Home / Unlabelled / EDRHunt - Scan Installed EDRs And AVs On Windows

EDRHunt - Scan Installed EDRs And AVs On Windows


EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.


Install

  • Binary

    • Download the latest release from the release section. Releases are built for windows/amd64.

  • Go

    • Requires Go to be installed on system. Tested on Go1.17+.
    • go install github.com/FourCoreLabs/EDRHunt/cmd/[email protected]

Usage

  • Find installed EDRs
$ .\EDRHunt.exe scan[EDR]Detected EDR: Windows DefenderDetected EDR: Kaspersky Security
  • Scan Everything
$ .\EDRHunt.exe allRunning in user mode, escalate to admin for more details.Scanning processes, services, drivers, and registry...[PROCESSES]Suspicious Process Name: MsMpEng.exeDescription: MsMpEng.exeCaption: MsMpEng.exeBinary:ProcessID: 6764Parent Process: 1148Process CmdLine :File Metadata:Matched Keyword: [msmpeng]Suspicious Process Name: NisSrv.exeDescription: NisSrv.exeCaption: NisSrv.exeBinary:ProcessID: 9840Parent Process: 1148Process CmdLine :File Metadata:Matched Keyword: [nissrv]...
  • Find drivers matching EDR keywords
Microsoft Corporation FileDescription: Microsoft antimalware file system filter driver ProductVersion: 4.18.2109.6 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks: Matched Keyword: [antimalware malware] Suspicious Driver Module: hvsifltr.sys Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys Driver File Metadata: ProductName: Microsoft® Windows® Operating System OriginalFileName: hvsifltr.sys.mui InternalFileName: hvsifltr.sys Company Name: Microsoft Corporation FileDescription: Microsoft Defender Application Guard Filter Driver ProductVersion: 10.0.19041.1 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks: Matched Keyword: [defender] Suspicious Driver Module: WdNisDrv.sys Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys Driver File Metadata: ProductName: Microsoft® Windows® Operating System OriginalFileName: wdnisdrv.sys InternalFileName: wdnisdrv.sys Company Name: Microsoft Corporation FileDescription: Windows Defender Network Stream Filter ProductVersion: 4.18.2109.6 Comments: LegalCopyright: © Microsoft Corporation. All rights reserved. LegalTrademarks: Matched Keyword: [defender] ...">
    __________  ____     __  ____  ___   ________   / ____/ __ \/ __ \   / / / / / / / | / /_  __/  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / / / /___/ /_/ / _, _/  / __  / /_/ / /|  / / //_____/_____/_/ |_|  /_/ /_/\____/_/ |_/ /_/FourCore Labs (https://fourcore.vision) | Version: 1.1Running in user mode, escalate to admin for more details.[DRIVERS]Suspicious Driver Module: WdFilter.sysDriver FilePath: c:\windows\system32\drivers\wd\wdfilter.sysDriver File Metadata:        ProductName: Microsoft® Windows® Operating System        OriginalFileName: WdFilter.sys        InternalFileName: WdFilter        Company Name: Microsoft Corporation        FileDescription: Microsoft antimalware file system filter driver        ProductVersion: 4.18.2109.6        Comments:        LegalCopyright: © Microsoft Corporation. All rights reserved.        LegalTrademark   s:Matched Keyword: [antimalware malware]Suspicious Driver Module: hvsifltr.sysDriver FilePath: c:\windows\system32\drivers\hvsifltr.sysDriver File Metadata:        ProductName: Microsoft® Windows® Operating System        OriginalFileName: hvsifltr.sys.mui        InternalFileName: hvsifltr.sys        Company Name: Microsoft Corporation        FileDescription: Microsoft Defender Application Guard Filter Driver        ProductVersion: 10.0.19041.1        Comments:        LegalCopyright: © Microsoft Corporation. All rights reserved.        LegalTrademarks:Matched Keyword: [defender]Suspicious Driver Module: WdNisDrv.sysDriver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sysDriver File Metadata:        ProductName: Microsoft® Windows® Operating System        OriginalFileName: wdnisdrv.sys        InternalFileName: wdnisdrv.sys        Company Name:    Microsoft Corporation        FileDescription: Windows Defender Network Stream Filter        ProductVersion: 4.18.2109.6        Comments:        LegalCopyright: © Microsoft Corporation. All rights reserved.        LegalTrademarks:Matched Keyword: [defender]...
  • Find services matching EDR keywords
$ .\EDRHunt.exe -s
  • Find drivers matching EDR keywords
$ .\EDRHunt.exe -d
  • Find registry keys matching EDR keywords
$ .\EDRHunt.exe -r

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security
  • Symantec Security
  • Crowdstrike Security
  • Mcafee Security
  • Cylance Security
  • Carbon Black
  • SentinelOne
  • FireEye
  • Elastic EDR

More to be added soon.

Community

Would appreciate if you ran EDRHunt on your own deployments and test the detections! Thanks.




Via: www.kitploit.com
EDRHunt - Scan Installed EDRs And AVs On Windows EDRHunt - Scan Installed EDRs And AVs On Windows Reviewed by Anónimo on 17:34 Rating: 5

Tags