Arsenal - EDRHunt
Time: 2023-04-18 14:56:55
EDRHunt scans Windows services, drivers, processes and the registry to find installed EDR (Endpoint Detection and Response) products.
Installation
- Download the latest release from the releases section. Releases are built for windows/amd64.
- Go install
- Requires Go 1.17+ to be installed on the system.
go install github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt@master
Usage
- Find installed EDRs
$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
- Scan everything
$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]
Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]
Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
- Find drivers matching EDR keywords
[EDRHunt ASCII-art banner]
FourCore Labs (https://fourcore.vision) | Version: 1.1
Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: WdFilter.sys
InternalFileName: WdFilter
Company Name: Microsoft Corporation
FileDescription: Microsoft antimalware file system filter driver
ProductVersion: 4.18.2109.6
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [antimalware malware]
Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: hvsifltr.sys.mui
InternalFileName: hvsifltr.sys
Company Name: Microsoft Corporation
FileDescription: Microsoft Defender Application Guard Filter Driver
ProductVersion: 10.0.19041.1
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [defender]
Suspicious Driver Module: WdNisDrv.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdnisdrv.sys
Driver File Metadata:
ProductName: Microsoft® Windows® Operating System
OriginalFileName: wdnisdrv.sys
InternalFileName: wdnisdrv.sys
Company Name: Microsoft Corporation
FileDescription: Windows Defender Network Stream Filter
ProductVersion: 4.18.2109.6
Comments:
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
Matched Keyword: [defender]
...
- Find services matching EDR keywords
$ .\EDRHunt.exe -s
- Find drivers matching EDR keywords
$ .\EDRHunt.exe -d
- Find registry keys matching EDR keywords
$ .\EDRHunt.exe -r
Currently available EDR detections:
- Windows Defender
- Kaspersky Security
- Symantec Security
- Crowdstrike Security
- Mcafee Security
- Cylance Security
- Carbon Black
- SentinelOne
- FireEye
https://github.com/FourCoreLabs/EDRHunt
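As an added example (not code from EDRHunt or from this post), here is the keyword-over-file-metadata check that the driver output above reflects, in Go, run on records transcribed from that output; DriverInfo, edrKeywords, MatchKeywords, DetectEDR and sampleDrivers are assumed names and the keyword table is a hypothetical subset built only from keywords visible on this page. A defender can run the same logic to audit that the expected EDR is really present on a host, and it shows why WdFilter.sys reports both "antimalware" and "malware": the match is a plain substring test, so it also flags anything whose description merely mentions malware.

```go
package main

import (
	"sort"
	"strings"
)

// DriverInfo holds the metadata fields EDRHunt prints for each driver.
type DriverInfo struct {
	Module, FilePath, ProductName, OriginalFileName, InternalFileName, CompanyName, FileDescription string
}
// edrKeywords is a hypothetical table built only from keywords and vendor names on this page.
var edrKeywords = map[string][]string{
	"Windows Defender":   {"defender", "msmpeng", "nissrv", "antimalware", "malware"},
	"Kaspersky Security": {"kaspersky"},
}
// MatchKeywords returns every keyword that occurs as a case-insensitive substring of the
// driver's name, path and version-resource fields; "malware" also fires inside "antimalware".
func MatchKeywords(d DriverInfo, keywords []string) []string {
	hay := strings.ToLower(strings.Join([]string{d.Module, d.FilePath, d.ProductName,
		d.OriginalFileName, d.InternalFileName, d.CompanyName, d.FileDescription}, " "))
	var matched []string
	for _, k := range keywords {
		if strings.Contains(hay, k) {
			matched = append(matched, k)
		}
	}
	return matched
}

// DetectEDR maps driver matches back to product names (sorted), which a coverage audit
// can compare against the product that is supposed to be installed on the host.
func DetectEDR(drivers []DriverInfo) []string {
	var out []string
	for product, kws := range edrKeywords {
		for _, d := range drivers {
			if len(MatchKeywords(d, kws)) > 0 {
				out = append(out, product)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}
// Constructed sample records, transcribed from the driver output shown above.
var sampleDrivers = []DriverInfo{
	{"WdFilter.sys", `c:\windows\system32\drivers\wd\wdfilter.sys`, "Microsoft® Windows® Operating System", "WdFilter.sys", "WdFilter", "Microsoft Corporation", "Microsoft antimalware file system filter driver"},
	{"hvsifltr.sys", `c:\windows\system32\drivers\hvsifltr.sys`, "Microsoft® Windows® Operating System", "hvsifltr.sys.mui", "hvsifltr.sys", "Microsoft Corporation", "Microsoft Defender Application Guard Filter Driver"},
}
```

On a real host the records would come from the driver list and each file's version resource; MatchKeywords and DetectEDR do not change.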