SilentButDeadly: The Network Communication Blocker Neutralizing EDR/AV

By Imthiyaz Ali

In the ever-escalating cat-and-mouse game between red teamers and blue team defenders, new tools and techniques constantly emerge to test the limits of security solutions. One such tool that has garnered significant attention is SilentButDeadly, an open-source utility designed to effectively neutralize Endpoint Detection and Response (EDR) and Antivirus (AV) software by severing their critical network lifelines. This article delves into the technical mechanisms of SilentButDeadly, its impact, and crucial detection strategies for defenders.

The EDR/AV Achilles' Heel: Cloud Connectivity

Modern EDR and Next-Generation AV (NGAV) solutions derive their power from real-time cloud connectivity. This connection facilitates:

  • Telemetry Upload: Continuous streaming of endpoint activity data (process creation, file modifications, network connections, registry changes) to a centralized cloud analysis engine.
  • Behavioral Analysis: Leveraging vast computational power and machine learning in the cloud to detect complex attack patterns that might be missed locally.
  • Threat Intelligence: Instant updates of indicators of compromise (IOCs) and threat intelligence from global sources.
  • Remote Response: Security analysts issue commands from a cloud console to isolate hosts, terminate processes, quarantine files, or retrieve forensic artifacts.

SilentButDeadly exploits this fundamental reliance. By preventing an EDR sensor from communicating with its cloud backend, the tool effectively renders the EDR "blind," unable to report threats or receive crucial remote commands.

How SilentButDeadly Operates: Leveraging the Windows Filtering Platform (WFP)

Developed by security researcher Ryan Framiñán, SilentButDeadly's genius lies in its elegant abuse of a legitimate Windows kernel feature: the Windows Filtering Platform (WFP).

Conceptual diagram illustrating how SilentButDeadly (via WFP) intercepts and blocks EDR/AV network traffic.

1. The Windows Filtering Platform (WFP)

WFP is a set of API services that allows developers to create network filtering applications. It operates at a low level in the Windows networking stack, enabling the inspection and modification of network traffic *before* it reaches higher-level applications. This makes it a powerful tool for firewalls, VPNs, and, as SilentButDeadly demonstrates, for malicious network disruption.

2. Dynamic Filter Creation

SilentButDeadly operates by dynamically creating high-priority, non-persistent WFP filters. Here's a step-by-step breakdown:

  • Process Identification: The tool identifies the process IDs (PIDs) and executable paths of common EDR/AV solutions running on the system (e.g., MsMpEng.exe for Microsoft Defender, agent processes for SentinelOne, CrowdStrike, etc.).
  • Session Creation: It initiates a dynamic WFP session. Dynamic sessions are key because the filters created within them are automatically removed when the session ends or the system reboots, reducing forensic footprint.
  • Filter Layer Selection: SilentButDeadly targets specific WFP layers responsible for connection authorization:
    • FWPM_LAYER_ALE_AUTH_CONNECT_V4: authorizes outbound IPv4 connections.
    • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4: authorizes inbound IPv4 connections.
  • Block Action Definition: For each targeted EDR process, and on both the inbound and outbound layers, the tool sets the filter action to FWP_ACTION_BLOCK.
  • High Priority Weight: Crucially, the filters are assigned a very high weight (e.g., 0x7FFF or `(MAX_WEIGHT & ~1)`), ensuring they take precedence over almost any other filter, including those set by legitimate security software or the Windows Firewall.
  • Context & Conditions: The filters are precisely configured with conditions (FWPM_CONDITION_ALE_APP_ID) to only apply to the identified EDR/AV process executables.

// Simplified conceptual representation of WFP filter creation
// (engine session setup and app-ID lookup omitted; member names follow FWPM_FILTER0)
FWPM_FILTER_CONDITION0 cond = {};
cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;           // match on the executable's app ID
cond.matchType = FWP_MATCH_EQUAL;
cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
cond.conditionValue.byteBlob = AppId_for_EDR_process; // FWP_BYTE_BLOB* identifying the EDR binary

FWPM_FILTER0 filter = {};
filter.displayData.name = L"SilentButDeadly_EDR_Block";
filter.action.type = FWP_ACTION_BLOCK;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;     // or FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
filter.weight.type = FWP_WEIGHT_UINT64;
filter.weight.uint64 = &MAX_WEIGHT_VALUE;             // FWP_VALUE0 holds a UINT64*; the high weight described above
filter.numFilterConditions = 1;
filter.filterCondition = &cond;

FwpmFilterAdd0(engineHandle, &filter, NULL, &filterId);

3. Operational Stealth

SilentButDeadly's key advantage over older "EDR killer" tools is its stealth. Instead of terminating or suspending EDR processes (which often triggers immediate alerts or system instability), it allows them to continue running. The EDR agent simply cannot communicate with its cloud backend, leading to a "silent failure" state where it continues to appear operational locally but is effectively neutralized from a threat intelligence and remote response perspective.

The tool also has options to disable and stop EDR services, but its core innovation lies in the WFP blocking, which can be done without service manipulation.

Impact on Red Team Operations

For red teamers, SilentButDeadly offers a powerful capability:

  • Bypass Cloud Telemetry: Execute post-exploitation activities without the EDR reporting the malicious behavior to the security operations center (SOC).
  • Neutralize Remote Response: Prevent blue teamers from isolating the compromised host or terminating malicious processes via their EDR console.
  • Improved Operational Safety: Reduces the risk of the EDR crashing or visibly alerting, allowing for a more stealthy and prolonged presence.
  • Facilitates Local Execution: Allows the use of tools and techniques that would otherwise be immediately flagged by a fully functional EDR.

Blue Team Detection and Mitigation Strategies

Defending against SilentButDeadly requires focusing on the underlying mechanisms it exploits:

  1. WFP Event Log Monitoring: This is paramount. Windows Event ID 5441 ("A Windows Filtering Platform filter has been added") and 5157 ("The Windows Filtering Platform blocked a connection") are critical indicators. Defenders should look for high-priority block filters being added specifically for EDR/AV process IDs. Unusual filter additions, especially those with high weights, should trigger alerts.
  2. EDR/AV Telemetry Monitoring: Implement continuous monitoring for a sudden cessation or significant reduction in telemetry from EDR agents. If an EDR agent suddenly stops reporting, it's a strong indicator of compromise.
  3. Network Flow Monitoring: Monitor network traffic from endpoints for any unusual drops in expected EDR communication (e.g., to cloud IPs, specific ports).
  4. EDR Health Checks: Implement proactive health checks that verify the EDR agent's ability to communicate with its cloud backend, rather than just checking if the service is running.
  5. Service Configuration Monitoring: If SilentButDeadly (or a similar tool) attempts to stop or disable EDR services, this generates specific Event IDs (e.g., 7036, 7040) and leaves traces in the Service Control Manager logs and the registry.
  6. Kernel Callback Monitoring: Advanced EDRs might implement kernel callbacks to detect WFP filter manipulations by unauthorized processes.
  7. "Offline" EDR Capabilities: Security vendors must develop more robust EDR architectures that can perform critical behavioral analysis and threat prevention locally, even when disconnected from the cloud, to maintain some level of defense.
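As an added example (not code from the article or the SilentButDeadly project), this Python scores constructed Security-log events for item 1 above: a 5441/5447 filter event scoped to an EDR binary on an ALE authorization layer, with the high weight and non-persistent flag as extra signals, and a 5157 block whose application is an EDR binary. It accepts 5447 alongside the 5441 the article names because 5447 ("A Windows Filtering Platform filter has been changed") is the event written when a filter is added at runtime, while 5441 lists filters present when the Base Filtering Engine starts; the field names, sample values and every EDR binary other than MsMpEng.exe are assumptions.

```python
# Added detection example; not code from the article or the SilentButDeadly project.
EDR_BINARIES = {"msmpeng.exe", "edr-agent-placeholder.exe"}  # MsMpEng.exe from the article; placeholder for your agents
WEIGHT_ALERT = 0x7FFF                                          # weight the article attributes to the tool's filters
ALE_AUTH_LAYERS = ("ALE_AUTH_CONNECT", "ALE_AUTH_RECV_ACCEPT")  # substrings match the V4 and V6 layers alike

def _names_edr(text: str) -> bool:
    """True when a condition string or application path references a protected binary."""
    return any(b in text.lower() for b in EDR_BINARIES)

def score_filter_event(ev: dict) -> list[str]:
    """Reasons a 5441/5447 filter event looks like an EDR communications block (empty = ignore)."""
    if ev.get("EventID") not in (5441, 5447) or ev.get("ChangeType", "Add") != "Add":
        return []
    if not any(layer in ev.get("LayerName", "") for layer in ALE_AUTH_LAYERS):
        return []
    if not _names_edr(ev.get("Conditions", "")):
        return []
    # The event does not say block vs permit, so any EDR-scoped filter on these layers goes to triage.
    reasons = [f"filter '{ev.get('FilterName', '?')}' scoped to an EDR/AV binary on {ev['LayerName']}"]
    weight = int(str(ev.get("Weight", "0")), 0)  # logged as decimal or hex; base 0 parses both
    if weight >= WEIGHT_ALERT:
        reasons.append(f"weight 0x{weight:X} >= 0x{WEIGHT_ALERT:X}")
    if "not persistent" in ev.get("FilterType", "").lower():
        reasons.append("non-persistent (dynamic session) filter")
    return reasons

def score_block_event(ev: dict) -> list[str]:
    """Reason a 5157 event matters: the application whose connection was blocked is an EDR/AV binary."""
    if ev.get("EventID") != 5157 or not _names_edr(ev.get("ApplicationName", "")):
        return []
    return [f"EDR/AV binary blocked {ev.get('Direction', '?')} to {ev.get('DestinationAddress', '?')}"]

def detect_edr_comms_block(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (EventID, reasons) for every event that warrants an alert, in log order."""
    scored = ((ev["EventID"], score_filter_event(ev) or score_block_event(ev)) for ev in events)
    return [(event_id, reasons) for event_id, reasons in scored if reasons]

# Constructed sample events (keys follow the events' named fields): a benign firewall filter,
# a filter matching the article's description, and a blocked outbound EDR connection.
SAMPLE_EVENTS = [
    {"EventID": 5447, "ChangeType": "Add", "FilterName": "Core Networking - DNS (UDP-Out)",
     "LayerName": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "Weight": "1", "FilterType": "Persistent",
     "Conditions": "FWPM_CONDITION_IP_REMOTE_PORT == 53"},
    {"EventID": 5447, "ChangeType": "Add", "FilterName": "SilentButDeadly_EDR_Block",
     "LayerName": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "Weight": "0x7FFF", "FilterType": "Not persistent",
     "Conditions": r"FWPM_CONDITION_ALE_APP_ID == \device\harddiskvolume2\program files\windows defender\msmpeng.exe"},
    {"EventID": 5157, "ApplicationName": r"\device\harddiskvolume2\program files\windows defender\msmpeng.exe",
     "Direction": "Outbound", "DestinationAddress": "203.0.113.10"},
]
```

Both event families need auditing enabled before they appear at all (Filtering Platform Policy Change for 5441/5447, Filtering Platform Connection for 5157); calling detect_edr_comms_block(SAMPLE_EVENTS) returns the two alerts and ignores the benign DNS filter.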

Conclusion

SilentButDeadly is a testament to the ongoing innovation in offensive security and serves as a powerful reminder that even the most advanced security solutions have potential points of failure. By targeting the fundamental reliance of EDR/AV on cloud connectivity via the Windows Filtering Platform, it provides adversaries with a stealthy method to operate undetected. For blue teams, understanding tools like SilentButDeadly is crucial. It underscores the importance of multi-layered defenses, vigilant monitoring of low-level system events, and the need for EDR solutions that are resilient to network disruption, ensuring that our guardians remain, truly, un-neutralized.

Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.