WFP Filter Added via Registry

Original Source: [Sigma source]
Title: WFP Filter Added via Registry
Status: experimental
Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
References:
  - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
  - https://www.huntress.com/blog/silencing-the-edr-silencers
  - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
Author: Frack113
Date: 2025-10-23
Modified: None
Tags:
  - attack.defense-evasion
  - attack.execution
  - attack.t1562
  - attack.t1569.002
Logsource:
  category: registry_set
  product: windows
Detection:
  selection:
    TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
  filter_main_svchost:
    Image:
      - 'C:\Windows\System32\svchost.exe'
      - 'C:\Windows\SysWOW64\svchost.exe'

  condition: selection and not 1 of filter_main_*
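The detection block above reduces to one substring test on TargetObject and one exclusion on Image. The following is an added example, not part of the Sigma rule or its author's work, that evaluates that logic over constructed registry_set events (the field names TargetObject and Image follow the Sigma registry_set convention, which Sysmon Event ID 13 populates). The GUID subkey and the non-svchost image path in the sample events are placeholders.

```python
"""Minimal evaluator for the 'WFP Filter Added via Registry' logic.

Added example: not code from the Sigma project. Event dicts use the Sigma
registry_set field names (TargetObject, Image); sample values are constructed.
"""

# Sigma string matching is case-insensitive by default, so comparisons below
# lower-case both sides. The trailing backslash matters: it matches writes to
# subkeys *under* ...\Persistent\Filter\ (one per filter), not the Filter key.
SELECTION_TARGETOBJECT_CONTAINS = "\\BFE\\Parameters\\Policy\\Persistent\\Filter\\"

# filter_main_svchost: the Base Filtering Engine normally persists filters from
# within svchost.exe, so those writes are excluded from the alert.
FILTER_MAIN_SVCHOST_IMAGES = (
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\SysWOW64\\svchost.exe",
)


def _contains(value, needle):
    """Sigma '|contains' modifier: case-insensitive substring match."""
    return needle.lower() in (value or "").lower()


def _equals_any(value, candidates):
    """Sigma list of plain values: case-insensitive exact match against any."""
    v = (value or "").lower()
    return any(v == c.lower() for c in candidates)


def rule_matches(event):
    """Evaluate 'selection and not 1 of filter_main_*' for one event."""
    selection = _contains(event.get("TargetObject"), SELECTION_TARGETOBJECT_CONTAINS)
    filter_main_svchost = _equals_any(event.get("Image"), FILTER_MAIN_SVCHOST_IMAGES)
    return selection and not filter_main_svchost


# Constructed sample events (placeholder GUID and paths, not real telemetry).
_WFP_FILTER_KEY = (
    "HKLM\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\"
    "Filter\\{00000000-0000-0000-0000-000000000000}"
)
SAMPLE_EVENTS = [
    {   # BFE itself persisting a filter: excluded by filter_main_svchost
        "name": "svchost writes persistent filter",
        "TargetObject": _WFP_FILTER_KEY,
        "Image": "C:\\Windows\\System32\\svchost.exe",
    },
    {   # same key written by an arbitrary user-land process: should alert
        "name": "non-svchost process writes persistent filter",
        "TargetObject": _WFP_FILTER_KEY,
        "Image": "C:\\Users\\Public\\placeholder_tool.exe",
    },
    {   # different BFE subkey (Provider, not Filter): selection does not match
        "name": "non-svchost process writes provider key",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\"
                        "Policy\\Persistent\\Provider\\{00000000-0000-0000-0000-000000000000}",
        "Image": "C:\\Users\\Public\\placeholder_tool.exe",
    },
]


def evaluate_samples():
    """Return [(event name, alert?)] for the constructed events."""
    return [(e["name"], rule_matches(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for name, hit in evaluate_samples():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Only the second sample event fires; the first is suppressed by the svchost exclusion and the third never satisfies the selection. When deploying, note that the exclusion is by image path only, so the rule relies on the telemetry source reporting the process that performed the registry write, which Sysmon Event ID 13 does.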
Falsepositives:
  - Unknown
Level: medium