New Tool Blocks Network Traffic to Bypass EDR and Antivirus

A newly released open-source tool called SilentButDeadly is raising security concerns by demonstrating how attackers can effectively turn off Endpoint Detection and Response systems and antivirus software without terminating any processes.

Developed by security researcher Ryan Framiñán and released on November 2, 2025, the tool uses the Windows Filtering Platform (WFP) to sever the cloud connectivity of security products, leaving systems vulnerable to attacks.

SilentButDeadly operates through a seven-phase execution sequence that begins by verifying that it is running with administrator privileges on the target system.

The tool then scans for running EDR processes, such as SentinelOne, Windows Defender, and Windows Defender ATP, to create a comprehensive list of active security software.

Once identified, it leverages the Windows Filtering Platform to establish bidirectional network filters that block both outbound and inbound communications for each detected security process.

The impact of this network isolation is severe. Affected EDR solutions cannot receive critical cloud-based threat intelligence updates, transmit telemetry data to security operations centers, or accept remote management commands.


Additionally, the tool attempts to turn off EDR services by changing their startup types and preventing automatic restarts, effectively blinding security teams to endpoint threats.

This tool builds upon similar techniques pioneered by EDRSilencer, another red team tool that threat actors have been actively repurposing for malicious purposes since 2024.

However, SilentButDeadly introduces improved operational safety through dynamic, self-cleaning filters that automatically remove themselves when the program exits, reducing forensic artifacts.

The technique demonstrates a fundamental architectural vulnerability in modern EDR deployments, which rely heavily on network connectivity for core security functions.

Organizations using cloud-based threat detection face substantial risk when their security solutions lose connectivity, as local detection capabilities become severely limited.

Key Features

Network Isolation Capabilities: Uses the Windows Filtering Platform to create high-priority filters that block both IPv4 outbound and inbound traffic for identified EDR processes.

Automated EDR Discovery: Scans running processes and automatically identifies security software from major vendors, including SentinelOne, Windows Defender, and Defender ATP.

Service Disruption: Attempts to stop EDR services and change their startup configuration to disabled status, preventing automatic recovery.

Dynamic Filter Management: Creates non-persistent filters by default that automatically clean up upon program exit, minimizing detection footprint.

Command-Line Flexibility: Supports verbose logging mode and persistent filter options for extended operations.

Legitimate API Usage: Requires administrator privileges but uses only standard Windows APIs without kernel manipulation or driver loading.

Extensible Target List: Easily configurable to target additional security products through a simple array modification.

Security teams can detect this attack by monitoring Windows event logs for specific WFP filter creation events, including Event IDs 5441, 5157, and 5152.

Organizations should implement real-time WFP monitoring, maintain redundant communication channels for EDR telemetry, and use Windows protected process mechanisms to prevent unauthorized service manipulation.
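The monitoring step described above, as an added example that is not part of the article or of the SilentButDeadly project: a PowerShell triage script that flattens WFP audit events from the Security log and flags any whose blocked application or filter description names an EDR binary. It assumes the three WFP audit subcategories have been enabled with auditpol (shown in the comments), uses the standard Security-log event XML layout, and, in addition to the Event IDs the article lists, also watches 5447 (WFP filter changed), since a non-persistent filter that removes itself on exit never survives to a Base Filtering Engine restart and so would not appear as 5441. The EDR executable names and the two sample events are constructed for the demonstration and should be replaced with the binaries of your own security stack.

```powershell
# Added example (not the project's or the article's code): triage WFP audit events
# for filters or blocks that touch EDR processes.
# Prerequisite (run once, elevated) so the Security log records these events at all:
#   auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
#   auditpol /set /subcategory:"Filtering Platform Connection"    /success:enable /failure:enable
#   auditpol /set /subcategory:"Filtering Platform Packet Drop"   /success:enable /failure:enable

# Executable names whose blocked traffic is suspicious (assumed list; extend for your stack).
$EdrBinaries = @('MsMpEng.exe', 'MsSense.exe', 'SentinelAgent.exe', 'SenseIR.exe')

# Event IDs named in the article plus 5447 (filter added/changed), the live counterpart of
# 5441 that also catches transient filters removed before the next BFE restart.
$WfpEventIds = @(5441, 5447, 5152, 5157)

function Convert-WfpEventXml {
    # Flatten one Security event (XML text) into a hashtable: EventId, Time, plus every
    # <Data Name="..."> field from <EventData> keyed by its Name attribute.
    param([Parameter(Mandatory)][string]$XmlText)
    $xml = [xml]$XmlText
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $rec = @{
        EventId = [int]$xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Time    = $xml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
    }
    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $rec[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $rec
}

function Test-EdrWfpTampering {
    # Return the records that indicate WFP activity against an EDR binary.
    param([Parameter(Mandatory)][hashtable[]]$Records)
    $hits = @()
    foreach ($r in $Records) {
        if ($WfpEventIds -notcontains $r.EventId) { continue }
        # 5152/5157 carry the affected program's path in "Application"; 5441/5447 describe
        # the filter itself, so fall back to its name and condition text (assumed field names).
        $subject = if ($r.ContainsKey('Application')) { $r.Application } else { "$($r.FilterName) $($r.Conditions)" }
        foreach ($exe in $EdrBinaries) {
            if ($subject -like "*$exe*") {   # -like is case-insensitive, paths are lowercased in the log
                $hits += [pscustomobject]@{ Time = $r.Time; EventId = $r.EventId; Match = $exe; Detail = $subject }
                break
            }
        }
    }
    return $hits
}

# Constructed sample events (not real log data) in the Security-log XML shape.
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID><TimeCreated SystemTime="2025-11-03T10:15:02Z"/></System>
  <EventData>
    <Data Name="ProcessID">4242</Data>
    <Data Name="Application">\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.0\msmpeng.exe</Data>
    <Data Name="DestAddress">203.0.113.10</Data>
    <Data Name="DestPort">443</Data>
  </EventData>
</Event>
'@
$Sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID><TimeCreated SystemTime="2025-11-03T10:15:05Z"/></System>
  <EventData>
    <Data Name="Application">\device\harddiskvolume3\program files\contoso\app.exe</Data>
    <Data Name="DestAddress">198.51.100.7</Data>
  </EventData>
</Event>
'@

$records = @($Sample1, $Sample2) | ForEach-Object { Convert-WfpEventXml -XmlText $_ }
$alerts  = Test-EdrWfpTampering -Records $records
$alerts | Format-Table -AutoSize   # one row: the blocked msmpeng.exe connection; app.exe is ignored

# Live use (elevated), replacing $records with the last hour of the Security log:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$WfpEventIds; StartTime=(Get-Date).AddHours(-1)} |
#       ForEach-Object { Convert-WfpEventXml -XmlText $_.ToXml() }
```

The script matches on the blocked program's path rather than on a filter name because an attacker controls the name of any filter it adds, whereas the Application field of a 5152/5157 event is filled in by the kernel. A single 5157 for an EDR binary is worth an alert on its own: these agents are expected to reach their cloud back end continuously, so any WFP block on them is abnormal. Pair it with a dead-man's-switch on the management console (agent last-seen time) so that a host whose telemetry goes quiet is noticed even if the local event log is never forwarded.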
