Sigma
Sigma rules for CVE-2004-1272
5 rules · scoped to cve · back to CVE-2004-1272
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
5 of 5
direct
high
HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
view Sigma YAML
title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: test
description: |
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
- https://github.com/netero1010/EDRSilencer
author: Thodoris Polyzos (@SmoothDeploy)
date: 2024-01-29
modified: 2024-01-30
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
selection:
EventID:
- 5441
- 5447
FilterName|contains: 'Custom Outbound Filter'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
view Sigma YAML
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
- https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
direct
medium
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
view Sigma YAML
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.002
logsource:
category: process_creation
product: windows
detection:
selection_cmdline:
CommandLine|contains|all:
- 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
- 'scecli\0*'
- 'reg add'
condition: selection_cmdline
falsepositives:
- Unknown
level: medium
direct
medium
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
view Sigma YAML
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
- id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains: 'unload'
filter_optional_avira:
ParentImage|contains:
- '\AppData\Local\Temp\'
- ':\Windows\Temp\'
ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
CommandLine|endswith:
- 'unload rtp_filesystem_filter'
- 'unload rtp_filter'
filter_optional_manageengine:
ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
CommandLine|endswith: 'unload DFMFilter'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
direct
medium
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
view Sigma YAML
title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
- https://www.huntress.com/blog/silencing-the-edr-silencers
- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
filter_main_svchost:
Image:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Showing 1-5 of 5