Update to include Cisco Secure Endpoint (credit @logdumpster). Also removed CrowdStrike from the supported list, as blocking its service process is insufficient; requires further testing.

This commit is contained in:
netero1010
2024-01-02 18:02:49 +08:00
parent 6287d391ed
commit 7988dae6bf
2 changed files with 9 additions and 10 deletions
+9 -9
@@ -16,9 +16,6 @@ char* edrProcess[] = {
"xagt.exe", "xagt.exe",
// Qualys EDR // Qualys EDR
"QualysAgent.exe", "QualysAgent.exe",
// CrowdStrike
"CSFalconService.exe",
"CSFalconContainer.exe",
// SentinelOne // SentinelOne
"SentinelAgent.exe", "SentinelAgent.exe",
"SentinelAgentWorker.exe", "SentinelAgentWorker.exe",
@@ -54,7 +51,9 @@ char* edrProcess[] = {
"CyveraService.exe", "CyveraService.exe",
"CyvrFsFlt.exe", "CyvrFsFlt.exe",
// FortiEDR // FortiEDR
"fortiedr.exe" "fortiedr.exe",
// Cisco Secure Endpoint (Formerly Cisco AMP)
"sfc.exe"
}; };
BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE }; BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
@@ -327,15 +326,16 @@ void UnblockWfpFilter(UINT64 filterId) {
} }
void PrintHelp() { void PrintHelp() {
printf("Usage: EDROutBlock.exe <blockedr/block/unblockall/unblock>\n"); printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
printf("Version: 1.1\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
printf(" EDROutBlock.exe blockedr\n\n"); printf(" EDRSilencer.exe blockedr\n\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
printf(" EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n"); printf(" EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
printf("- Remove all WFP filters applied by this tool:\n"); printf("- Remove all WFP filters applied by this tool:\n");
printf(" EDROutBlock.exe unblockall\n\n"); printf(" EDRSilencer.exe unblockall\n\n");
printf("- Remove a specific WFP filter based on filter id:\n"); printf("- Remove a specific WFP filter based on filter id:\n");
printf(" EDROutBlock.exe unblock <filter id>"); printf(" EDRSilencer.exe unblock <filter id>");
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
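Review bot: The new last element of `edrProcess[]` in the second hunk, `"sfc.exe"`, still has no trailing comma, so the next entry will again have to edit the preceding line (exactly what happened to `"fortiedr.exe"` here) and produce a misleading two-line diff; write it as `"sfc.exe",` since C permits a trailing comma in an initializer list. In the `PrintHelp` hunk, `printf("Version: 1.1\n");` hard-codes the version next to the usage text, and a single macro (e.g. `#define EDRSILENCER_VERSION "1.1"` used as `printf("Version: " EDRSILENCER_VERSION "\n");`) would keep the number in one place when it is bumped. The final usage line `printf("    EDRSilencer.exe unblock <filter id>");` is the only one without a trailing `\n`, which leaves the shell prompt on the same line as the help text. The `char* edrProcess[]` definition begins before the first hunk and `main` continues past the last one.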
-1
@@ -13,7 +13,6 @@ The tool currently supports the following EDRs:
- Elastic EDR - Elastic EDR
- Trellix EDR - Trellix EDR
- Qualys EDR - Qualys EDR
- CrowdStrike
- SentinelOne - SentinelOne
- Cylance - Cylance
- Cybereason - Cybereason