netero1010 / EDRSilencer

A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
MIT License
1.46k stars, 185 forks

Empty Provider #6

Closed k4nfr3 closed 10 months ago

k4nfr3 commented 10 months ago

Hi,

Do you mean that it doesn't add or link to an existing WFP provider? The rules do stand out because of this (from an OPSEC perspective).

Regards K4nfr3

pbssubhash commented 10 months ago

The following code: https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c#L62 is used to manage the filter name with which rules are created. You can modify this with your custom (or existing) filter name.

k4nfr3 commented 10 months ago

Hi, that's the filter rule name, not the provider name ;-)

[screenshot: wfp]

pbssubhash commented 10 months ago

My bad, I misread it as the filter.

I think it's possible: by doing something like filter.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; here: https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c#L147-L157

While I play around, I'd wait for @netero1010 to check the references above and see if it's an easy fix for him.

netero1010 commented 10 months ago

Hi. I believe adding a provider to the custom rule will help from an OPSEC perspective. I will check whether it is better to use an existing provider or create a new one. I will add this to my to-do list for the next update. Thanks @k4nfr3 and @pbssubhash.

netero1010 commented 10 months ago

Updated in version 1.2. A new WFP provider will be created for the custom WFP filter.
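The point raised in this thread is a detection heuristic as much as an OPSEC one: a WFP filter that carries no provider key is unusual on a normal host, and a freshly created provider that owns only a handful of BLOCK filters is a small, easily spotted group. The following PowerShell script is an added example written from the defender's side; it is not part of the EDRSilencer project. It exports the live filter set with netsh and reports filters with an empty provider plus a per-provider count. It assumes an elevated shell and the element names netsh uses in its XML export (filters/item, filterKey, displayData/name, providerKey, layerKey, action/type); those names are taken from the netsh wfp output format, not from this thread.

```powershell
# Added example (not from the EDRSilencer project): review installed WFP
# filters for missing or unexpected providers.
# Assumptions: run as Administrator; netsh exports <filters><item> elements
# carrying filterKey, displayData/name, providerKey, layerKey and action/type.

param(
    [string]$Path = (Join-Path $env:TEMP 'wfp-filters.xml')
)

# netsh writes the current filter set as XML to the given file.
netsh wfp show filters file="$Path" | Out-Null
[xml]$doc = Get-Content -Path $Path -Raw

# Small helper: return the text of a child node, or '' when the node is absent.
function Get-NodeText([System.Xml.XmlNode]$Node, [string]$XPath) {
    $child = $Node.SelectSingleNode($XPath)
    if ($null -eq $child) { return '' }
    return $child.InnerText.Trim()
}

# Flatten every filter into one row; an empty or missing providerKey becomes '<none>'.
$rows = foreach ($item in $doc.SelectNodes('//filters/item')) {
    $providerKey = Get-NodeText $item 'providerKey'
    if (-not $providerKey) { $providerKey = '<none>' }
    [pscustomobject]@{
        FilterKey   = Get-NodeText $item 'filterKey'
        Name        = Get-NodeText $item 'displayData/name'
        Layer       = Get-NodeText $item 'layerKey'
        Action      = Get-NodeText $item 'action/type'
        ProviderKey = $providerKey
    }
}

"Filters with no provider (a custom filter added without a provider shows up here):"
$rows | Where-Object { $_.ProviderKey -eq '<none>' } |
    Format-Table Name, Layer, Action, FilterKey -AutoSize

"Filter count per provider (a provider that owns only a few BLOCK filters deserves a look):"
$rows | Group-Object ProviderKey | Sort-Object Count |
    Select-Object Count, @{ Name = 'ProviderKey'; Expression = { $_.Name } },
                  @{ Name = 'BlockFilters'; Expression = {
                      ($_.Group | Where-Object { $_.Action -eq 'FWP_ACTION_BLOCK' }).Count } } |
    Format-Table -AutoSize
```

Run it once on a known-good build to record the normal set of providers, then compare later exports against that baseline; a new provider key that did not exist before is worth investigating regardless of how innocuous its display name looks. For continuous visibility, the Windows Filtering Platform policy-change audit category records filter additions as Security event 5447, which includes the provider name, so the same empty-or-unknown-provider check can be applied to those events as they arrive.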