Welcome back! A big thanks for following along and taking the time to read through this series,...
On a recent Red Team engagement, one of the flags we needed to capture came from a compromised user device. After a bit of living off the land and some local priv esc, we needed to maintain some persistence however with their current Endpoint Detection and Response (EDR) solution in place we needed to lay some ground work to avoid their SOC stomping on us. One such approach we employed was using the Windows Filtering Platform (WFP) to mute the EDR alerts, effectively making the detections redundant. While this technique might seem like a niche threat, it showcases how attackers can exploit legitimate system functionalities to bypass defenses. In this article, I'll help explore how WFP can be used to evade EDR solutions, the importance of effective security configurations, and some things to look for in evaluating your EDR platform for preventing such evasion techniques.
Understanding the Windows Filtering Platform (WFP)
The Windows Filtering Platform is a set of APIs available in Windows that allows developers to interact with the network stack at various levels. WFP can be used for a variety of legitimate purposes, such as implementing custom firewalls, monitoring network activity, or enforcing data security policies. However, attackers can misuse WFP to tamper with network traffic in ways that can blind an EDR solution.
For example, by creating WFP filters, attackers can block outbound network connections from an EDR agent, effectively muting alerts that would otherwise be sent to a central logging server or security operations center (SOC). This type of evasion can be particularly effective in environments where the EDR heavily relies on network-based telemetry for alerting and analysis.
Explaining the Attack: Living off the Land with WFP
At a high level, using the Windows Filtering Platform (WFP) to silence EDR alerts involves manipulating the system's network traffic filtering capabilities. By leveraging WFP, an attacker can create rules that interfere with how an EDR solution monitors network activity. The goal is to prevent the EDR from detecting or reporting suspicious behavior.
In practice, this technique can be used to block or drop outbound network traffic generated by the EDR agent. If the EDR relies on this network communication to send alerts or logs to a central monitoring system, muting this traffic effectively blinds the EDR to any malicious activities occurring on the compromised machine. The attacker can then operate more stealthily, carrying out actions such as lateral movement within the network or data exfiltration without triggering alerts.
For the attack to be effective, it requires modifying WFP rules in a way that goes unnoticed or is difficult for the EDR to detect and undo. This type of evasion capitalises on legitimate functionalities in the Windows operating system, making it a rather stealthy technique for bypassing endpoint defences.
Hardening Endpoints Against WFP-Based Evasion Techniques
In this engagement, due to a combination of misconfigurations and outdated EDR platform this evasion technique demonstrated a creative way we could penetrate deeper in the target systems from the compromised user endpoint. As part of the debriefing on this engagement several security configurations were identified to help mitigate the risks associated with WFP-based techniques:
- Effective Privilege Management The key to executing WFP modifications is having elevated privileges on the system. Enforcing robust privilege management policies is critical. Ensure that users do not have administrative rights by default, and implement solutions like Just-In-Time (JIT) privilege escalation, where elevated rights are granted only when absolutely necessary and for a limited time.
- Secure EDR Configuration Many EDR platforms offer self-protection capabilities that prevent tampering or disabling of the agent even by administrators. Enabling these configurations can prevent WFP-based techniques from being effective. Ensure that your EDR is configured to monitor for any changes to WFP filters and alert on suspicious modifications.
- Utilising Kernel-Level Security Mechanisms Advanced EDR solutions offer kernel-level monitoring and tamper protection, making it difficult for attackers to silence the EDR. These mechanisms can detect and block attempts to manipulate WFP configurations or other critical system components.
Strengthening Defences Against WFP-Based Evasion
When it comes to protecting against WFP-based evasion techniques, the strength of an EDR solution's defence hinges on its ability to go beyond standard endpoint monitoring. An effective solution not only detects suspicious activities but also actively prevents tampering, enforces strict configuration controls, and integrates seamlessly with the operating system to monitor for low-level changes.
To combat WFP-based techniques, security teams should focus on a few key strategies:
- Enhanced Endpoint Visibility and Monitoring The ability to detect changes to system components such as WFP filters is essential. EDR solutions that continuously monitor for unusual modifications to network filtering rules, even those made by high-privilege users, can catch attempts to disable or mute EDR functionalities. Ensuring the security solution can alert administrators when critical configurations are altered adds an extra layer of defense.
- Robust Anti-Tampering Measures Advanced anti-tampering features are vital to prevent attackers from modifying or disabling the EDR agent. These measures should protect not only the agent itself but also any associated configurations and dependencies. Solutions that incorporate self-healing mechanisms, which automatically revert any unauthorized changes, make it difficult for attackers to persistently mute alerts.
- Comprehensive Threat Intelligence Integration Leveraging threat intelligence to enrich endpoint telemetry enables faster detection of sophisticated evasion tactics. Threat intelligence sources can provide context about emerging techniques like WFP manipulation, allowing EDR solutions to update their detection rules and prevention measures proactively.
- User and Privilege Management Restricting administrative privileges is critical for preventing tampering attempts. Solutions that integrate with privilege management tools to enforce least privilege principles and Just-In-Time access can significantly reduce the risk of an attacker gaining the necessary rights to manipulate WFP settings.
The Broader Implications of WFP Manipulation
The use of WFP to evade detection is a reminder of how attackers can "live off the land" by exploiting legitimate operating system functionalities. This technique highlights the ongoing challenge for defenders: distinguishing between normal administrative activity and malicious intent. The very tools that make Windows versatile for system administrators also present opportunities for attackers to manipulate the environment.
To stay ahead, organizations must adopt a multi-layered approach that goes beyond relying solely on EDR. This includes regular security audits, hardening operating system configurations, and integrating multiple security layers—such as network detection and response (NDR) and identity and access management (IAM)—to create a comprehensive defense strategy. By recognizing the potential for attackers to manipulate built-in Windows capabilities, security teams can better prepare their defenses for both today’s and tomorrow's threats.
Ultimately, a robust endpoint security strategy isn't just about having the best tool in place; it's about continuously evolving that tool’s capabilities and integrating it into a broader, adaptive security posture.
