SentinelStaticEngineScanner.exe — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/sentinelstaticenginescanner.exe/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Windows Filtering Platform Policy Added to Block EDR Processhttps://feed.craftedsignal.io/briefs/2024-01-wfp-edr-block/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wfp-edr-block/Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.Attackers may attempt to disable or impair endpoint detection and response (EDR) solutions to evade detection and maintain persistence on compromised systems. One method to achieve this is by manipulating the Windows Filtering Platform (WFP) to block network communication of EDR processes. This involves adding or modifying WFP policies to prevent EDR agents from sending telemetry or receiving updates. The technique is used to blind security tools, giving attackers more time to operate undetected. This brief focuses on detecting modifications to WFP policies that specifically target known EDR processes.

Attack Chain

  1. The attacker gains initial access to the target system through methods such as phishing or exploiting a vulnerability.
  2. The attacker elevates privileges to gain administrative access, allowing them to modify system-level configurations.
  3. The attacker uses a command-line tool like netsh or PowerShell to interact with the Windows Filtering Platform (WFP).
  4. The attacker creates or modifies a WFP policy rule targeting specific EDR processes (e.g., SentinelAgent.exe, CylanceSvc.exe).
  5. The WFP policy is configured to block network traffic associated with the targeted EDR processes. The registry key HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\FirewallPolicy\FirewallRules is modified with the new policy.
  6. The EDR processes are effectively isolated from the network, preventing them from sending telemetry or receiving updates.
  7. The attacker continues their malicious activities, such as lateral movement or data exfiltration, with reduced risk of detection by the impaired EDR solution.

Impact

Successful manipulation of the Windows Filtering Platform to block EDR processes can severely degrade the security posture of an organization. Attackers can operate with impunity, leading to data breaches, ransomware deployment, or other malicious outcomes. The number of affected systems depends on the scope of the attack, but even a single compromised endpoint can serve as a beachhead for further intrusion. Organizations in all sectors are at risk, particularly those with valuable data or critical infrastructure.

Recommendation

  • Enable Sysmon Event ID 13 to log Registry modifications, which is essential for detecting changes to WFP policies as shown in the rule Detect Windows Filtering Platform Policy Added to Block EDR.
  • Deploy the Sigma rule Detect Windows Filtering Platform Policy Added to Block EDR to your SIEM and tune the included list of commonly targeted EDR processes for your specific environment.
  • Review registry events associated with HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\FirewallPolicy\FirewallRules for unexpected modifications, particularly those containing “Action=Block” and targeting security-related processes.
  • Investigate any alerts generated by the Sigma rule, and verify the legitimacy of any WFP policy changes with authorized IT personnel.
]]>highadvisoryedr-bypassdefense-evasionwfp