDeadly employs the Windows Filtering Platform to establish bidirectional network filters that effectively block both outbound and inbound communications for each detected security application. The ramifications of this network isolation are profound: affected EDR solutions are rendered incapable of receiving critical cloud-based threat intelligence updates, transmitting telemetry data to security operations centers, or accepting remote management commands.
In addition to its network isolation capabilities, the tool attempts to disable EDR services by altering their startup types and preventing automatic restarts. This tactic effectively blinds security teams to endpoint threats, creating a significant gap in their defensive posture.
SilentButDeadly builds on techniques pioneered by EDRSilencer, another red team tool that has been repurposed by threat actors since 2024. However, it distinguishes itself by introducing enhanced operational safety features, including dynamic, self-cleaning filters that automatically remove themselves upon program exit, thereby reducing the potential for forensic artifacts.
This development highlights a fundamental architectural vulnerability in modern EDR deployments, which are heavily reliant on network connectivity for essential security functions. Organizations utilizing cloud-based threat detection face considerable risks when their security solutions lose connectivity, as local detection capabilities become severely limited.
Key Features
- Network Isolation Capabilities: Utilizes the Windows Filtering Platform to create high-priority filters that block both IPv4 outbound and inbound traffic for identified EDR processes.
- Automated EDR Discovery: Scans running processes and automatically identifies security software from major vendors, including SentinelOne, Windows Defender, and Defender ATP.
- Service Disruption: Attempts to stop EDR services and change their startup configuration to disabled status, preventing automatic recovery.
- Dynamic Filter Management: Creates non-persistent filters by default that automatically clean up upon program exit, minimizing detection footprint.
- Command-Line Flexibility: Supports verbose logging mode and persistent filter options for extended operations.
- Legitimate API Usage: Requires administrator privileges but utilizes only standard Windows APIs without kernel manipulation or driver loading.
- Extensible Target List: Easily configurable to target additional security products through a simple array modification.
To counteract this emerging threat, security teams are advised to monitor Windows event logs for specific WFP filter creation events, including Event IDs 5441, 5157, and 5152. Organizations should also implement real-time WFP monitoring, maintain redundant communication channels for EDR telemetry, and utilize Windows protected process mechanisms to prevent unauthorized service manipulation.
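The detection guidance above, as an added example that is not part of the article or the tool: it walks a set of constructed Windows Security events (normalized into dicts, as a SIEM export would render them; the field names, the short list of security-product binary names and the 300-second window are assumptions) and reports any security-product binary that WFP blocked, whether both directions were blocked, and whether a filter event (5441, as listed in the article) preceded the first block on that host.

```python
from collections import defaultdict
from datetime import datetime

# Illustrative security-product process names (assumption: not an exhaustive list).
EDR_BINARIES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe"}
BLOCK_EVENTS = {5157, 5152}   # WFP blocked a connection / a packet
FILTER_EVENT = 5441           # WFP filter event named in the article

# Constructed sample events; field names are an assumption modelled on a SIEM export.
DEF = r"\device\harddiskvolume3\programdata\microsoft\windows defender\platform\msmpeng.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T10:00:00", "host": "ws01", "EventID": 5441, "Application": ""},
    {"ts": "2025-11-03T10:00:05", "host": "ws01", "EventID": 5157, "Application": DEF, "Direction": "Outbound"},
    {"ts": "2025-11-03T10:00:07", "host": "ws01", "EventID": 5152, "Application": DEF, "Direction": "Inbound"},
    # Ordinary application blocked once; not a security product, so never reported.
    {"ts": "2025-11-03T10:01:00", "host": "ws02", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\users\bob\tool.exe", "Direction": "Outbound"},
    # Security agent blocked in one direction only, with no preceding filter event.
    {"ts": "2025-11-03T10:02:00", "host": "ws03", "EventID": 5157,
     "Application": r"\device\harddiskvolume3\program files\sentinelone\sentinelagent.exe", "Direction": "Outbound"},
]

def detect_edr_isolation(events, window_seconds=300):
    """One finding per (host, EDR binary) that WFP blocked: flags bidirectional blocking
    and a 5441 event on the same host within window_seconds before the first block."""
    filter_times = defaultdict(list)                               # host -> [datetime]
    blocked = defaultdict(lambda: {"dirs": set(), "first": None})  # (host, exe) -> info
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["EventID"] == FILTER_EVENT:
            filter_times[ev["host"]].append(ts)
        elif ev["EventID"] in BLOCK_EVENTS:
            exe = ev["Application"].rsplit("\\", 1)[-1].lower()
            if exe in EDR_BINARIES:
                info = blocked[(ev["host"], exe)]
                info["dirs"].add(ev["Direction"])
                info["first"] = info["first"] or ts
    findings = []
    for (host, exe), info in blocked.items():
        preceded = any(0 <= (info["first"] - t).total_seconds() <= window_seconds
                       for t in filter_times[host])
        findings.append({"host": host, "binary": exe,
                         "bidirectional": info["dirs"] == {"Inbound", "Outbound"},
                         "filter_created_before_block": preceded})
    return findings

if __name__ == "__main__":
    for finding in detect_edr_isolation(SAMPLE_EVENTS):
        print(finding)
```

A finding with both flags set matches the filter-then-block sequence the article describes; a single-direction block without a filter event is worth a look but is far more likely to be ordinary firewall policy.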