Kali Linux

EDRHunt : Scan Installed EDRs And AVs On Windows

EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt

Install

  • Binary
    • Download the latest release from the release section. Releases are built for windows/amd64.
  • Go
    • Requires Go to be installed on system. Tested on Go1.17+.
    • go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master

Usage

  • Find installed EDRs

$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security

Scan Everything

$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry…
[PROCESSES]
Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]
Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched
Keyword: [nissrv]

Find drivers matching EDR keywords

/ / _ \/ _ \ / / / / / / / | / / / / / / / / / // / / // / / / / |/ / / /
/ /
/ // / , / / _ / // / /| / / / //// || // //___// |/ /_/
FourCore Labs (https://fourcore.vision) | Version: 1.1
Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: WdFilter.sys
InternalFileName: WdFilter
Company Name: Microsoft Corporation
FileDescription: Microsoft antimalware file system filter driver
ProductVersion: 4.18.2109.6
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [antimalware malware]
Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: hvsifltr.sys.mui
InternalFileName: hvsifltr.sys
Company Name: Microsoft Corporation
FileDescription: Microsoft Defender Application Guard Filter Driver
ProductVersion: 10.0.19041.1
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [defender]
Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: wdnisdrv.sys
InternalFileName: wdnisdrv.sys
Company Name: Microsoft Corporation
FileDescription: Windows Defender Network Stream Filter
ProductVersion: 4.18.2109.6
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [defender]

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security
  • Symantec Security
  • Crowdstrike Security
  • Mcafee Security
  • Cylance Security
  • Carbon Black
  • SentinelOne
  • FireEye
  • Elastic EDR

More to be added soon

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

13 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

13 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago