Golang port of SharpEDRChecker: EDRHunt

EDRHunt

goreleaser

EDRHunt scans Windows services, drivers, processes, registry for installed EDRs.

asciicast

Install

  • Binary

    • Download the latest release from the release section. Releases are built for windows/amd64.

  • Go

    • Requires Go to be installed on system. Tested on Go1.17+.
    • go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master

Usage

  • Find installed EDRs
$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
  • Scan Everything
$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
  • Find processes matching EDR keywords
$ .\EDRHunt.exe -p
Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]


Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
ProcessID: 13720
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [securityhealthservice]
...
  • Find services matching EDR keywords
$ .\EDRHunt.exe -s
  • Find drivers matching EDR keywords
$ .\EDRHunt.exe -d
  • Find registry keys matching EDR keywords
$ .\EDRHunt.exe -r

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security
  • Symantec Security
  • Crowdstrike Security
  • Mcafee Security
  • Cylance Security
  • Carbon Black
  • SentinelOne
  • FireEye

More to be added soon.

Community

Would appreciate if you ran EDRHunt on your own deployments and test the detections! Thanks.

Owner
FourCore Labs
We are a security startup working on offensive security.
FourCore Labs
https://github.com/FourCoreLabs/EDRHunt
Similar Resources

Portmantool - Port scanning and monitoring tool

portmantool Port scanning and monitoring tool Components runner while true do r

Feb 14, 2022

A probably paranoid Golang utility library for securely hashing and encrypting passwords based on the Dropbox method. This implementation uses Blake2b, Scrypt and XSalsa20-Poly1305 (via NaCl SecretBox) to create secure password hashes that are also encrypted using a master passphrase.

goSecretBoxPassword This is a Golang library for securing passwords it is based on the Dropbox method for password storage. The both passphrases are f

Jan 3, 2023

:key: Idiotproof golang password validation library inspired by Python's passlib

passlib for go Python's passlib is quite an amazing library. I'm not sure there's a password library in existence with more thought put into it, or wi

Dec 30, 2022

An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

Dec 30, 2022

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Jan 6, 2023

A template for creating new Golang + Docker + Canonical Domain + Badges + Renovate + Golangci + Goreleaser + CircleCI + ...

A template for creating new Golang + Docker + Canonical Domain + Badges + Renovate + Golangci + Goreleaser + CircleCI + ...

golang-repo-template 😄 golang-repo-template Usage foo@bar:~$ golang-repo-template hello world _

Dec 29, 2022

Build awesome Golang desktop apps and beautiful interfaces with Vue.js, React.js, Framework 7, and more...

Build awesome Golang desktop apps and beautiful interfaces with Vue.js, React.js, Framework 7, and more...

Guark Guark allows you to build beautiful user interfaces using modern web technologies such as Vue.js, React.js..., while your app logic handled and

Jan 1, 2023

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Nancy nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index, and as well, works with Nexus IQ Server

Dec 22, 2022

🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Finder Of XSS, and Dal(달) is the Korean pronunciation of moon. What is DalFox 🌘 🦊 DalFox is a fast, powerful parameter analysis and XSS scanner, bas

Jan 5, 2023
Comments
  • Setup Obfuscation Tactic for EDRHunt constants. Garble, GoObfuscate fails to work properly.

    Setup Obfuscation Tactic for EDRHunt constants. Garble, GoObfuscate fails to work properly.

    Tried using garble and gobfuscate to obfuscate string constants to prevent detections.

    garble

    Compiles successfully with the -literals flag but EDRHunt fails to find correct system data somehow? As garble is obfuscating strings of all the dependencies it might happen that one of the libraries strings might be getting incorrectly obfuscated? Not sure.

  • refactor: pass errors via multierror, pass context in CheckRegistry

    refactor: pass errors via multierror, pass context in CheckRegistry

    • Pass errors via multierror so that they can be compared against err != nil instead of using errArray.
    • Pass context from source in CheckRegistry instead of using context.Background()
Related tags
Security security infosec security-tools
Vishnu - Golang port-knocking PoC

Vishnu(The Hidden Backdoor) Taken from the Trimurit, the triple deity of supreme

Nov 9, 2022
Golang Port Knocking for Linux + Windows

Vishnu(The Hidden Backdoor) RS{JOIN_REDTEAM} Taken from the Trimurit, the triple deity of supreme divinity. Vishnu is known as "The Preserver". This p

Nov 9, 2022
A port scan and service weakpass brute tool build by golang.
 A port scan and service weakpass brute tool build by golang.

A port scan and service weakpass brute tool build by golang.

Jan 5, 2023
A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
 A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple to

Dec 31, 2022
MX1014 is a flexible, lightweight and fast port scanner.

MX1014 MX1014 是一个遵循 “短平快” 原则的灵活、轻便和快速端口扫描器 此工具仅限于安全研究和教学,用户承担因使用此工具而导致的所有法律和相关责任! 作者不承担任何法律和相关责任! Version 1.1.1 - 版本修改日志 Features 兼容 nmap 的端口和目标语法 支持各

Dec 19, 2022
A simple port scanner script.
 A simple port scanner script.

A-simple-port-scanner Description: A basic port scanner which checks if a port is opened, closed, or filtered. This scanner can be improved in many wa

Dec 18, 2021
Health-go - Web based app for health tracking and monitoring (Go port)

Health Web based app for health tracking and monitoring. Work in progress. Installation Clone the repository: git clone [email protected]:jonathantorr

Dec 31, 2021
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner
 Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

Jan 2, 2022
Go-basic-port-scanner: Scanning of TCP ports only
 Go-basic-port-scanner: Scanning of TCP ports only

go-basic-port-scanner Scanning of TCP ports only. Usage git clone https://git

Jan 22, 2022
This is simple repositry use to detect which port is open. It is a custom tool built in GO LANG.

dynamic-port-scanning-in-GO-lang This is simple repositry use to detect which port is open. It is a custom tool built in GO LANG. This is CUSTOM tool

Jan 25, 2022