Network Communication Blocker Tool That Neutralizes EDR/AV


A new open-source tool called SilentButDeadly has emerged, designed to disrupt Endpoint Detection and Response (EDR) and antivirus (AV) software by severing their network communications.

Developed by security researcher Ryan Framiñán, the tool leverages the Windows Filtering Platform (WFP) to create temporary, bidirectional blocks on EDR cloud connectivity, isolating threats without terminating processes.

His approach builds on the 2023 EDRSilencer technique, offering improved operational safety through dynamic, self-cleaning filters.

The tool exploits a key dependency in modern EDR architectures, which rely heavily on cloud-based telemetry for real-time analysis and updates. By preventing outbound data uploads and inbound command reception, SilentButDeadly effectively neuters remote management and threat intelligence sharing.

Unlike aggressive evasion methods that disrupt security processes, it focuses on stealthy network isolation, making it ideal for red-team exercises and malware analysis in controlled environments. Framiñán’s implementation ensures no persistent artifacts remain unless explicitly configured, reducing forensic footprints.

SilentButDeadly Execution

SilentButDeadly’s execution unfolds in structured phases, beginning with privilege verification using Windows APIs like CheckTokenMembership() to confirm administrator access. Users are prompted interactively to proceed, enhancing control.


The core discovery phase scans running processes via CreateToolhelp32Snapshot(), matching against a predefined list of EDR targets such as SentinelOne’s SentinelAgent.exe and Microsoft Defender’s MsMpEng.exe. Once identified, it queries full process paths and initializes WFP with a dynamic session flagged by FWPM_SESSION_FLAG_DYNAMIC for automatic cleanup.

Network blocking is implemented at ALE layers: outbound via FWPM_LAYER_ALE_AUTH_CONNECT_V4 and inbound via FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, using high-priority weights (0x7FFF) and process-specific AppID conditions.

Filters convert executable paths to WFP blobs with FwpmGetAppIdFromFileName0(), ensuring precise targeting. Following isolation, the tool disrupts services by stopping them gracefully and setting startup types to SERVICE_DISABLED, preventing restarts. A summary displays affected processes, block counts, and WFP status before optional cleanup removes all rules.


Supported targets include SentinelOne, Windows Defender, and Defender ATP (MsSense.exe), with extensibility via a simple array. Command-line options like `--verbose` for logging and `--persistent` for enduring filters add flexibility, while robust error handling provides graceful fallbacks.

The tool uses only documented user-mode Windows APIs, with no kernel modifications, though it requires administrator rights. Operationally, it severs EDR updates, telemetry, and cloud-assisted scans, but leaves local detection intact. Detection risks include WFP event logs (IDs 5441, 5157) and service modifications, detectable via netsh wfp commands or PowerShell queries.
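The detection footprint described above can be turned into a simple hunting rule. The following is an added example, not code from the SilentButDeadly project or from the article's author: it consumes pre-parsed Windows Security events and alerts when WFP activity (event ID 5157 "connection blocked", event ID 5441 "filter present") is scoped to one of the EDR/AV binaries the article names. The `Event` field names (`application`, `direction`) and the sample events are constructed for this example; map them onto whatever your log pipeline emits. A single block on an EDR process can be firewall noise, so the rule escalates only when both directions are blocked, which is the bidirectional isolation the tool produces.

```python
"""Added detection example (not SilentButDeadly code, not the article author's).

Flags Windows Filtering Platform (WFP) activity aimed at known EDR/AV binaries,
using the two event IDs the article lists: 5441 (filter present when BFE started)
and 5157 (WFP blocked a connection). Field names and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Binaries from the article's target list; extend for your own estate.
EDR_BINARIES = {"sentinelagent.exe", "msmpeng.exe", "mssense.exe"}


@dataclass(frozen=True)
class Event:
    event_id: int
    application: str      # path as WFP records it (NT device path or Win32 path)
    direction: str = ""   # constructed field: "Inbound"/"Outbound" for 5157, empty for 5441


@dataclass(frozen=True)
class Alert:
    binary: str
    severity: str
    reason: str


def binary_name(path: str) -> str:
    """Last path component, lower-cased; tolerates \\device\\harddiskvolumeN\\ prefixes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return alerts for WFP events whose application is an EDR/AV process."""
    blocked_dirs = defaultdict(set)   # binary -> set of blocked directions
    filters_seen = set()              # binaries with a 5441 filter scoped to them
    for ev in events:
        name = binary_name(ev.application)
        if name not in EDR_BINARIES:
            continue
        if ev.event_id == 5157:
            blocked_dirs[name].add(ev.direction.capitalize())
        elif ev.event_id == 5441:
            filters_seen.add(name)

    alerts = []
    for name in sorted(EDR_BINARIES):
        dirs = blocked_dirs.get(name, set())
        if {"Inbound", "Outbound"} <= dirs:
            # Both ALE directions blocked for one EDR binary: the isolation pattern.
            alerts.append(Alert(name, "high",
                                "WFP blocked both inbound and outbound connections (bidirectional isolation)"))
        elif dirs:
            alerts.append(Alert(name, "medium",
                                f"WFP blocked {', '.join(sorted(dirs))} connection"))
        elif name in filters_seen:
            alerts.append(Alert(name, "medium",
                                "WFP filter scoped to EDR binary present at BFE start (event 5441)"))
    return alerts


# Constructed sample: one benign browser block, then the pattern an isolation tool leaves.
SAMPLE_EVENTS = [
    Event(5157, r"\device\harddiskvolume3\program files\mozilla firefox\firefox.exe", "Outbound"),
    Event(5157, r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe", "Outbound"),
    Event(5157, r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe", "Inbound"),
    Event(5157, r"\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe", "Outbound"),
    Event(5441, r"\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.binary}: {a.reason}")
```

Pair this with a periodic inventory of live filters (`netsh wfp show filters`) so that a persistent filter is caught even when the block events themselves are not being audited.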

Framiñán stresses ethical use for authorized testing, urging defenders to monitor WFP changes and implement resilient EDR designs with local caching.

Available on GitHub under loosehose/SilentButDeadly, the tool sparks discussions on EDR dependencies, potentially driving vendor improvements. As cyber threats evolve, such research underscores the need for balanced architectures less reliant on constant connectivity.




