SilentButDeadly: a targeted disruption of EDR networks

dark6, 16 November 2025

The relentless evolution of cyber threats has forced security professionals to adapt continually, often relying on increasingly complex Endpoint Detection and Response (EDR) solutions. That reliance introduces its own weak points, and anyone who tests or analyzes these defenses needs a careful understanding of how they operate. A recent release, dubbed “SilentButDeadly,” offers a focused approach to neutralizing EDR functionality without resorting to broad, disruptive tactics. Developed by security researcher Ryan Framiñán, the tool is not about brute-force evasion; it is a narrow intervention that targets the agent’s network communication flows.

At its core, SilentButDeadly uses the Windows Filtering Platform (WFP) – a powerful mechanism for granular network traffic control – to create dynamic, bidirectional blocks. What stands out in Framiñán’s design is not the concept itself but the careful execution and operational considerations. The design reflects a clear understanding of how modern EDR architectures – particularly those heavily reliant on cloud-based telemetry – function. Instead of disabling processes outright, SilentButDeadly prevents the outbound uploads the agent needs for telemetry and threat-intelligence sharing and blocks inbound command reception. This effectively neuters the remote management capabilities that EDR deployments depend on.

The execution sequence is structured and deliberate. First, the tool validates administrator privileges using the CheckTokenMembership() Windows API function, confirming it is running with the rights it needs. An interactive prompt then asks the operator to confirm before anything is changed. The discovery phase takes a snapshot of running processes via CreateToolhelp32Snapshot() and scans it for known EDR targets, including SentinelOne’s SentinelAgent.exe and Microsoft Defender’s MsMpEng.exe. Critically, the tool initializes its WFP session with the FWPM_SESSION_FLAG_DYNAMIC flag, so the filters it adds are removed automatically when the session ends and no persistent artifacts remain.

Network blocking is implemented at the Application Layer Enforcement (ALE) layers, specifically FWPM_LAYER_ALE_AUTH_CONNECT_V4 for outbound connections and FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 for inbound connections. Filters are keyed to process-specific AppIDs and given a high weight (0x7FFF) so that the block takes precedence over other filters. The tool relies on FwpmGetAppIdFromFileName0() to convert executable paths into the WFP AppID blobs used for that matching. Once the agent is isolated, the tool stops its services and sets their startup type to SERVICE_DISABLED, preventing automatic restarts. A summary of affected processes, block counts, and WFP status is printed, and an optional cleanup step removes all rules.

Beyond the core blocking mechanism, SilentButDeadly incorporates several operational considerations. The tool uses only documented Windows APIs and avoids kernel-level modifications – a practice that would almost certainly trigger alerts. It deliberately leaves no persistent artifacts, relying on WFP’s dynamic cleanup. Its operation does generate detectable events, however. WFP audit events in the Security log (IDs 5441 and 5157) are a primary source of evidence, and changes to WFP filters and to services, visible through netsh wfp commands or PowerShell queries, are another.
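As an added, defender-side example (not code from the SilentButDeadly repository), the following Python triages a batch of Security-log WFP records for the bidirectional block pattern described above. The event records, field names and installation paths are constructed for the example; only the event IDs and executable names come from the write-up.

```python
"""Triage Windows Security-log WFP events for blocks aimed at EDR agent binaries.

Constructed example, not code from the SilentButDeadly repository.
"""
from collections import defaultdict

# EDR executables named in the write-up.
EDR_BINARIES = {"msmpeng.exe", "sentinelagent.exe"}
# Event IDs named in the write-up: 5157 (WFP blocked a connection) and
# 5441 (a filter was listed when the Base Filtering Engine started).
WFP_EVENT_IDS = {5157, 5441}


def classify_event(event):
    """Return a finding if the event is a WFP event about an EDR binary, else None."""
    if event.get("EventID") not in WFP_EVENT_IDS:
        return None
    # The 'Application' field is a device path; normalise it and keep the basename.
    app = (event.get("Application") or "").lower().replace("/", "\\")
    exe = app.rsplit("\\", 1)[-1]
    if exe not in EDR_BINARIES:
        return None
    return {"event_id": event["EventID"], "exe": exe,
            "direction": event.get("Direction", "unknown")}


def triage(events):
    """Return (findings, flagged). 'flagged' lists EDR binaries blocked in BOTH
    directions, the bidirectional pattern that ordinary policy rarely produces."""
    findings = [f for f in map(classify_event, events) if f]
    directions = defaultdict(set)
    for f in findings:
        directions[f["exe"]].add(f["direction"])
    flagged = sorted(exe for exe, d in directions.items()
                     if {"Outbound", "Inbound"} <= d)
    return findings, flagged


# Constructed sample events; field names mirror a 5157 audit record, paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 5157, "Direction": "Outbound",
     "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"},
    {"EventID": 5157, "Direction": "Inbound",
     "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe"},
    {"EventID": 5157, "Direction": "Outbound",
     "Application": r"\device\harddiskvolume3\program files\sentinelone\sentinelagent.exe"},
    {"EventID": 5157, "Direction": "Outbound",
     "Application": r"\device\harddiskvolume3\windows\system32\svchost.exe"},
    {"EventID": 4624, "Application": None},
]

if __name__ == "__main__":
    found, flagged = triage(SAMPLE_EVENTS)
    print(f"{len(found)} EDR-related WFP events; bidirectionally blocked: {flagged}")
```

On a live host the same logic can be fed from the Security log (for example via Get-WinEvent in PowerShell), provided WFP connection auditing is enabled so that 5157 records are written at all.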

Framiñán emphasizes responsible use, limited to authorized testing environments. He advocates vigilant monitoring of WFP changes and resilient EDR designs that incorporate local caching as a defensive layer. The tool’s availability on GitHub (in the loosehose/SilentButDeadly repository) is already generating discussion about the dependencies built into EDR architectures, and it is likely to push vendors to re-evaluate their reliance on constant connectivity.

This development underscores a fundamental point: cybersecurity isn’t simply about deploying the latest technologies; it’s about a deep understanding of how those technologies function – and how they can be strategically leveraged for both defense and, in this case, targeted disruption.
