0xJs/BlockEDRTraffic
Blocking EDR traffic

Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows Filtering Platform (WFP).

Overview

  • WindowsDefenderFirewall.exe
    • Creates inbound and outbound block rules in Windows Defender Firewall for blacklisted EDR processes.
  • WindowsFilteringPlatform.exe
    • Creates WFP filters that block traffic for blacklisted EDR processes. Includes a custom AppID resolution routine to obtain executable identities.
  • Both tools:
    • Verify the process is running with High Integrity and SeDebugPrivilege enabled.
    • Enumerate running processes and match them against a blacklist.
    • Support a cleanup mode that removes only the rules/filters created by these PoCs.
  • These tools do not disable or tamper with security products; they create network block rules/filters referencing targeted executables.

How it works (high level)

  • Privilege checks: Ensures elevated integrity level and SeDebugPrivilege to enumerate processes and configure firewall/WFP.
  • Process discovery: Enumerates running processes and resolves full image paths for blacklist matching.
  • Blocking:
    • WDF: Adds per-app inbound/outbound block rules via the Windows Firewall COM API.
    • WFP: Adds per-app IPv4/IPv6 block filters via the WFP engine.
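The two artifact types described above (per-app WDF block rules and per-app WFP filters) are what a defender should audit for. The following PowerShell script is an added example and not part of the BlockEDRTraffic project; it assumes an elevated session, a constructed and partial list of EDR binary names, and that `netsh wfp show filters` exports the usual `filters/item/displayData/name` and `filterCondition/.../byteBlob/asString` XML nodes. The filter display name it searches for, "Default Outbound Block", is the one visible in the example output further down.

```powershell
# Added defender-side audit script (not part of the BlockEDRTraffic project).
# Flags: 1. Windows Defender Firewall block rules whose application filter
#           points at a known EDR binary.
#        2. WFP filters named "Default Outbound Block" or whose ALE_APP_ID
#           condition resolves to a known EDR binary.
# Assumption: run elevated; $EdrBinaries is a constructed, partial sample list.
$EdrBinaries = @('MsMpEng.exe', 'NisSrv.exe', 'MpDefenderCoreService.exe', 'MsSense.exe')

function Get-SuspiciousFirewallRules {
    # Every enabled block rule, joined to its application filter (Program = image path)
    Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -and ($EdrBinaries -contains (Split-Path -Leaf $app.Program))) {
                [pscustomobject]@{
                    Kind      = 'WDF'
                    Name      = $_.DisplayName
                    Direction = $_.Direction
                    Program   = $app.Program
                }
            }
        }
}

function Get-SuspiciousWfpFilters {
    # Assumption: netsh exports the XML layout navigated below.
    $xml = Join-Path $env:TEMP 'wfp-filters.xml'
    netsh wfp show filters file="$xml" | Out-Null
    [xml]$doc = Get-Content -Raw $xml
    foreach ($item in $doc.filters.item) {
        $name = $item.displayData.name
        # Resolve the ALE_APP_ID condition (device path of the filtered image), if present
        $appId = $item.filterCondition.item |
            Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' } |
            ForEach-Object { $_.conditionValue.byteBlob.asString } |
            Select-Object -First 1
        $leaf = if ($appId) { Split-Path -Leaf $appId } else { '' }
        if ($name -eq 'Default Outbound Block' -or ($EdrBinaries -contains $leaf)) {
            [pscustomobject]@{ Kind = 'WFP'; Name = $name; Layer = $item.layerKey; Program = $appId }
        }
    }
}

$findings = @(Get-SuspiciousFirewallRules) + @(Get-SuspiciousWfpFilters)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No EDR block rules or filters found.' }
```

For continuous monitoring rather than a point-in-time audit, the same additions surface in the Security log as event 4946 (firewall rule added) and 5447 (WFP filter changed) when the MPSSVC Rule-Level Policy Change and Filtering Platform Policy Change audit subcategories are enabled.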

Supported EDRs

Currently supported EDRs and their processes include:

  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
  • Elastic EDR
  • BitDefender
  • Cortex
  • CrowdStrike
  • Sentinel
  • Sophos

Will add more when I get to test them. The process definitions are listed in process.c, making it easy to extend the blacklist with new entries. I haven't fully validated blocking of telemetry being sent towards the SIEM/Dashboard, but I did confirm process names from installed components.

Usage

  • Compile it using Visual Studio 2022

WindowsDefenderFirewall.exe

  • Use the -e parameter to block all EDR processes

PS C:\ > .\WindowsDefenderFirewall.exe
Usage: WindowsDefenderFirewall.exe -e / -d
Options:
   -e Enable  - Block blacklisted EDR processes
   -d Disable - Remove blocked firewall rules created by this tool
   -h         - Display this help message

WindowsFilteringPlatform.exe

  • Use the --edr parameter to block all EDR processes
  • Use the -e parameter to block a specific process

PS C:\ > .\WindowsFilteringPlatform.exe
Usage: WindowsFilteringPlatform.exe -e / -d  / --edr
Options:
   --edr          - Block traffic of blacklisted EDR processes
   -e <PROCESS>   - Block traffic of specified process
   -d             - Remove blocked firewall rules created by this tool
   -h             - Display this help message

Common scenarios

  • Block all blacklisted EDR processes (WFP):

PS C:\> .\WindowsFilteringPlatform.exe --edr

  • Block a single process (WFP):

PS C:\> .\WindowsFilteringPlatform.exe -e MsMpEng.exe

  • Remove created rules/filters:

PS C:\> .\WindowsFilteringPlatform.exe -d
PS C:\> .\WindowsDefenderFirewall.exe -d

Example

PS C:\ > .\WindowsFilteringPlatform.exe --edr
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
        OpenProcessToken - Retrieved handle to token 0x00000000000000AC
        GetTokenInformation1 - Retrieved 28 bytes of token information
        malloc - Allocated 28 bytes of memory at 0x0000026F0B871D60
        GetTokenInformation2 - Retrieved 28 bytes of token information at 0x0000026F0B871D60
        GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity

[i] BlockEDRTraffic - Blocking traffic of listed processes using Windows Filtering Platform
        GetModuleHandleW - Received handle to ntdll.dll 0x00007FFBCB420000
        GetProcAddress - Received address to NtQuerySystemInformation 0x00007FFBCB582F60
        NtQuerySystemInformation - Retrieved size in bytes for the system information: 292232
        HeapAlloc - Allocated 292232 bytes of memory for SystemProcessInformation at 0x0000026F0B879400
        NtQuerySystemInformation - Retrieved size in bytes of system information: 292232 at 0x0000026F0B879400
        HeapAlloc - Allocated 72 bytes of memory for the EDR process struct at 0x0000026F0B86ECC0
        OpenProcess - Opened handle to process "MpDefenderCoreService.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MpDefenderCoreService.exe"
        OpenProcess - Opened handle to process "MsMpEng.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MsMpEng.exe"
        OpenProcess - Opened handle to process "NisSrv.exe" 0x00000000000000AC
        QueryFullProcessImageNameW - Retrieved full process path "\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\NisSrv.exe"
        EnumerateEDRProcesses - 3 EDR processes enumerated
                Matched EDR process: "MpDefenderCoreService.exe" with PID 4288 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\mpdefendercoreservice.exe"
                Matched EDR process: "MsMpEng.exe" with PID 4332 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\msmpeng.exe"
                Matched EDR process: "NisSrv.exe" with PID 9808 and full path "\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18.25070.5-0\nissrv.exe"
[i] BlockTraffic - Looping through EDR processes and creating Windows Filtering Platform filters
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A140
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "MpDefenderCoreService.exe" with ID 77392
        FwpmFilterAdd0 - Added IPV6 filter for "MpDefenderCoreService.exe" with ID 77393
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B87A230
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "MsMpEng.exe" with ID 77394
        FwpmFilterAdd0 - Added IPV6 filter for "MsMpEng.exe" with ID 77395
        FwpmEngineOpen0 - Opened handle to WFP engine 0x0000026F0B87A680
        FwpmProviderCreateEnumHandle0 - Opened handle to WFP enum 0x0000026F0B879ED0
        FwpmProviderEnum0 - Enumerated 15 objects
        FindProviderGUIDByDesc - Provider with description "Microsoft Windows WFP Built-in custom provider." found
        FwpmFilterAdd0 - Added IPV4 filter for "NisSrv.exe" with ID 77396
        FwpmFilterAdd0 - Added IPV6 filter for "NisSrv.exe" with ID 77397
[+] BlockEDRTraffic - Windows Filtering Platform blocking filters for all processes have been created
PS C:\ > .\WindowsFilteringPlatform.exe -d
[i] IsProcessHighIntegrity - Checking if current process is running in High Integrity
        OpenProcessToken - Retrieved handle to token 0x00000000000000E0
        GetTokenInformation1 - Retrieved 28 bytes of token information
        malloc - Allocated 28 bytes of memory at 0x00000206BD931BB0
        GetTokenInformation2 - Retrieved 28 bytes of token information at 0x00000206BD931BB0
        GetSidSubAuthority - Integrity Level: 0x3000
[+] IsProcessHighIntegrity - Process running in High Integrity

[i] UnblockTraffic - Removing all Windows Filtering Platform rules with custom filter name "Default Outbound Block"
        FwpmEngineOpen0 - Opened handle to WFP engine 0x00000206BD93A470
        FwpmFilterCreateEnumHandle0 - Opened handle to enumerate filters 0x00000206BD939E90
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77397
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77394
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77393
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77392
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77396
        FwpmFilterDeleteById0 - Deleted filter "Default Outbound Block" with ID 77395
[+] UnblockTraffic - Windows Filtering Platform filters have been removed

Credits

I got inspired to expand upon the tools provided in the Evasion Lab (CETP from Altered Security), taught by Saad Ahla.

The EDRSilencer project.

Feature ideas

  • Block a specific executable on disk (not a running process)
  • Block all executables in a specific directory
  • Block a specific IP address or URL (is a wildcard possible?)
  • Block a list of IP addresses or URLs
  • Remotely apply WFP filters?
