BlockEDRTraffic – EDR Evasive Lateral Movement Tool
BlockEDRTraffic is a Windows toolset for blocking the network telemetry sent by EDR agents. It cuts the traffic with firewall rules or Windows Filtering Platform filters and requires elevated privileges to run. The tools do not disable security products; they only add filtering rules and include a cleanup function to remove them. Intended for red teams that need a short window of stealth during an engagement, and for testing detection capability. 2025-9-5 10:30:6 Author: www.darknet.org.uk

BlockEDRTraffic is a pair of Windows proof-of-concept tools that prevent Endpoint Detection and Response (EDR) agents from sending network telemetry. It supports two approaches. One executable creates inbound and outbound block rules with Windows Defender Firewall. The other creates per-application IPv4 and IPv6 filters with Windows Filtering Platform.

Both tools require a high-integrity context and SeDebugPrivilege. They enumerate running processes, match them against an embedded blacklist, and apply network blocks only to the matching targets. The tools do not disable or tamper with security products: they only add filtering rules, and they include a cleanup mode that removes the rules they created.

While defenders typically focus on event logs or kernel hooks, network telemetry remains a blind spot. BlockEDRTraffic creates a brief window of stealth, aligning with tools like AutoPwnKey, which avoids API calls via user simulation and BEOTM, which simulates EDR behaviour for testing bypasses.

Features

The repository currently lists Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Elastic EDR as supported targets and exposes process definitions in source so operators can extend the blacklist.

  • Two evasion paths. Windows Defender Firewall rule creation or Windows Filtering Platform filters for per-process blocking.
  • Privilege checks. Verifies elevated integrity and SeDebugPrivilege before acting.
  • Target discovery. Resolves full image paths for blacklist matching and shows what will be blocked.
  • Scoped cleanup. Removes only the rules and filters created by the tool.
  • Extensible targets. The EDR process list lives in the source code for easy updates.

Installation

The repository provides Visual Studio project files. Build with Visual Studio 2022 on a Windows development host.

Clone the repo: https://github.com/0xJs/BlockEDRTraffic

Open BlockTraffic.sln in Visual Studio 2022

Build Release x64 to produce WindowsDefenderFirewall.exe and WindowsFilteringPlatform.exe

Ensure execution occurs under a sufficiently privileged context to manipulate EDR processes in memory.

Usage

Use the -e parameter to block all EDR processes:

PS C:\ > .\WindowsDefenderFirewall.exe
Usage: WindowsDefenderFirewall.exe -e / -d

Options:
   -e Enable  - Block blacklisted EDR processes
   -d Disable - Remove blocked firewall rules created by this tool
   -h         - Display this help message

Use the --edr parameter to block all blacklisted EDR processes, or the -e parameter to block a specific process:

PS C:\ > .\WindowsFilteringPlatform.exe
Usage: WindowsFilteringPlatform.exe -e / -d  / --edr

Options:
   --edr          - Block traffic of blacklisted EDR processes
   -e <PROCESS>   - Block traffic of specified process
   -d             - Remove blocked firewall rules created by this tool
   -h             - Display this help message

Attack Scenario

During a red team engagement, an operator gains access to a host via phishing. They need to run BloodHound queries and move laterally using native PowerShell.

  1. Run WindowsDefenderFirewall.exe or WindowsFilteringPlatform.exe to suppress EDR network calls.
  2. Immediately execute Invoke-BloodHound and PsMapExec to enumerate user sessions and pivot quietly.
  3. Once the duration expires, EDR telemetry resumes, with minimal traces of evasive activity.

This allows the red team to move aggressively during a short stealth window while minimising exposure.

Red Team Relevance

BlockEDRTraffic fills the critical niche between payload obfuscation (e.g. Shell3r) and lateral movement tools. It doesn’t replace endpoint agents but turns them silent long enough to operate under the radar.

When paired with host-based detection like Falco, which monitors syscall behaviours in containers but may miss network gaps, BlockEDRTraffic demonstrates how adversaries might exploit lower reliability in network telemetry.

Conclusion

BlockEDRTraffic provides red teams with two reliable methods to mute EDR telemetry for a short operational window, utilising native Windows capabilities. It focuses on scoped per-process filtering, includes cleanup, and keeps changes transparent and auditable. Use it to validate detection depth beyond simple process monitoring and to measure how quickly defenders notice that their agent has gone quiet.
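As an added defensive counterpart (not part of BlockEDRTraffic or the original article), the PowerShell hunt below surfaces the two artefacts these techniques leave behind: firewall block rules scoped to an EDR binary, and firewall/WFP policy-change audit events. Filters added directly through the Windows Filtering Platform do not appear as firewall rules, which is why the event check is included; the process names in the watch list are assumed examples, so substitute the image names of the agents actually deployed in your environment.

```powershell
# Added defensive check, not part of BlockEDRTraffic. Run elevated: the Security log
# and firewall rule enumeration both require administrator rights.
# Assumption: $WatchList holds example EDR/AV image names; replace with your own agents.
param(
    [string[]]$WatchList = @('MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe', 'elastic-endpoint.exe', 'elastic-agent.exe'),
    [int]$LookbackHours = 24
)

# 1. Enabled block rules whose application filter is scoped to a watched binary.
#    Unscoped rules report Program = 'Any' and are skipped.
$suspectRules = foreach ($rule in Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue) {
    $app = Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $rule
    if ($app.Program -and $app.Program -ne 'Any') {
        if ($WatchList -contains (Split-Path -Leaf $app.Program)) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $app.Program
                Profile   = $rule.Profile
            }
        }
    }
}

# 2. Recent policy-change audit events: 4946 = firewall rule added, 4947 = rule modified,
#    5447 = WFP filter changed. These only exist if the "MPSSVC Rule-Level Policy Change"
#    and "Filtering Platform Policy Change" audit subcategories are enabled (auditpol).
$since = (Get-Date).AddHours(-$LookbackHours)
$changeEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 5447; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split '\r?\n')[0] } }

if ($suspectRules) {
    Write-Warning 'Block rules scoped to watched EDR binaries:'
    $suspectRules | Format-Table -AutoSize
} else {
    Write-Host 'No firewall block rules scoped to watched EDR binaries.'
}

Write-Host "Firewall/WFP policy-change events in the last $LookbackHours h: $(@($changeEvents).Count)"
$changeEvents | Format-Table -AutoSize
```

A WFP filter that shows up only as a 5447 event can be inspected with `netsh wfp show filters`, which writes the live filter set to filters.xml for review.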

You can read more or download BlockEDRTraffic here: https://github.com/0xJs/BlockEDRTraffic


Article source: https://www.darknet.org.uk/2025/09/blockedrtraffic-edr-evasive-lateral-movement-tool/