Introduction
Endpoint Detection and Response (EDR) solutions have become the backbone of modern cybersecurity, relying heavily on cloud-based telemetry for real-time threat detection and management. But what happens when that connectivity is severed? Enter SilentButDeadly, a new open-source tool designed to temporarily block EDR and antivirus (AV) network communications without killing processes—raising critical questions about architectural resilience.
Developed by security researcher Ryan Framiñán, SilentButDeadly builds on the 2023 EDRSilencer technique, introducing safer, dynamic filtering mechanisms that leave minimal forensic traces. This tool is not malware—it’s a research and red-team utility that highlights a fundamental dependency in EDR systems.
What Makes SilentButDeadly Unique?
Unlike aggressive evasion tactics that terminate security processes, SilentButDeadly focuses on stealthy network isolation. Its goal is to:
- Block outbound telemetry uploads and inbound command reception.
- Maintain local detection capabilities while disabling remote management.
- Leave no persistent artifacts unless explicitly configured.
This approach makes it ideal for authorized penetration testing, malware analysis, and controlled red-team exercises.
How SilentButDeadly Works
SilentButDeadly operates in structured phases, leveraging legitimate Windows APIs and the Windows Filtering Platform (WFP) for dynamic, self-cleaning filters.
Execution Flow
- Privilege Verification: Uses CheckTokenMembership() to confirm administrator rights before proceeding.
- Process Discovery: Scans active processes via CreateToolhelp32Snapshot() and matches against known EDR targets like:
  - SentinelOne (SentinelAgent.exe)
  - Microsoft Defender (MsMpEng.exe)
  - Defender ATP (MsSense.exe)
- Dynamic WFP Session: Initializes with FWPM_SESSION_FLAG_DYNAMIC for automatic cleanup.
- Network Blocking: Implements bidirectional blocks at ALE layers:
  - Outbound: FWPM_LAYER_ALE_AUTH_CONNECT_V4
  - Inbound: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  Filters use high-priority weights (0x7FFF) and process-specific AppID conditions.
- Service Disruption: Stops services gracefully and sets startup type to SERVICE_DISABLED to prevent restarts.
- Cleanup & Reporting: Displays affected processes, block counts, and WFP status before optional cleanup removes all rules.
Key Features
- Supported Targets: SentinelOne, Windows Defender, Defender ATP (extensible via array).
- Command-Line Options:
  - --verbose for detailed logging
  - --persistent for enduring filters
- Security Design:
  - Uses only legitimate APIs
  - No kernel-level modifications
  - Requires admin rights
Detection & Defensive Measures
While SilentButDeadly is stealthy, it is not invisible. Detection indicators include:
- WFP Event Logs: IDs 5441, 5157
- Service Modifications: Trackable via netsh wfp or PowerShell queries
Framiñán emphasizes ethical use and urges defenders to:
- Monitor WFP changes
- Implement resilient EDR designs with local caching to reduce cloud dependency
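To make the "monitor WFP changes" advice concrete, here is an added defender-side check that is not part of the tool or of this article: it parses a WFP filter export in the shape produced by netsh wfp show filters (the element names and the sample export are assumptions to validate against a real filters.xml) and flags block filters at the two ALE layers whose app-ID condition names one of the EDR binaries listed above.

```python
import xml.etree.ElementTree as ET

# Layers and EDR binaries named in the write-up (matched case-insensitively).
SUSPECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4"}
EDR_BINARIES = {"sentinelagent.exe", "msmpeng.exe", "mssense.exe"}

# Constructed sample shaped like a `netsh wfp show filters` export; the element
# names are an assumption, so validate them against a real filters.xml.
SAMPLE_EXPORT = r"""<wfpdiag><filters>
<item><filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
 <displayData><name>Core Networking - DNS (UDP-Out)</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_PERMIT</type></action><filterCondition><numItems>0</numItems></filterCondition></item>
<item><filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
 <displayData><name>Custom Outbound Filter</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action>
 <filterCondition><numItems>1</numItems><item>
  <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
  <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob></conditionValue>
 </item></filterCondition></item>
<item><filterKey>{00000000-0000-0000-0000-000000000003}</filterKey>
 <displayData><name>Custom Inbound Filter</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action>
 <filterCondition><numItems>1</numItems><item>
  <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
  <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\sentinelone\sentinel agent\sentinelagent.exe</asString></byteBlob></conditionValue>
 </item></filterCondition></item>
</filters></wfpdiag>"""

def find_edr_block_filters(export_xml: str) -> list:
    """Return BLOCK filters at the ALE auth layers whose app-ID condition names a known EDR/AV binary."""
    findings = []
    root = ET.fromstring(export_xml)
    for flt in root.findall("filters/item"):
        layer = flt.findtext("layerKey")
        if layer not in SUSPECT_LAYERS or flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            # App IDs are NT device paths; only the trailing file name is compared.
            app_path = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            exe = app_path.rsplit("\\", 1)[-1]
            if exe in EDR_BINARIES:
                findings.append({"filter": flt.findtext("displayData/name"), "key": flt.findtext("filterKey"),
                                 "layer": layer, "binary": exe})
    return findings
```

Run it against the export and alert on any non-empty result; pairing the hit's filterKey with Security event IDs 5441 and 5157 gives the timeline of when the filter appeared and which connections it dropped.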
Why This Matters
SilentButDeadly underscores a critical vulnerability: EDR reliance on constant connectivity. As cyber threats evolve, security vendors must design architectures that remain effective even when cloud telemetry is disrupted.
The tool is available on GitHub under loosehose/SilentButDeadly, sparking discussions on improving EDR resilience and operational safety.
Key Takeaways
- SilentButDeadly uses WFP to block EDR cloud communication without killing processes.
- Ideal for red-team testing and research—not malicious use.
- Highlights the need for EDR solutions to reduce dependency on real-time cloud connectivity.
Conclusion
SilentButDeadly isn’t just a tool—it’s a wake-up call for cybersecurity architects. If your EDR solution fails without cloud access, it’s time to rethink your strategy. Explore the GitHub repository, test responsibly, and strengthen your defenses.