WFP Filter Added via Registry

Hunt Hypothesis

Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.

Detection Rule

Sigma (Original)

title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
    - https://www.huntress.com/blog/silencing-the-edr-silencers
    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
    filter_main_svchost:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*" and (not((ActingProcessName in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"))))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Execution
• Technique: T1685 — T1685
• Technique: T1569.002 — T1569.002

References

• https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
• https://www.huntress.com/blog/silencing-the-edr-silencers
• https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
• SigmaHQ Rule