
op7ic / Edr Testing Script

Licence: MIT
Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads

Projects that are alternatives of or similar to Edr Testing Script

Siac
SIAC is an enterprise SIEM built on open-source technology.
Stars: ✭ 100 (-26.47%)
Mutual labels:  incident-response
Invoke Liveresponse
Invoke-LiveResponse
Stars: ✭ 115 (-15.44%)
Mutual labels:  incident-response
Find Sec Bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects)
Stars: ✭ 1,748 (+1185.29%)
Mutual labels:  security-audit
Patrowldocs
PatrOwl - Open Source, Free and Scalable Security Operations Orchestration Platform
Stars: ✭ 105 (-22.79%)
Mutual labels:  incident-response
Kccss
Kubernetes Common Configuration Scoring System
Stars: ✭ 111 (-18.38%)
Mutual labels:  security-audit
Encrypt.to
Send encrypted PGP messages with one click
Stars: ✭ 116 (-14.71%)
Mutual labels:  security-audit
Cloudsploit
Cloud Security Posture Management (CSPM)
Stars: ✭ 1,338 (+883.82%)
Mutual labels:  security-audit
Reconnoitre
A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
Stars: ✭ 1,824 (+1241.18%)
Mutual labels:  security-audit
Dockle
Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
Stars: ✭ 1,713 (+1159.56%)
Mutual labels:  security-audit
Windows Ad Environment Related
This Repository contains the stuff related to windows Active directory environment exploitation
Stars: ✭ 123 (-9.56%)
Mutual labels:  security-audit
Gda Android Reversing Tool
GDA is a new fast and powerful decompiler in C++(working without Java VM) for the APK, DEX, ODEX, OAT, JAR, AAR, and CLASS file. which supports malicious behavior detection, privacy leaking detection, vulnerability detection, path solving, packer identification, variable tracking, deobfuscation, python&java scripts, device memory extraction, dat…
Stars: ✭ 2,332 (+1614.71%)
Mutual labels:  security-audit
Catnip
Cat-Nip Automated Basic Pentest Tool - Designed For Kali Linux
Stars: ✭ 108 (-20.59%)
Mutual labels:  security-audit
Sippts
Set of tools to audit SIP based VoIP Systems
Stars: ✭ 116 (-14.71%)
Mutual labels:  security-audit
Drek
A static-code-analysis tool for performing security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.
Stars: ✭ 103 (-24.26%)
Mutual labels:  security-audit
Mthc
All-in-one bundle of MISP, TheHive and Cortex
Stars: ✭ 134 (-1.47%)
Mutual labels:  incident-response
Vsaudit
VOIP Security Audit Framework
Stars: ✭ 97 (-28.68%)
Mutual labels:  security-audit
Wynis
Audit Windows Security with best Practice
Stars: ✭ 116 (-14.71%)
Mutual labels:  security-audit
Minimalistic Offensive Security Tools
A repository of tools for pentesting of restricted and isolated environments.
Stars: ✭ 135 (-0.74%)
Mutual labels:  security-audit
Nosqlmap
Automated NoSQL database enumeration and web application exploitation tool.
Stars: ✭ 1,928 (+1317.65%)
Mutual labels:  security-audit
Horn3t
Powerful Visual Subdomain Enumeration at the Click of a Mouse
Stars: ✭ 120 (-11.76%)
Mutual labels:  security-audit

EDR-Testing-Script

This repository contains a simple script to test EDR solutions against the MITRE ATT&CK, LOLBAS and Invoke-CradleCrafter frameworks. This project is very much in its infancy right now. It is written as a single batch script so it can be easily uploaded and run (as opposed to unzipped, compiled and installed). The script can run either as a normal user or as Administrator; however, some tests will fail if it is not given high privileges.

Right now this script only works on Windows and should work with most endpoint security solutions.

How To

Run the runtests script and observe the alerts arriving in your EDR console. Cross-verify these alerts to check whether your EDR solution identified each test correctly. Most tests just execute calc.exe, but the script can easily be modified to download and execute something else, e.g. Mimikatz. DO NOT USE THIS SCRIPT ON PRODUCTION SYSTEMS; INSTEAD DEPLOY IT IN A VM WITH THE EDR INSTALLED.

Why

Because it is hard to figure out how accurate EDRs are. Most EDR solutions are sold as a silver bullet for security, but it is actually difficult to check how many different malicious techniques are correctly identified and contained. MITRE and LOLBAS do a pretty good job of mapping the common tools and techniques attackers use to pivot, execute code and progress through internal networks, and this tool executes those techniques to help organizations verify the accuracy of the deployed EDR product.

Weaponization

The script executes calc.exe. You can easily replace this with a Metasploit executable where needed, but the payloads will need to be modified to reflect the change.

Tested On

  • Windows 7 x86
  • Windows 7 x64
  • Windows 10 x64

Coverage

The following techniques are currently covered by this script:

ATT&CK | LOLBAS                     | Invoke-CradleCrafter    | Custom Variants                    | Invoke-DOSfuscation
-------+----------------------------+-------------------------+------------------------------------+--------------------
T1197  | msiexec.exe                | MEMORY\PSWEBSTRING      | winnt32 bitsadmin regsrv32         | BINARY\CMD\1
T1118  | diskshadow.exe             | MEMORY\PSWEBDATA        | winrs manage-bde.wsf + rundll32 JS | BINARY\CMD\2
T1170  | esentutl.exe               | MEMORY\PSWEBOPENREAD    | waitfor                            | BINARY\CMD\3
T1086  | replace.exe                | MEMORY\NETWEBSTRING     | .SettingContent-ms file            | BINARY\PS\1
T1121  | SyncAppvPublishingServer   | MEMORY\NETWEBDATA       |                                    | BINARY\PS\2
T1117  | hh.exe                     | MEMORY\NETWEBOPENREAD   |                                    | BINARY\PS\3
T1127  | ieexec.exe                 | MEMORY\PSWEBREQUEST     |                                    | ENCODING\1
T1047  | Setupapi                   | MEMORY\PSRESTMETHOD     |                                    | ENCODING\2
T1128  | Shdocvw                    | MEMORY\NETWEBREQUEST    |                                    | ENCODING\3
T1085  | csc.exe                    | MEMORY\PSSENDKEYS       |                                    | PAYLOAD\CONCAT\1
T1130  | advpack.dll                | MEMORY\PSCOMWORD        |                                    | PAYLOAD\CONCAT\2
T1191  | Scriptrunner               | MEMORY\PSCOMEXCEL       |                                    | PAYLOAD\CONCAT\3
T1202  | sc                         | MEMORY\PSCOMIE          |                                    | PAYLOAD\REVERSE\1
T1028  | Register-cimprovider       | MEMORY\PSCOMMSXML       |                                    | PAYLOAD\REVERSE\2
T1053  | control.exe                | MEMORY\PSINLINECSHARP   |                                    | PAYLOAD\REVERSE\3
T1216  | manage-bde.wsf             | MEMORY\PSCOMPILEDCSHARP |                                    | PAYLOAD\FORCODE\1
T1218  | AppVLP.exe                 | MEMORY\CERTUTIL         |                                    | PAYLOAD\FORCODE\2
T1033  | ScriptRunner.exe           | DISK\PSWEBFILE          |                                    | PAYLOAD\FORCODE\3
T1140  | Pester.bat                 | DISK\PSBITS             |                                    | PAYLOAD\FINCODE\1
T1183  | powershellcustomhost.exe   | DISK\BITSADMIN          |                                    | PAYLOAD\FINCODE\2
T1096  | PresentationHost.exe       | DISK\CERTUTIL           |                                    | PAYLOAD\FINCODE\3
T1055  | Command Processor Registry |                         |                                    |
T1015  | gpup.exe                   |                         |                                    |
T1138  | VBoxDrvInst                |                         |                                    |
       | InstallHinfSection         |                         |                                    |
       | Atbroker                   |                         |                                    |
       | msconfig                   |                         |                                    |
       | dnscmd                     |                         |                                    |
       | java.exe                   |                         |                                    |
       | WseClientSvc.exe           |                         |                                    |
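The How To section asks you to cross-verify the alerts in the EDR console against the tests that ran. The following Python script is an added example, not part of the EDR-Testing-Script project, showing one way to do that cross-check from the defender's side: it takes the ATT&CK technique IDs listed in the coverage table above and compares them against an alert export from the EDR. The JSON field names ("technique", "process", "action") and the sample alert lines are constructed for this example; a real EDR export will use its own schema, so adapt parse_alerts() accordingly.

```python
"""Cross-verify EDR alerts against the ATT&CK IDs the test script covers.

Added example; not part of the EDR-Testing-Script project. The alert
schema and the sample export below are constructed assumptions.
"""
import json
from collections import Counter

# ATT&CK IDs taken from the coverage table of the test script.
EXPECTED_TECHNIQUES = [
    "T1197", "T1118", "T1170", "T1086", "T1121", "T1117", "T1127", "T1047",
    "T1128", "T1085", "T1130", "T1191", "T1202", "T1028", "T1053", "T1216",
    "T1218", "T1033", "T1140", "T1183", "T1096", "T1055", "T1015", "T1138",
]

# Constructed sample export (one JSON object per line). A real run would
# read the file the EDR console exports after the test VM finishes.
SAMPLE_ALERTS = """\
{"ts": "2019-05-01T10:00:01Z", "host": "edr-test-vm", "technique": "T1197", "process": "bitsadmin.exe", "action": "blocked"}
{"ts": "2019-05-01T10:00:03Z", "host": "edr-test-vm", "technique": "T1218", "process": "rundll32.exe", "action": "alerted"}
{"ts": "2019-05-01T10:00:04Z", "host": "edr-test-vm", "technique": "T1218", "process": "msiexec.exe", "action": "alerted"}
{"ts": "2019-05-01T10:00:07Z", "host": "edr-test-vm", "technique": "T1086", "process": "powershell.exe", "action": "alerted"}
Export generated by EDR console (constructed banner line, not JSON)
{"ts": "2019-05-01T10:00:09Z", "host": "edr-test-vm", "technique": "T1059", "process": "cmd.exe", "action": "alerted"}
"""


def parse_alerts(text):
    """Yield (technique, process, action) for each well-formed JSON line.

    Banner lines and malformed records are skipped rather than aborting the
    run, because console exports are rarely clean.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        tech = rec.get("technique")
        if isinstance(tech, str) and tech.startswith("T"):
            yield tech, rec.get("process", "?"), rec.get("action", "?")


def coverage_report(expected, alerts):
    """Compare expected technique IDs with the IDs the EDR actually raised.

    Returns the detected and missed expected techniques, alerts that map to
    techniques outside the test set (possible noise or mis-attribution),
    a per-technique alert count and the overall coverage ratio.
    """
    seen = Counter(tech for tech, _, _ in alerts)
    expected_set = set(expected)
    detected = sorted(t for t in expected if t in seen)
    missed = sorted(t for t in expected if t not in seen)
    unexpected = sorted(t for t in seen if t not in expected_set)
    return {
        "detected": detected,
        "missed": missed,
        "unexpected": unexpected,
        "alerts_per_technique": dict(seen),
        "coverage": len(detected) / len(expected) if expected else 0.0,
    }


def run(text=SAMPLE_ALERTS, expected=EXPECTED_TECHNIQUES):
    """Parse an export, print a short summary and return the full report."""
    report = coverage_report(expected, list(parse_alerts(text)))
    print(f"coverage: {report['coverage']:.0%} "
          f"({len(report['detected'])}/{len(expected)} techniques)")
    print("missed:", ", ".join(report["missed"]) or "none")
    print("outside test set:", ", ".join(report["unexpected"]) or "none")
    return report


if __name__ == "__main__":
    run()
```

The "unexpected" list is worth reading as carefully as the "missed" list: an alert filed under a technique the test never exercised usually means the EDR attributed the activity to a different ATT&CK ID than the one the test script intended, which is a mapping question rather than a miss.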

Run with Metasploit

If you want to run this script as part of a Purple Team exercise, a simple MSF module execution will do:

msf > use post/multi/manage/upload_exec
msf post(upload_exec) > set lfile /tmp/runtests.bat
lfile => /tmp/runtests.bat
msf post(upload_exec) > set rfile C:\\Users\\Public\\runtests.bat
rfile => C:\\Users\\Public\\runtests.bat
msf post(upload_exec) > set session 1
session => 1
msf post(upload_exec) > run

Run with Cobalt Strike

Using the plugin in the Cobalt folder, simply load it and click "EDR TEST > RUN ALL TESTS" against the specified target.

Thanks

Everyone working on awesome projects like LOLBAS or Invoke-CradleCrafter
