{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cylancesvc.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CylanceSvc.exe","elastic-agent.exe","elastic-endpoint.exe","fortiedr.exe","QualysAgent.exe","SentinelAgent.exe","SentinelAgentWorker.exe","SentinelBrowserNativeHost.exe","SentinelHelperService.exe","SentinelServiceHost.exe","SentinelStaticEngine.exe","SentinelStaticEngineScanner.exe","TaniumClient.exe","TaniumCX.exe","TaniumDetectEngine.exe","Trend Micro products"],"_cs_severities":["high"],"_cs_tags":["edr-bypass","defense-evasion","wfp"],"_cs_type":"advisory","_cs_vendors":["Cylance","Elastic","Fortinet","Qualys","SentinelOne","Tanium","Trend Micro"],"content_html":"\u003cp\u003eAttackers may attempt to disable or impair endpoint detection and response (EDR) solutions to evade detection and maintain persistence on compromised systems. One method to achieve this is by manipulating the Windows Filtering Platform (WFP) to block network communication of EDR processes. This involves adding or modifying WFP policies to prevent EDR agents from sending telemetry or receiving updates. The technique is used to blind security tools, giving attackers more time to operate undetected. \nThis brief focuses on detecting modifications to WFP policies that specifically target known EDR processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative access, allowing them to modify system-level configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool like \u003ccode\u003enetsh\u003c/code\u003e or PowerShell to interact with the Windows Filtering Platform (WFP).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a WFP policy rule targeting specific EDR processes (e.g., \u003ccode\u003eSentinelAgent.exe\u003c/code\u003e, \u003ccode\u003eCylanceSvc.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe WFP policy is configured to block network traffic associated with the targeted EDR processes. The registry key \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\FirewallPolicy\\FirewallRules\u003c/code\u003e is modified with the new policy.\u003c/li\u003e\n\u003cli\u003eThe EDR processes are effectively isolated from the network, preventing them from sending telemetry or receiving updates.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, such as lateral movement or data exfiltration, with reduced risk of detection by the impaired EDR solution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful manipulation of the Windows Filtering Platform to block EDR processes can severely degrade the security posture of an organization. Attackers can operate with impunity, leading to data breaches, ransomware deployment, or other malicious outcomes. \nThe number of affected systems depends on the scope of the attack, but even a single compromised endpoint can serve as a beachhead for further intrusion. Organizations in all sectors are at risk, particularly those with valuable data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to log Registry modifications, which is essential for detecting changes to WFP policies as shown in the rule \u003ccode\u003eDetect Windows Filtering Platform Policy Added to Block EDR\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Filtering Platform Policy Added to Block EDR\u003c/code\u003e to your SIEM and tune the included list of commonly targeted EDR processes for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview registry events associated with \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\FirewallPolicy\\FirewallRules\u003c/code\u003e for unexpected modifications, particularly those containing \u0026ldquo;Action=Block\u0026rdquo; and targeting security-related processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, and verify the legitimacy of any WFP policy changes with authorized IT personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wfp-edr-block/","summary":"Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.","title":"Windows Filtering Platform Policy Added to Block EDR Process","url":"https://feed.craftedsignal.io/briefs/2024-01-wfp-edr-block/"}],"language":"en","title":"CraftedSignal Threat Feed — CylanceSvc.exe","version":"https://jsonfeed.org/version/1.1"}