Pentesting tool EDRHunt (with download link)

admin, 2022-05-30 17:57:15 · 100 views · 2584 characters · 8 min 36 s read

EDRHunt scans Windows services, drivers, processes and the registry to find installed EDR (Endpoint Detection and Response) products.


Installation

  • Download the latest release from the Releases section. Releases are built for windows/amd64.

  • Install with Go

    • Requires Go 1.17+ on the system.

    • go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master

Usage

  • Find installed EDRs

$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security


  • Scan everything

$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]
Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]

Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...


  • Find drivers matching EDR keywords

[EDRHunt ASCII-art banner]
FourCore Labs (https://fourcore.vision) | Version: 1.1
Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
    ProductName: Microsoft® Windows® Operating System
    OriginalFileName: WdFilter.sys
    InternalFileName: WdFilter
    Company Name: Microsoft Corporation
    FileDescription: Microsoft antimalware file system filter driver
    ProductVersion: 4.18.2109.6
    Comments:
    LegalCopyright: © Microsoft Corporation. All rights reserved.
    LegalTrademarks:
Matched Keyword: [antimalware malware]

Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
    ProductName: Microsoft® Windows® Operating System
    OriginalFileName: hvsifltr.sys.mui
    InternalFileName: hvsifltr.sys
    Company Name: Microsoft Corporation
    FileDescription: Microsoft Defender Application Guard Filter Driver
    ProductVersion: 10.0.19041.1
    Comments:
    LegalCopyright: © Microsoft Corporation. All rights reserved.
    LegalTrademarks:
Matched Keyword: [defender]

Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata:
    ProductName: Microsoft® Windows® Operating System
    OriginalFileName: wdnisdrv.sys
    InternalFileName: wdnisdrv.sys
    Company Name: Microsoft Corporation
    FileDescription: Windows Defender Network Stream Filter
    ProductVersion: 4.18.2109.6
    Comments:
    LegalCopyright: © Microsoft Corporation. All rights reserved.
    LegalTrademarks:
Matched Keyword: [defender]
...


  • Find services matching EDR keywords

$ .\EDRHunt.exe -s

  • Find drivers matching EDR keywords

$ .\EDRHunt.exe -d

  • Find registry keys matching EDR keywords

$ .\EDRHunt.exe -r


EDR detections currently available:


  • Windows Defender

  • Kaspersky Security

  • Symantec Security

  • Crowdstrike Security

  • Mcafee Security

  • Cylance Security

  • Carbon Black

  • SentinelOne

  • FireEye
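To make the keyword-matching approach visible in the scan output above concrete, here is an added Go example (not EDRHunt's own code): it checks constructed driver metadata records against a small keyword table and, from a defender's side, also reports which expected products were not found on the host. The keyword table, the keyword-to-product mapping and the sample records are constructed here from the matches and product names shown on this page.

```go
package main

import (
	"sort"
	"strings"
)

// DriverInfo holds the metadata fields EDRHunt prints for a driver module.
type DriverInfo struct{ Module, FileDescription, ProductName string }

// Constructed keyword table (from the matches in the post's output): keyword -> EDR product.
var edrKeywords = map[string]string{
	"antimalware": "Windows Defender", "defender": "Windows Defender",
	"kaspersky": "Kaspersky Security", "crowdstrike": "Crowdstrike Security",
	"sentinel": "SentinelOne", "carbon black": "Carbon Black",
}

// MatchKeywords returns the keywords found (case-insensitively) in the driver's metadata, sorted.
func MatchKeywords(d DriverInfo) (hits []string) {
	text := strings.ToLower(d.Module + " " + d.FileDescription + " " + d.ProductName)
	for kw := range edrKeywords {
		if strings.Contains(text, kw) {
			hits = append(hits, kw)
		}
	}
	sort.Strings(hits)
	return hits
}

// DetectEDRs maps keyword hits across a driver inventory to distinct EDR products
// and lists expected products that were not seen (a missing sensor, defensively).
func DetectEDRs(drivers []DriverInfo, expected []string) (detected, missing []string) {
	seen := map[string]bool{}
	for _, d := range drivers {
		for _, kw := range MatchKeywords(d) {
			if name := edrKeywords[kw]; !seen[name] {
				seen[name] = true
				detected = append(detected, name)
			}
		}
	}
	sort.Strings(detected)
	for _, name := range expected {
		if !seen[name] {
			missing = append(missing, name)
		}
	}
	return detected, missing
}
```

A real collector would fill DriverInfo from the loaded-driver list and file version resources, which is the part EDRHunt automates.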

Download: https://github.com/FourCoreLabs/EDRHunt


Originally published on the WeChat public account 菜鸟学安全: "Pentesting tool EDRHunt (with download link)"

Reproduction must retain the link to this article (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/1065573.html