EDRSilencer

EDRSilencer is a driverless Windows EDR killer and security-solution tampering tool designed to impair endpoint detection and response products by blocking their network communications rather than terminating them with a kernel driver. According to the provided content, it was inspired by MdSec NightHawk’s closed-source FireBlock tool and uses Windows Filtering Platform (WFP) APIs to identify running EDR processes and apply filters that block their outbound traffic, causing affected products to lose communication with their backends and potentially enter a "coma-like" state. Reported functionality includes searching for running EDR processes, adding WFP filters for specific processes, removing filters individually or globally, and a custom CreateFileW bypass to avoid file-handle access issues with EDR processes. The content states that it supports Microsoft Defender, Carbon Black, SentinelOne, and additional EDR products, and that it has been tested on Windows 10 and Windows Server 2016. ESET describes EDRSilencer as part of an emerging class of driverless EDR killers that ransomware actors are adopting quickly as a pre-encryption defense-evasion stage. Splunk published a detection for its execution on Windows, looking for EDRSilencer.exe or command lines containing "blockedr" while excluding "blockedreport," using telemetry such as CrowdStrike ProcessRollup2, Sysmon Event ID 1, and Windows Security Event ID 4688. A referenced public repository is github.com/netero1010/EDRSilencer.