SilentButDeadly is a network communication blocker specifically designed to neutralize EDR/AV software by preventing their cloud connectivity using Windows Filtering Platform (WFP). This version focuses solely on network isolation without process termination.
Blog: https://ryan.framinan.net/blog/silentbutdeadly
[*] Checking administrative privileges...
[+] Running with Administrator privileges
[#] Press <Enter> to begin EDR enumeration...
- Verifies administrator privileges using
CheckTokenMembership() - Interactive prompts allow controlled execution
[*] Scanning for target security processes...
[+] Found SentinelAgent.exe (SentinelOne) - PID: 1234
[+] Found MsMpEng.exe (Windows Defender) - PID: 5678
[*] Total target processes found: 2
[#] Press <Enter> to block network communications...
- Creates process snapshot using
CreateToolhelp32Snapshot() - Enumerates all running processes
- Matches against predefined EDR target list
- Opens process handles with
PROCESS_QUERY_INFORMATIONaccess
[*] Initializing Windows Filtering Platform...
[>] Initializing COM library
[>] Generating WFP provider GUID
[>] Opening WFP engine handle
[+] Windows Filtering Platform initialized successfully
- Initializes COM for GUID generation
- Creates dynamic WFP session (non-persistent by default)
- Establishes provider and sublayer with high priority (0x7FFF)
[*] Configuring network filters to block EDR communications...
[>] Processing filters for SentinelAgent.exe (PID: 1234)
[>] Process path: C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe
[>] Outbound filter added successfully
[>] Inbound filter added successfully
[+] Network communication blocked for SentinelAgent.exe
[+] Communication blocking established for 2 processes
For each EDR process:
- Retrieves full process image path using
QueryFullProcessImageNameW() - Converts path to WFP AppID blob using
FwpmGetAppIdFromFileName0() - Creates two filters per process:
- Outbound Filter:
FWPM_LAYER_ALE_AUTH_CONNECT_V4(blocks outgoing connections) - Inbound Filter:
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4(blocks incoming connections)
- Outbound Filter:
[*] Attempting to disable EDR services...
[>] Processing service: SentinelAgent
[>] Current service state: Running
[>] Attempting to stop service...
[+] Stop signal sent to SentinelAgent
[+] Service stopped successfully
[+] Service SentinelAgent set to disabled
[+] Disabled 2 EDR services
- Opens Service Control Manager
- For each EDR service:
- Attempts graceful service stop
- Changes startup type to
SERVICE_DISABLED - Prevents automatic restart
=================================================================
OPERATION SUMMARY
=================================================================
[SentinelOne] SentinelAgent.exe - PID: 1234
[Windows Defender] MsMpEng.exe - PID: 5678
Total Processes Found: 2
Network Blocks Applied: 2
WFP Status: Active
=================================================================
[#] Press <Enter> to remove filters and exit...
[*] Removing network blocking rules...
[+] Network blocking rules removed
[*] Operation complete
- Removes WFP provider (cascades to all filters)
- Closes WFP engine handle
- Releases COM resources
- Closes all process handles
- Layer: Application Layer Enforcement (ALE)
- Weight: 0x7FFF (high priority)
- Action:
FWP_ACTION_BLOCK - Condition:
FWPM_CONDITION_ALE_APP_ID(process-specific) - Flags:
FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT
- SentinelOne (all components)
- Windows Defender
- Windows Defender ATP (MsSense.exe)
- Easily extensible via
g_EDRTargetsarray
-v, --verbose: Enable detailed operation logging-p, --persistent: Keep filters active after program exit-h, --help: Display usage information
- Comprehensive error checking at each stage
- Graceful fallback on partial failures
- Detailed error codes for troubleshooting
- Requires Administrator privileges
- Non-persistent filters by default (cleared on exit)
- No driver loading or kernel manipulation
- Uses legitimate Windows APIs only
- EDR cannot receive cloud updates
- Telemetry upload blocked
- Remote management disabled
- Real-time threat intelligence severed
- Prevents automatic restart
- Disables scheduled scans
- Stops background monitoring
- Halts update mechanisms
- WFP filter creation events
- Service stop/disable events
- Process handle access patterns
- No persistent artifacts (unless
-pflag used)
- Pre-engagement Testing: Verify EDR bypass before operation
- Controlled Environment: Isolate EDR for malware analysis
- Red Team Operations: Initial foothold establishment
- Security Research: EDR behavior analysis
- IPv4 only (IPv6 requires additional layers)
- Requires active EDR processes (not effective if stopped)
- Some EDRs may have kernel-level network drivers
- Windows Firewall must be enabled for WFP to function