Network Communication Blocker Tool ‘SilentButDeadly’ Neutralizing EDR/AV
“Latest open-source tool targeting network communications and blocking EDR & AV.”
A new open-source tool named SilentButDeadly has surfaced that interferes with Endpoint Detection and Response (EDR) and antivirus (AV) software by cutting off their network communications.
The technique, created by security researcher Ryan Framiñán, uses the Windows Filtering Platform (WFP) to temporarily block EDR cloud connectivity in both directions, isolating the agent without stopping its processes.
By using dynamic, self-cleaning filters, his method improves operational safety and expands upon the 2023 EDRSilencer methodology.
The tool targets a major weakness in contemporary EDR designs, which rely heavily on cloud-based telemetry for real-time analysis and updates. By blocking outgoing telemetry uploads and inbound command reception, SilentButDeadly effectively neutralizes remote management and threat-intelligence sharing.
It is suited to red-team exercises and malware investigation in controlled environments because it concentrates on covert network isolation, in contrast to aggressive evasion techniques that interfere with the security processes themselves.
Framiñán's implementation reduces the forensic footprint by ensuring that no persistent artifacts remain unless persistence is explicitly requested.

Executing ‘SilentButDeadly’
SilentButDeadly executes in organized stages, starting with privilege verification that confirms administrator access using Windows APIs such as CheckTokenMembership(). It then prompts the user interactively before continuing, which gives the operator an additional point of control.
The core discovery phase uses CreateToolhelp32Snapshot() to scan running processes against a predetermined list of EDR targets, such as SentinelOne's SentinelAgent.exe and Microsoft Defender's MsMpEng.exe.
Once a target is located, the tool queries its full process path and opens a WFP session flagged with FWPM_SESSION_FLAG_DYNAMIC, so that every filter created in the session is removed automatically when the session ends.
Network blocking is applied at the Application Layer Enforcement (ALE) layers with high-priority filter weights (0x7FFF) and process-specific AppID conditions: outbound via FWPM_LAYER_ALE_AUTH_CONNECT_V4 and inbound via FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4.
To ensure accurate targeting, the filters use FwpmGetAppIdFromFileName0() to convert executable paths into the WFP application-ID blobs the conditions match on. After isolation, the program also prevents restarts by stopping the services gracefully and setting their start type to SERVICE_DISABLED.

Before the optional cleanup removes all rules, a summary shows the affected processes, block counts, and WFP status.
Supported targets include SentinelOne, Windows Defender, and Defender ATP (MsSense.exe), and the list can be extended through a simple array. Robust error handling provides graceful fallbacks, while command-line options such as --verbose for logging and --persistent for filters that outlive the session add flexibility.
Although it requires administrator rights, the tool uses only legitimate, documented APIs and makes no kernel modifications. Operationally, it cuts off cloud scans, telemetry, and EDR updates while local detection keeps working. The activity leaves detectable traces: WFP audit events (IDs 5441 and 5157) and service configuration changes, both of which defenders can surface with PowerShell queries or netsh wfp commands.
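To turn the detection points just listed into a host triage check, here is an added PowerShell script (written for this page, not part of SilentButDeadly or its repository). It assumes an elevated session, that the Windows audit subcategories for WFP policy changes and connections are enabled, and that netsh wfp show filters produces the <filters>/<item> XML layout seen on recent Windows builds; event ID 5447 (WFP filter changed) is included in addition to the two IDs the article cites.

```powershell
# Added defender-side triage script; not part of SilentButDeadly or its repository.
# Assumptions: runs in an elevated PowerShell session; the audit subcategories
# "Filtering Platform Policy Change" (events 5441/5447) and "Filtering Platform Connection"
# (event 5157) are enabled, otherwise those events are never written to the Security log.
$EdrImages = 'MsMpEng.exe', 'MsSense.exe', 'SentinelAgent.exe'   # image names from the article
$AleLayers = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4'

# 1. Security log. 5441 = filter present when BFE started, 5447 = filter changed at run time
#    (an addition to the two IDs the article cites), 5157 = WFP blocked a connection. For 5157
#    the "Application Name" field carries the process path, so an EDR image there is a direct hit.
$filter = @{ LogName = 'Security'; Id = 5441, 5447, 5157; StartTime = (Get-Date).AddDays(-1) }
foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $img = $EdrImages | Where-Object { $ev.Message -match [regex]::Escape($_) }
    if ($ev.Id -eq 5157 -and $img) { "[$($ev.TimeCreated)] 5157: blocked connection from $img" }
    elseif ($ev.Id -ne 5157)       { "[$($ev.TimeCreated)] $($ev.Id): WFP filter added/changed, review" }
}

# 2. Live filter table. netsh exports the current filters as XML; a BLOCK filter on either ALE
#    layer whose FWPM_CONDITION_ALE_APP_ID blob (lower-case NT path, UTF-16LE, hex-encoded)
#    contains an EDR image name is exactly the shape of filter the article describes.
$xmlPath = Join-Path $env:TEMP 'wfp_filters.xml'
netsh wfp show filters file="$xmlPath" | Out-Null
[xml]$wfp = Get-Content -Path $xmlPath -Raw
foreach ($f in $wfp.filters.item) {
    if ($AleLayers -notcontains $f.layerKey -or $f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
    foreach ($name in $EdrImages) {
        # hex of the UTF-16LE image name, compared case-insensitively against the blob's hex data
        $hex = [BitConverter]::ToString([Text.Encoding]::Unicode.GetBytes($name.ToLower())) -replace '-'
        if ($f.InnerText -match $hex -or $f.InnerText -match [regex]::Escape($name)) {
            "BLOCK filter $($f.filterKey) on $($f.layerKey) targets $name (weight $($f.weight.LastChild.InnerText))"
        }
    }
}
Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue

# 3. Service state. The article notes the tool stops the EDR services and sets them to
#    SERVICE_DISABLED, which Win32_Service reports as StartMode = 'Disabled'.
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $path = $_.PathName
    $_.StartMode -eq 'Disabled' -and ($EdrImages | Where-Object { $path -match [regex]::Escape($_) })
} | ForEach-Object { "Service $($_.Name) is Disabled (state $($_.State)): $($_.PathName)" }
```

Any output from section 2 or 3 on a host where nobody deliberately reconfigured the EDR is worth an immediate look, since dynamic-session filters vanish when the creating process exits and the event log may be the only remaining record.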
Framiñán encourages defenders to keep an eye on WFP modifications and use resilient EDR architectures with local caching, emphasizing ethical use for allowed testing.
Accessible via loosehose/SilentButDeadly on GitHub, the tool may spur vendor improvements by igniting conversations around EDR cloud dependence. As cyber threats evolve, such research highlights the need for balanced architectures that are less dependent on continuous connectivity.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many amazing articles related to cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.