Merge PR #5111 from @frack113 - Add WFP Filter Added via Registry

new: WFP Filter Added via Registry

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>

Author: 3 people

rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml

@@ -0,0 +1,30 @@
+title: WFP Filter Added via Registry
+id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
+status: experimental
+description: |
+    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
+references:
+    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
+    - https://www.huntress.com/blog/silencing-the-edr-silencers
+    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
+author: Frack113
+date: 2025-10-23
+tags:
+    - attack.defense-evasion
+    - attack.execution
+    - attack.t1562
+    - attack.t1569.002
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
+    filter_main_svchost:
+        Image:
+            - 'C:\Windows\System32\svchost.exe'
+            - 'C:\Windows\SysWOW64\svchost.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium