Powerful Tools - EDRHunt
2022-8-29 00:0:42 Author: 橘猫学安全

EDRHunt scans Windows services, drivers, processes, and the registry to find installed EDR (Endpoint Detection and Response) products.

Installation

  • Download the latest release from the Releases section. Releases are built for windows/amd64.

  • Go install

    • Requires Go 1.17+ installed on the system.

    • go install github.com/FourCoreLabs/EDRHunt/cmd/[email protected]

Usage

  • Find installed EDRs

$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security

  • Scan everything

$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]
Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]

Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
  • Find drivers matching EDR keywords

FourCore Labs (https://fourcore.vision) | Version: 1.1
Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata: ProductName: Microsoft® Windows® Operating System OriginalFileName: WdFilter.sys InternalFileName: WdFilter Company Name: Microsoft Corporation FileDescription: Microsoft antimalware file system filter driver ProductVersion: 4.18.2109.6 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks:
Matched Keyword: [antimalware malware]

Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata: ProductName: Microsoft® Windows® Operating System OriginalFileName: hvsifltr.sys.mui InternalFileName: hvsifltr.sys Company Name: Microsoft Corporation FileDescription: Microsoft Defender Application Guard Filter Driver ProductVersion: 10.0.19041.1 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks:
Matched Keyword: [defender]

Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata: ProductName: Microsoft® Windows® Operating System OriginalFileName: wdnisdrv.sys InternalFileName: wdnisdrv.sys Company Name: Microsoft Corporation FileDescription: Windows Defender Network Stream Filter ProductVersion: 4.18.2109.6 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks:
Matched Keyword: [defender]
...
  • Find services matching EDR keywords

$ .\EDRHunt.exe -s

  • Find drivers matching EDR keywords

$ .\EDRHunt.exe -d

  • Find registry keys matching EDR keywords

$ .\EDRHunt.exe -r

Currently supported EDR detections:

  • Windows Defender

  • Kaspersky Security

  • Symantec Security

  • Crowdstrike Security

  • Mcafee Security

  • Cylance Security

  • Carbon Black

  • SentinelOne

  • FireEye
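The keyword matching behind the "Matched Keyword:" and "Detected EDR:" lines above, written here as an added Go example (not EDRHunt's own code). The keyword table is an assumption built from the keywords visible in the sample output plus product names from the supported list, the inventory records are constructed, and missingEDR turns the same matching into a defender's coverage check that reports which expected products were not found on the endpoint.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed keyword table (product -> lower-case substrings): the Defender
// entries are the keywords in the sample output above, the rest product names.
var edrKeywords = map[string][]string{
	"Windows Defender":   {"msmpeng", "nissrv", "defender", "antimalware", "malware"},
	"Kaspersky Security": {"kaspersky"},
	"SentinelOne":        {"sentinelone"},
}

// matchKeywords takes inventory records (one string per process, service,
// driver or registry key with its metadata) and returns product -> sorted
// keywords matched case-insensitively; products with no hit are absent.
func matchKeywords(records []string) map[string][]string {
	hay := strings.ToLower(strings.Join(records, " "))
	out := map[string][]string{}
	for product, kws := range edrKeywords {
		for _, kw := range kws {
			if strings.Contains(hay, kw) {
				out[product] = append(out[product], kw)
			}
		}
		sort.Strings(out[product]) // no-op for products with no hit
	}
	return out
}

// missingEDR is the defender's use of the same matching: products a baseline
// expects on the endpoint that produced no match at all, i.e. a coverage gap.
func missingEDR(expected, records []string) (missing []string) {
	found := matchKeywords(records)
	for _, p := range expected {
		if _, ok := found[p]; !ok {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	// Constructed inventory modelled on the "all" output above.
	inv := []string{"MsMpEng.exe MsMpEng.exe", "WdFilter.sys Microsoft antimalware file system filter driver"}
	fmt.Println(matchKeywords(inv), missingEDR([]string{"Windows Defender", "Kaspersky Security"}, inv))
}
```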

https://github.com/FourCoreLabs/EDRHunt



Article source: http://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247497720&idx=1&sn=4d8d6bd6e8feb67be4298b9bb8214528&chksm=c04d70c6f73af9d072fbdb5199e0e9ff9553b4ea54b24005c27b5457c1a17127e1e5dffd2d70#rd