FourCoreLabs / EDRHunt

Licence: MIT license
Scan installed EDRs and AVs on Windows

Programming Languages

go

EDRHunt

EDRHunt scans Windows services, drivers, processes, the registry and WMI for installed EDR (Endpoint Detection and Response) products, matching names and file metadata against a table of vendor keywords. Read more about EDRHunt here.

Install

  • Binary

    • Download the latest release from the release section. Releases are built for windows/amd64.
  • Go

    • Requires Go to be installed on the system. Tested on Go 1.17+.
    • go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master

Usage

  • Find installed EDRs
$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
  • Scan Everything
$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, wmi, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
  • Example output of a driver scan (drivers matching EDR keywords)
    __________  ____     __  ____  ___   ________
   / ____/ __ \/ __ \   / / / / / / / | / /_  __/
  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / /
 / /___/ /_/ / _, _/  / __  / /_/ / /|  / / /
/_____/_____/_/ |_|  /_/ /_/\____/_/ |_/ /_/

FourCore Labs (https://fourcore.vision) | Version: 1.1

Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
        ProductName: Microsoft® Windows® Operating System
        OriginalFileName: WdFilter.sys
        InternalFileName: WdFilter
        Company Name: Microsoft Corporation
        FileDescription: Microsoft antimalware file system filter driver
        ProductVersion: 4.18.2109.6
        Comments:
        LegalCopyright: © Microsoft Corporation. All rights reserved.
        LegalTrademarks:
Matched Keyword: [antimalware malware]

Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
        ProductName: Microsoft® Windows® Operating System
        OriginalFileName: hvsifltr.sys.mui
        InternalFileName: hvsifltr.sys
        Company Name: Microsoft Corporation
        FileDescription: Microsoft Defender Application Guard Filter Driver
        ProductVersion: 10.0.19041.1
        Comments:
        LegalCopyright: © Microsoft Corporation. All rights reserved.
        LegalTrademarks:
Matched Keyword: [defender]

Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata:
        ProductName: Microsoft® Windows® Operating System
        OriginalFileName: wdnisdrv.sys
        InternalFileName: wdnisdrv.sys
        Company Name: Microsoft Corporation
        FileDescription: Windows Defender Network Stream Filter
        ProductVersion: 4.18.2109.6
        Comments:
        LegalCopyright: © Microsoft Corporation. All rights reserved.
        LegalTrademarks:
Matched Keyword: [defender]
...
  • Find services matching EDR keywords
$ .\EDRHunt.exe -s
  • Find drivers matching EDR keywords
$ .\EDRHunt.exe -d
  • Find registry keys matching EDR keywords
$ .\EDRHunt.exe -r
  • Find WMI Repository keys matching EDR keywords
$ .\EDRHunt.exe -w
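The matching that the output above illustrates, as an added example in Go (the project's language) that is not EDRHunt's own code: each driver's version-resource fields and each process name are joined into one string and searched case-insensitively for vendor keywords, and a product is reported as detected when any artifact hits. The keyword table, the `Scan` and `MatchKeywords` functions and the sample records are assumptions made for this example; the records are constructed from the metadata shown in the output above, with tcpip.sys and explorer.exe added as negative cases. EDRHunt's real keyword list and its Windows API collection code are not reproduced here, which is also why this runs on any platform.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DriverInfo carries the version-resource fields EDRHunt prints for a driver.
// On Windows they come from the file's VERSIONINFO resource; this example
// constructs them inline so it runs without Windows.
type DriverInfo struct {
	Module, FilePath, ProductName, OriginalName, InternalName, CompanyName, FileDescription string
}

// ProcessInfo is the subset of process fields used for matching.
type ProcessInfo struct {
	Name, CmdLine string
	PID           int
}

// Hit records one artifact that matched an EDR's keyword set.
type Hit struct {
	EDR, Kind, Artifact string // Kind is "driver" or "process"
	Keywords            []string
}

// edrKeywords is an ASSUMED, abbreviated keyword table used only for this
// example; it is not EDRHunt's own list, which is larger and lives in the project.
var edrKeywords = map[string][]string{
	"Windows Defender":     {"defender", "msmpeng", "nissrv", "antimalware", "wdfilter", "wdnisdrv"},
	"Kaspersky Security":   {"kaspersky", "klif", "avp.exe"},
	"Crowdstrike Security": {"crowdstrike", "csagent", "csfalcon"},
	"SentinelOne":          {"sentinel"},
}

// MatchKeywords returns every keyword that occurs in haystack, compared
// case-insensitively as a substring, in keyword-list order.
func MatchKeywords(haystack string, keywords []string) []string {
	h := strings.ToLower(haystack)
	var hits []string
	for _, k := range keywords {
		if strings.Contains(h, strings.ToLower(k)) {
			hits = append(hits, k)
		}
	}
	return hits
}

// driverHaystack joins every metadata field so a keyword in any one of them
// counts: WdFilter.sys matches "antimalware" only through its FileDescription.
func driverHaystack(d DriverInfo) string {
	return strings.Join([]string{d.Module, d.FilePath, d.ProductName, d.OriginalName,
		d.InternalName, d.CompanyName, d.FileDescription}, " ")
}

// Scan runs the keyword table over drivers and processes. EDR names are visited
// in sorted order so the hit list is deterministic; the second return value is
// the sorted list of products that had at least one hit.
func Scan(drivers []DriverInfo, procs []ProcessInfo) ([]Hit, []string) {
	edrs := make([]string, 0, len(edrKeywords))
	for edr := range edrKeywords {
		edrs = append(edrs, edr)
	}
	sort.Strings(edrs)

	var hits []Hit
	var detected []string
	for _, edr := range edrs {
		kws := edrKeywords[edr]
		before := len(hits)
		for _, d := range drivers {
			if m := MatchKeywords(driverHaystack(d), kws); len(m) > 0 {
				hits = append(hits, Hit{edr, "driver", d.Module, m})
			}
		}
		for _, p := range procs {
			if m := MatchKeywords(p.Name+" "+p.CmdLine, kws); len(m) > 0 {
				hits = append(hits, Hit{edr, "process", p.Name, m})
			}
		}
		if len(hits) > before {
			detected = append(detected, edr)
		}
	}
	return hits, detected
}

// SampleDrivers and SampleProcesses are CONSTRUCTED from the metadata in the
// page's own output, plus tcpip.sys and explorer.exe as negative cases.
func SampleDrivers() []DriverInfo {
	return []DriverInfo{
		{"WdFilter.sys", `c:\windows\system32\drivers\wd\wdfilter.sys`, "Microsoft® Windows® Operating System",
			"WdFilter.sys", "WdFilter", "Microsoft Corporation", "Microsoft antimalware file system filter driver"},
		{"hvsifltr.sys", `c:\windows\system32\drivers\hvsifltr.sys`, "Microsoft® Windows® Operating System",
			"hvsifltr.sys.mui", "hvsifltr.sys", "Microsoft Corporation", "Microsoft Defender Application Guard Filter Driver"},
		{"WdNisDrv.sys", `c:\windows\system32\drivers\wd\wdnisdrv.sys`, "Microsoft® Windows® Operating System",
			"wdnisdrv.sys", "wdnisdrv.sys", "Microsoft Corporation", "Windows Defender Network Stream Filter"},
		{"tcpip.sys", `c:\windows\system32\drivers\tcpip.sys`, "Microsoft® Windows® Operating System",
			"tcpip.sys", "tcpip.sys", "Microsoft Corporation", "TCP/IP Driver"},
	}
}

func SampleProcesses() []ProcessInfo {
	return []ProcessInfo{{"MsMpEng.exe", "", 6764}, {"NisSrv.exe", "", 9840}, {"explorer.exe", "", 4212}}
}

func main() {
	hits, detected := Scan(SampleDrivers(), SampleProcesses())
	for _, h := range hits {
		fmt.Printf("Suspicious %s: %s (%s) Matched Keyword: %v\n", h.Kind, h.Artifact, h.EDR, h.Keywords)
	}
	for _, e := range detected {
		fmt.Println("Detected EDR:", e)
	}
}
```

Two caveats the sample data makes visible. Substring matching is a heuristic: hvsifltr.sys is the Defender Application Guard filter, not the antimalware engine, yet it hits on "defender" both here and in the page's own output, so treat per-artifact hits as leads and rely on the product-level summary (the [EDR] block) for the conclusion. And because an unprivileged run cannot read every driver and process attribute (the tool itself prints "escalate to admin for more details"), a scan run as a standard user can miss keywords that live only in fields it could not read.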

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security
  • Symantec Security
  • Crowdstrike Security
  • Mcafee Security
  • Cylance Security
  • Carbon Black
  • SentinelOne
  • FireEye
  • Elastic EDR
  • Qualys EDR
  • Trend Micro EDR
  • ESET EDR
  • Cybereason EDR
  • BitDefender EDR
  • Checkpoint EDR
  • Cynet EDR
  • DeepInstinct EDR
  • Sophos EDR
  • Fortinet EDR
  • MalwareBytes EDR
  • LimaCharlie Agent

More to be added soon.

Community

We would appreciate it if you ran EDRHunt on your own deployments and tested the detections. Thanks!
