host-interaction/network/traffic/filter
rule:
meta:
name: enumerate network filters via WFP API
namespace: host-interaction/network/traffic/filter
authors:
- jakub.jozwiak@mandiant.com
scopes:
static: function
dynamic: thread
references:
- https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
- https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
examples:
- d9531e53036c5d04fbe7d1aeae2988c3bf0fdec63774690c5df70cc121af8de4:0x10001DF0
features:
- and:
- api: fwpkclnt.FwpmFilterCreateEnumHandle0
- api: fwpkclnt.FwpmFilterEnum0
last edited: 2024-09-16 12:43:28