🔴 HIGH

SilentButDeadly Tool Disrupts EDR Cloud Telemetry via WFP

Category: Threat Alerts
SilentButDeadly is an open-source Windows tool that targets EDR and antivirus architectures by blocking their network communications using the Windows Filtering Platform (WFP). Instead of killing security processes, the tool programmatically inserts temporary, bidirectional firewall filters around EDR processes such as SentinelAgent.exe and MsMpEng.exe, effectively isolating them from their cloud backends. This technique, an evolution of the earlier EDRSilencer concept, maps directly to T1562 (Impair Defenses) and T1070 (Indicator Removal) because it cuts off telemetry and remote command channels while leaving local scanning mostly intact. For red teams, this offers a powerful way to simulate EDR evasion; for defenders, it highlights a blind spot in cloud-centric endpoint detection strategies.

The tool works by enumerating processes via standard Windows APIs, identifying EDR components based on a configurable target list, and then initializing a dynamic Windows Filtering Platform session. It installs per-process filters at the ALE layers for outbound connection attempts and inbound responses, using high-priority weights and AppID-based conditions to avoid collateral damage. Because the filters are dynamic and tied to a specific session, SilentButDeadly can clean up its rules on exit, reducing persistent artifacts and complicating forensic analysis. Optional flags allow persistent filters or verbose logging. By default the tool relies only on documented user-mode APIs with administrator privileges, avoiding kernel tampering that might trigger low-level integrity checks.

Business risk arises because many modern EDR deployments assume consistent cloud connectivity for event streaming, detection updates, and remote response actions. If an attacker or malicious insider can run SilentButDeadly or a similar WFP-based evasion technique, they can silently neuter cloud telemetry while keeping EDR services running to avoid raising alarms, creating a window for data exfiltration or lateral movement. Organizations that depend on cloud-managed EDR for compliance reporting or regulated logging can find themselves out of alignment with expectations under SOC 2, ISO 27001, or sectoral rules if key telemetry paths are disabled without detection.

Defenders should treat SilentButDeadly as both a red-team utility and a proof of concept for a broader class of EDR evasion, and update detection strategies accordingly. Recommended mitigations include tightening administrator rights, monitoring Windows Filtering Platform event logs and configuration changes for unexpected filters around security processes, and validating that EDR agents enforce local tamper protection for network rules. Security teams can also ingest WFP configuration snapshots into SIEM pipelines, baseline legitimate EDR connectivity, and alert when cloud heartbeat or telemetry patterns deviate from normal, even when processes appear to run normally on endpoints.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: SilentButDeadly exposes a structural weakness in EDR deployments that rely heavily on cloud telemetry, enabling attackers to impair defenses without obvious signs by cutting off network communication rather than killing processes. If abused in production, this EDR evasion technique could allow ransomware or data exfiltration operations to proceed with minimal detection, undermining compliance reporting and incident response readiness.

Technical Context: The tool leverages the Windows Filtering Platform to install process-specific filters that block outbound and inbound network flows for targeted EDR and AV executables, mapping to T1562 (Impair Defenses) by degrading monitoring and T1070 (Indicator Removal) by removing telemetry. Because it relies on documented user-mode APIs and dynamic sessions, it can leave a smaller forensic footprint than kernel-mode tampering while still neutralizing cloud-connected EDR sensors.

Strategic Intelligence Guidance

  • Restrict and monitor administrator privileges on Windows systems, ensuring that red-team tooling and unsigned binaries like SilentButDeadly cannot run on production endpoints without strong authorization.
  • Instrument Windows Filtering Platform logs and configuration changes to detect new filters that reference EDR or AV processes, and create alerts when security software loses cloud connectivity unexpectedly.
  • Validate that EDR agents enforce tamper-protection policies around firewall and network stack manipulation, and test vendor behavior using tools such as SilentButDeadly in controlled lab environments.
  • Incorporate WFP and EDR connectivity checks into continuous monitoring, baselining expected telemetry patterns and alerting when endpoint agents remain running but stop sending events to the cloud.
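The last guidance item (baseline expected telemetry and alert when an agent is still running but has gone quiet) is the console-side complement to host-side WFP auditing, and it is the check that catches this technique even when local logs are unavailable. The following is an added example for this page, not vendor code: it takes a constructed series of cloud heartbeat timestamps per host (in practice pulled from the EDR console API or SIEM), derives each host's normal heartbeat interval from the median gap, and raises an alert when the silence exceeds a tolerance multiple of that baseline. A second, independent signal (whether the agent process is still running, e.g. from a process inventory that does not depend on the EDR's own cloud channel) separates "agent stopped" from "agent running but silenced", which is the SilentButDeadly pattern.

```python
from datetime import datetime, timedelta
from statistics import median


def every(start: datetime, minutes: int, count: int):
    """Constructed helper: `count` timestamps spaced `minutes` apart from `start`."""
    return [start + timedelta(minutes=minutes * i) for i in range(count)]


# Constructed telemetry: cloud heartbeats received per host. Dates are invented.
T0 = datetime(2024, 1, 1, 9, 0)
HEARTBEATS = {
    "ws-001": every(T0, 5, 13),   # 09:00 .. 10:00, then silence
    "ws-002": every(T0, 5, 24),   # 09:00 .. 10:55, healthy
    "ws-003": every(T0, 5, 7),    # 09:00 .. 09:30, then silence
}

# Constructed inventory from a channel independent of the EDR cloud link:
# is the agent process still alive on the host?
AGENT_RUNNING = {"ws-001": True, "ws-002": True, "ws-003": False}

NOW = datetime(2024, 1, 1, 11, 0)


def baseline_interval(timestamps) -> float:
    """Median gap in seconds between consecutive heartbeats (robust to one-off jitter)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return median(gaps)


def stalled_agents(heartbeats, running, now, tolerance=3.0):
    """Hosts whose last heartbeat is older than `tolerance` x their own baseline.

    suspected_telemetry_block is True when the agent process is still running
    yet nothing reaches the cloud: the signature of a network-level silencer
    rather than a crashed or stopped agent.
    """
    alerts = {}
    for host, ts in heartbeats.items():
        if len(ts) < 2:
            continue  # no baseline yet; handle separately (new host)
        base = baseline_interval(ts)
        silence = (now - max(ts)).total_seconds()
        if silence > tolerance * base:
            alive = bool(running.get(host, False))
            alerts[host] = {
                "silent_for_s": silence,
                "baseline_s": base,
                "process_running": alive,
                "suspected_telemetry_block": alive,
            }
    return alerts


if __name__ == "__main__":
    for host, info in stalled_agents(HEARTBEATS, AGENT_RUNNING, NOW).items():
        kind = "RUNNING BUT SILENT" if info["suspected_telemetry_block"] else "agent down"
        print(f"{host}: {kind}, silent {info['silent_for_s']:.0f}s (baseline {info['baseline_s']:.0f}s)")
```

The tolerance multiplier is the knob to tune against normal offline periods (laptops sleeping, VPN drops); a complementary rule is to pair a "running but silent" verdict with any 5157 block event for the agent binary on that host, which turns a heuristic into a high-confidence detection.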

Vendors

Microsoft, SentinelOne, Invariant Labs

Threats

EDR evasion tooling

Targets

Windows EDR agents, Cloud-managed AV platforms