EDRHunt

admin, 13 October 2023 22:26:34

####################

Disclaimer: a tool is neither good nor bad in itself. Please use this tool on the premise of complying with the Cybersecurity Law and related laws; it is provided to support research and learning and must not be used for illegal or criminal activity. Any loss caused by malicious use of this tool has nothing to do with me or the developers.

####################


EDRHunt scans Windows services, drivers, processes and the registry to find installed EDR (Endpoint Detection and Response) products.


Installation

  • Download the latest release from the Releases section. Releases are built for windows/amd64.

  • Go install

    • Requires Go 1.17+ installed on the system.

    • go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master

Usage

  • Find installed EDRs

$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security


  • Scan everything

$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]
Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]
Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...


  • Find drivers matching EDR keywords

(EDRHunt ASCII-art banner)
FourCore Labs (https://fourcore.vision) | Version: 1.1
Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
       ProductName: Microsoft® Windows® Operating System
       OriginalFileName: WdFilter.sys
       InternalFileName: WdFilter
       Company Name: Microsoft Corporation
       FileDescription: Microsoft antimalware file system filter driver
       ProductVersion: 4.18.2109.6
       Comments:
       LegalCopyright: © Microsoft Corporation. All rights reserved.
       LegalTrademarks:
Matched Keyword: [antimalware malware]
Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
       ProductName: Microsoft® Windows® Operating System
       OriginalFileName: hvsifltr.sys.mui
       InternalFileName: hvsifltr.sys
       Company Name: Microsoft Corporation
       FileDescription: Microsoft Defender Application Guard Filter Driver
       ProductVersion: 10.0.19041.1
       Comments:
       LegalCopyright: © Microsoft Corporation. All rights reserved.
       LegalTrademarks:
Matched Keyword: [defender]
Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata:
       ProductName: Microsoft® Windows® Operating System
       OriginalFileName: wdnisdrv.sys
       InternalFileName: wdnisdrv.sys
       Company Name: Microsoft Corporation
       FileDescription: Windows Defender Network Stream Filter
       ProductVersion: 4.18.2109.6
       Comments:
       LegalCopyright: © Microsoft Corporation. All rights reserved.
       LegalTrademarks:
Matched Keyword: [defender]
...


  • Find services matching EDR keywords

$ .\EDRHunt.exe -s


  • Find drivers matching EDR keywords

$ .\EDRHunt.exe -d


  • Find registry keys matching EDR keywords

$ .\EDRHunt.exe -r


Currently available EDR detections:

  • Windows Defender

  • Kaspersky Security

  • Symantec Security

  • Crowdstrike Security

  • Mcafee Security

  • Cylance Security

  • Carbon Black

  • SentinelOne

  • FireEye
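As an added illustration (not the project's code), this Go snippet mimics the keyword-matching step behind the output above: each process, service or driver record is compared, case-insensitively, against per-product keyword lists, and any product with a hit is reported as in the "[EDR]" summary. The Artifact type and the keyword lists are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Artifact is one scanned process, service or driver: its name plus file metadata.
type Artifact struct{ Name, FileDescription, ProductName, Company string }
// Product -> keywords matched against each artifact (illustrative assumption,
// not EDRHunt's own keyword tables).
var edrKeywords = map[string][]string{
	"Windows Defender":   {"msmpeng", "nissrv", "wdfilter", "wdnisdrv", "defender", "antimalware"},
	"Kaspersky Security": {"kaspersky", "klif"},
}

// MatchKeywords returns the keywords found in any field of the artifact,
// compared case-insensitively like EDRHunt's "Matched Keyword" lines.
func MatchKeywords(a Artifact, keywords []string) []string {
	hay := strings.ToLower(a.Name + " " + a.FileDescription + " " + a.ProductName + " " + a.Company)
	var hits []string
	for _, k := range keywords {
		if strings.Contains(hay, k) {
			hits = append(hits, k)
		}
	}
	return hits
}

// DetectEDR returns the sorted product names with at least one hit: the "[EDR]" summary.
func DetectEDR(artifacts []Artifact) []string {
	var found []string
	for product, keywords := range edrKeywords {
		for _, a := range artifacts {
			if len(MatchKeywords(a, keywords)) > 0 {
				found = append(found, product)
				break
			}
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// Constructed sample: WdFilter.sys from the page's output plus a driver that must not match.
	sample := []Artifact{{Name: "WdFilter.sys", FileDescription: "Microsoft antimalware file system filter driver"}, {Name: "tcpip.sys", FileDescription: "TCP/IP Driver"}}
	for _, p := range DetectEDR(sample) {
		fmt.Println("Detected EDR:", p)
	}
}
```

Keyword matching over file metadata is coarse: the page's own output shows hvsifltr.sys, the Application Guard filter, matching on "defender", so treat hits as leads to confirm rather than a definitive inventory.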

https://github.com/FourCoreLabs/EDRHunt



Originally published on the WeChat official account 菜鸟小新: EDRHunt

Posted by admin. Reprints should keep this link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2108959.html
