EDR-Recon scans Windows services, drivers, processes, registry for installed EDRs.

EDR-Recon


Install

  • Binary

    • Download the latest release from the release section. Releases are built for windows/amd64.
  • Go

    • Requires Go to be installed on the system. Tested on Go 1.17+.
    • go install github.com/FourCoreLabs/edrRecon/cmd/edrRecon@master

Usage

  • Find installed EDRs
$ .\edrRecon.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
  • Scan Everything
$ .\edrRecon.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
  • Find processes matching EDR keywords
$ .\edrRecon.exe -p
Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]


Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
ProcessID: 13720
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [securityhealthservice]
...
  • Find services matching EDR keywords
$ .\edrRecon.exe -s
  • Find drivers matching EDR keywords
$ .\edrRecon.exe -d
  • Find registry keys matching EDR keywords
$ .\edrRecon.exe -r
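The keyword scan behind the commands above, written here as an added Go example rather than edrRecon's own code: one case-insensitive substring matcher over whatever fields an item exposes (so the same check serves processes, services, drivers and registry values), plus the deduplicated product set that the scan summary reports. The product-to-keyword table is an assumption: Defender's keywords are taken from the output above, Kaspersky's are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Product -> identifying substrings. Defender's entries echo the README output
// above; Kaspersky's are constructed for this example, not edrRecon's own list.
var signatures = map[string][]string{
	"Windows Defender":   {"msmpeng", "nissrv", "securityhealthservice"},
	"Kaspersky Security": {"kaspersky", "klif", "avp"},
}
// MatchKeywords returns product -> keywords found in the given fields (name, description,
// command line, driver path, registry value ...) by case-insensitive substring match.
func MatchKeywords(fields ...string) map[string][]string {
	hay := strings.ToLower(strings.Join(fields, " "))
	hits := map[string][]string{}
	for product, kws := range signatures {
		for _, kw := range kws {
			if strings.Contains(hay, kw) {
				hits[product] = append(hits[product], kw)
			}
		}
	}
	return hits
}

// DetectedEDRs collapses per-item hits into the deduplicated product set behind "Detected EDR: ...".
func DetectedEDRs(items [][]string) map[string]bool {
	found := map[string]bool{}
	for _, it := range items {
		for product := range MatchKeywords(it...) {
			found[product] = true
		}
	}
	return found
}

func main() {
	items := [][]string{ // constructed (name, description) inventory, not from a real host
		{"MsMpEng.exe", "MsMpEng.exe"},
		{"explorer.exe", "Windows Explorer"},
		{"AVP", "Kaspersky Anti-Virus Service"},
	}
	for _, it := range items {
		fmt.Printf("%-13s matched %v\n", it[0], MatchKeywords(it...))
	}
	fmt.Println("Detected EDRs:", DetectedEDRs(items))
}
```

Substring matching is deliberately loose: a short keyword such as the constructed avp will also hit unrelated names, so treat the per-item keyword list as evidence to review rather than a verdict.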

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security

More to be added soon.

Owner
FourCore Labs
We are a security startup working on offensive security.
Comments
  • Setup Obfuscation Tactic for EDRHunt constants. Garble, GoObfuscate fail to work properly.

    Tried using garble and gobfuscate to obfuscate string constants to prevent detections.

    garble

    Compiles successfully with the -literals flag but EDRHunt fails to find correct system data somehow? As garble is obfuscating strings of all the dependencies, it might happen that one of the libraries' strings might be getting incorrectly obfuscated? Not sure.

  • refactor: pass errors via multierror, pass context in CheckRegistry

    • Pass errors via multierror so that they can be compared against err != nil instead of using errArray.
    • Pass context from source in CheckRegistry instead of using context.Background().