A Network Communication Blocker That Neutralizes EDR and AV Tools
A newly documented endpoint detection and response (EDR) evasion technique has surfaced, raising concerns about an architectural weakness shared by much modern security software: its dependence on network connectivity.
SilentButDeadly, a network communication blocker, abuses the Windows Filtering Platform (WFP) to neutralize EDR and antivirus software by severing their cloud connectivity, without terminating their processes or touching the kernel.
The tool represents a significant evolution in EDR bypass techniques, building upon foundational research from earlier WFP-based evasion methods.
Unlike previous approaches that relied on persistent filters, SilentButDeadly opens a dynamic WFP session; the Base Filtering Engine removes every filter added in such a session when the session handle is closed or the owning process exits, which reduces on-disk forensic artifacts and the operational risk of leaving a broken firewall state behind.
This refinement addresses several limitations of earlier tools while keeping the same degree of network isolation.
How the Attack Works
SilentButDeadly operates through a seven-phase execution sequence.
Initially, it verifies that it is running with administrator privileges, then performs EDR discovery by enumerating running processes and matching them against a predefined target list that includes SentinelOne, Windows Defender, and Windows Defender ATP.

The tool identifies processes such as SentinelAgent.exe and MsMpEng.exe, establishing which security solutions are actively protecting the system.
Following discovery, the tool opens a dynamic WFP session and registers high-weight filters so that they win arbitration against the existing firewall rules.
Critically, it creates bidirectional filters for each identified EDR process, one scoped to the process's outbound connections and one to its inbound ones, blocking both outbound telemetry and inbound management traffic from the vendor cloud.
The effect on the affected EDR is severe: it can no longer download cloud threat-intelligence updates, upload telemetry to the security operations center, receive remote management commands, or perform any real-time analysis that depends on cloud connectivity.
At the same time, the tool attempts to stop the discovered EDR services and set them so they do not restart automatically, which also halts scheduled scans, background monitoring, and update mechanisms.
Together these effects blind security teams to endpoint-level threats while preventing automated response mechanisms from functioning.
The technique demonstrates a fundamental architectural weakness in modern EDR deployments: their reliance on network connectivity for core security functions.
Organizations that rely heavily on cloud-based threat detection and behavioral analysis face substantial risk when EDR solutions lose connectivity, as local detection capabilities are severely limited.
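The filters described above, seen from the defender's side. This is an added example, not SilentButDeadly's own code: it exports the live WFP filter table with netsh and flags block filters whose application-ID condition points at an EDR or AV binary. It assumes an elevated shell, that the XML element names match what netsh wfp show filters emits on current Windows builds (check one exported file on your build before relying on it), and an illustrative list of EDR binary names.

```powershell
# Added example (not from the original article or the tool): export the live WFP
# filter table and flag BLOCK filters scoped to an EDR/AV binary via ALE_APP_ID.
# Assumptions: run elevated; element names as emitted by "netsh wfp show filters"
# on current Windows builds (verify against one export on your build); the EDR
# name list below is illustrative only.
$edrPatterns = 'sentinelagent|msmpeng|mssense|csfalconservice'

$outFile = Join-Path $env:TEMP 'wfpfilters.xml'
& netsh.exe wfp show filters file="$outFile" | Out-Null
if (-not (Test-Path $outFile)) { throw "netsh produced no $outFile; is the shell elevated?" }

[xml]$wfp = Get-Content -Path $outFile -Raw

$findings = foreach ($f in $wfp.SelectNodes('//filters/item')) {
    # Only BLOCK verdicts matter here.
    if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }

    # ... and only filters scoped to a specific application (ALE_APP_ID condition).
    $appCond = @($f.filterCondition.item) |
        Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
    if (-not $appCond) { continue }

    # The app ID is the NT device path of the binary, e.g.
    # \device\harddiskvolume3\program files\windows defender\msmpeng.exe
    $appPath = $appCond.conditionValue.byteBlob.asString
    if ($appPath -notmatch $edrPatterns) { continue }

    [pscustomobject]@{
        FilterId   = $f.filterId
        Name       = $f.displayData.name
        # ALE_AUTH_CONNECT_* layers block the process's outbound connections,
        # ALE_AUTH_RECV_ACCEPT_* its inbound ones; a pair of both is the
        # "bidirectional" pattern the article describes.
        Layer      = $f.layerKey
        Persistent = (@($f.flags.item) -contains 'FWPM_FILTER_FLAG_PERSISTENT')
        Provider   = $f.providerKey
        AppPath    = $appPath
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No block filters scoped to the listed EDR binaries are present right now." }
```

Two things to keep in mind when reading the output. Windows Defender Firewall rules are themselves WFP filters registered under the Microsoft firewall provider, so the Provider column is what separates a legitimate rule from a filter added by an unknown or empty provider. And because SilentButDeadly's filters live in a dynamic session, an empty result only means nothing is blocked at this instant; the state check has to run while the tool is running, which is why it complements rather than replaces the event-log auditing discussed below.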
Security teams can detect WFP filter activity in the Windows Security log using Event IDs 5441, 5157, and 5152, with two caveats: 5441 records the filters present when the Base Filtering Engine starts, so it is a boot-time snapshot and will not capture a filter added at runtime, which is logged as 5447 ("A Windows Filtering Platform filter has been changed"); and 5152 (packet dropped) and 5157 (connection blocked), like 5447, only appear once the corresponding Filtering Platform audit subcategories are enabled, which they are not by default.
However, the dynamic nature of the attack leaves far fewer persistent forensic artifacts than earlier persistent filtering methods, so the audit trail, not the on-disk filter store, is the main evidence.
Organizations should monitor WFP filter changes in real time, maintain redundant communication channels for EDR telemetry, cache events locally for delayed transmission when connectivity is lost, and rely on Windows protected process mechanisms (Protected Process Light for the EDR's own processes) together with vendor anti-tamper to prevent unauthorized service manipulation.
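The event-log side of that detection advice as a worked hunt. This is an added example, not from the original article: it enables the three WFP audit subcategories the relevant event IDs depend on, pulls 5447/5152/5157 events from the Security log, and surfaces the ones that reference EDR or AV binaries. It assumes an elevated shell, the EventData field names Microsoft documents for these events (FilterName, Conditions, Action, ChangeType for 5447; Application, DestAddress, DestPort, FilterRTID for 5152/5157), and an illustrative EDR name list.

```powershell
# Added example (not from the original article): hunt the Security log for WFP
# filter changes and blocked traffic that touch EDR/AV binaries.
# Assumptions: run elevated; EventData field names as documented for 5447/5152/5157
# (verify with one event's ToXml() on your build); $edrPatterns is illustrative.
$edrPatterns = 'sentinelagent|msmpeng|mssense|csfalconservice'
$since = (Get-Date).AddHours(-24)

# 5447 is under "Filtering Platform Policy Change", 5152 under "Filtering Platform
# Packet Drop", 5157 under "Filtering Platform Connection". None are on by default.
foreach ($sub in 'Filtering Platform Policy Change',
                 'Filtering Platform Packet Drop',
                 'Filtering Platform Connection') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Pull one named EventData field out of an event (name match is case-insensitive,
# which also covers the ProcessId/ProcessID spelling difference between events).
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5447, 5152, 5157; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    switch ($e.Id) {
        5447 {
            # A filter was added, changed or deleted at runtime; ChangeType says which.
            $name   = Get-EventField $e 'FilterName'
            $cond   = Get-EventField $e 'Conditions'
            $action = Get-EventField $e 'Action'
            if ("$name $cond" -match $edrPatterns) {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Id     = 5447
                    What   = Get-EventField $e 'ChangeType'
                    Pid    = Get-EventField $e 'ProcessId'
                    Detail = "$name [$action] $cond"
                }
            }
        }
        { $_ -in 5152, 5157 } {
            # A packet was dropped (5152) or a connection blocked (5157) for an app path.
            $app = Get-EventField $e 'Application'
            if ($app -match $edrPatterns) {
                $dst = '{0}:{1}' -f (Get-EventField $e 'DestAddress'), (Get-EventField $e 'DestPort')
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Id     = $e.Id
                    What   = 'blocked'
                    Pid    = Get-EventField $e 'ProcessId'
                    Detail = "$app -> $dst by filter $(Get-EventField $e 'FilterRTID')"
                }
            }
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else { Write-Host "No WFP events referencing the listed EDR binaries since $since." }
```

The 5447 branch is the high-signal one: a runtime filter change whose conditions name an EDR binary is rare in normal operation. The 5152/5157 branch confirms the filter is actually biting, because the EDR's own connection attempts to its cloud endpoints show up as blocked, and FilterRTID ties each block back to the filter's runtime ID. Packet Drop auditing in particular can be very noisy on busy hosts, so in production scope it through Advanced Audit Policy and forward only the matching events.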
Security researchers emphasize that this technique requires administrator-level privileges and is ineffective against EDR solutions that carry or inspect their own traffic through a kernel-level network driver rather than relying on user-mode sockets alone.
