SilentButDeadly is a network communication blocker that impairs security tooling on Windows systems without using kernel-level techniques. It abuses the Windows Filtering Platform (WFP), a legitimate Windows feature, to cut EDR and antivirus connectivity discreetly.
Mechanism and Methodology
The tool first verifies that it is running with administrator privileges, then identifies and targets EDR processes such as SentinelAgent.exe and MsMpEng.exe. It establishes high-priority WFP sessions and installs bidirectional filters for each targeted process. The result is that outbound telemetry stops and inbound communications for cloud updates and threat intelligence are cut off.
- Administrator privileges are essential for the tool's execution.
- SilentButDeadly uses dynamic sessions, leaving fewer forensic traces.
- It attempts to disable the associated EDR services to stop restarts and updates.
Detection and Mitigation Strategies
To detect SilentButDeadly, system administrators can monitor the Windows event logs for WFP-related events, notably Event IDs 5441, 5157, and 5152. Effective mitigations include real-time WFP monitoring and redundant communication channels for telemetry. Protecting EDR services through kernel-level drivers or Windows protected processes is crucial: although the technique is dynamic, it is ineffective against EDR solutions protected by kernel-level network drivers.
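The monitoring described above, as an added PowerShell example that is not part of the original write-up or of the tool it describes. It pulls the three event IDs the write-up names from the Security log and flags any whose application, filter name or conditions mention the EDR processes the write-up lists, and it dumps the live WFP filter set with netsh to catch block filters from a still-active dynamic session. The auditpol subcategories, Event ID 5447 (WFP filter changed) and the netsh wfp show filters command are added from general Windows knowledge rather than from the write-up; the element names inside the netsh XML dump and the temp-file path are assumptions.

```powershell
# Added example (not from the original write-up): defender-side checks for WFP-based
# blocking of EDR traffic. Assumptions: run from an elevated PowerShell prompt; the
# Security log has the WFP audit subcategories enabled (auditpol lines below); the
# process list comes from the write-up and should be extended for your own stack.

# One-time (elevated) auditing setup that produces the events queried below:
#   auditpol /set /subcategory:"Filtering Platform Connection"    /success:enable /failure:enable
#   auditpol /set /subcategory:"Filtering Platform Packet Drop"   /success:enable /failure:enable
#   auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
#   auditpol /set /subcategory:"Other Policy Change Events"       /success:enable /failure:enable

$EdrProcesses = @('SentinelAgent.exe', 'MsMpEng.exe')   # names from the write-up

function Get-WfpBlockEvents {
    param(
        [int]$Hours = 24,
        [string[]]$Watch = $EdrProcesses
    )
    # IDs named in the write-up: 5152 = WFP blocked a packet, 5157 = WFP blocked a
    # connection, 5441 = filter present when the Base Filtering Engine started.
    # 5447 (WFP filter changed) is added here because a filter installed at runtime
    # is logged under 5447, not 5441.
    $filter = @{
        LogName   = 'Security'
        Id        = 5152, 5157, 5441, 5447
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 5152/5157 carry the blocked application's device path; 5441/5447 describe
        # the filter itself, whose name or conditions may reference the process path.
        $haystack = @($d['Application'], $d['FilterName'], $d['Conditions']) -join ' '
        $named = @($Watch | Where-Object { $haystack -match [regex]::Escape($_) })
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Application = $d['Application']
            FilterName  = $d['FilterName']
            FilterId    = $d['FilterRTID']
            Action      = $d['Action']
            EdrHit      = ($named.Count -gt 0)
            Processes   = ($named -join ', ')
        }
    }
}

function Find-WfpBlockFilters {
    param(
        [string[]]$Watch = $EdrProcesses,
        [string]$Dump = (Join-Path $env:TEMP 'wfpfilters.xml')   # placeholder path
    )
    # netsh dumps the live filter set, including filters owned by still-active
    # dynamic sessions, so a block filter the event log missed still shows up here.
    netsh wfp show filters file="$Dump" | Out-Null
    [xml]$xml = Get-Content -Raw -Path $Dump
    # local-name() keeps the query independent of the dump's namespace; the 'item'
    # and 'filterKey' element names are assumed from typical netsh output.
    $blocks = $xml.SelectNodes("//*[local-name()='item'][.//*[text()='FWP_ACTION_BLOCK']]")
    foreach ($f in $blocks) {
        $text  = $f.OuterXml
        $named = @($Watch | Where-Object { $text -match [regex]::Escape($_) })
        if ($named.Count -gt 0) {
            $key = $f.SelectSingleNode("*[local-name()='filterKey']")
            [pscustomobject]@{
                FilterKey = $(if ($key) { $key.InnerText } else { '(unknown)' })
                Processes = ($named -join ', ')
            }
        }
    }
}

# Usage: suspicious events from the last day, then any live block filter naming an EDR process
Get-WfpBlockEvents -Hours 24 | Where-Object EdrHit | Format-Table -AutoSize
Find-WfpBlockFilters | Format-Table -AutoSize
```

Both checks depend on the audit subcategories actually being enabled; without them the Security log simply never receives 5152, 5157 or 5447 and the first function returns nothing, which is why the netsh dump of the current filter set is kept as an independent second check.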
Impact and Considerations
This evasion method underscores weaknesses in Windows security mechanisms that can be exploited through legitimate features such as WFP. Administrators should strengthen their monitoring and the protection of EDR and antivirus tools to prevent such disruptions.