SilentButDeadly: The New Tool Disrupting EDR and AV Communications
A groundbreaking open-source tool named SilentButDeadly has been introduced, aiming to disrupt the network communications of Endpoint Detection and Response (EDR) and antivirus (AV) software. Developed by security researcher Ryan Framiñán, this tool utilizes the Windows Filtering Platform (WFP) to create temporary, bidirectional blocks on EDR cloud connectivity, effectively isolating threats without terminating processes.
Understanding SilentButDeadly’s Mechanism
SilentButDeadly operates by targeting a critical vulnerability in modern EDR architectures: their reliance on cloud-based telemetry for real-time analysis and updates. By obstructing outbound data uploads and inbound command receptions, the tool effectively neutralizes remote management and threat intelligence sharing capabilities of EDR systems. Unlike aggressive evasion methods that disrupt security processes, SilentButDeadly focuses on stealthy network isolation, making it particularly useful for red-team exercises and malware analysis in controlled environments.
Execution Process of SilentButDeadly
The execution of SilentButDeadly unfolds in several structured phases:
1. Privilege Verification: The tool begins by verifying administrative privileges using Windows APIs like `CheckTokenMembership()`. Users are interactively prompted to proceed, enhancing control over the operation.
2. Process Discovery: It scans running processes via `CreateToolhelp32Snapshot()`, matching against a predefined list of EDR targets such as SentinelOne’s `SentinelAgent.exe` and Microsoft Defender’s `MsMpEng.exe`. Once identified, it queries full process paths and initializes WFP with a dynamic session flagged by `FWPM_SESSION_FLAG_DYNAMIC` for automatic cleanup.
3. Network Blocking Implementation: Network blocking is implemented at Application Layer Enforcement (ALE) layers: outbound via `FWPM_LAYER_ALE_AUTH_CONNECT_V4` and inbound via `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4`, using high-priority weights (`0x7FFF`) and process-specific AppID conditions. Filters convert executable paths to WFP blobs with `FwpmGetAppIdFromFileName0()`, ensuring precise targeting.
4. Service Disruption: Following isolation, the tool disrupts services by stopping them gracefully and setting startup types to `SERVICE_DISABLED`, preventing restarts. A summary displays affected processes, block counts, and WFP status before optional cleanup removes all rules.
Supported Targets and Features
SilentButDeadly supports targets including SentinelOne, Windows Defender, and Defender ATP (`MsSense.exe`), with extensibility via a simple array. Command-line options like `–verbose` for logging and `–persistent` for enduring filters add flexibility, while robust error handling provides graceful fallbacks.
Security and Detection Considerations
The tool emphasizes the use of legitimate APIs only, with no kernel tweaks, though it requires administrative rights. Operationally, it severs EDR updates, telemetry, and scans but leaves local detection intact. Detection risks include WFP event logs (IDs 5441, 5157) and service modifications, detectable via `netsh wfp` commands or PowerShell queries.
Ethical Use and Availability
Framiñán stresses ethical use for authorized testing, urging defenders to monitor WFP changes and implement resilient EDR designs with local caching. SilentButDeadly is available on GitHub under the repository `loosehose/SilentButDeadly`, sparking discussions on EDR dependencies and potentially driving vendor improvements. As cyber threats evolve, such research underscores the need for balanced architectures less reliant on constant connectivity.
