EDR-Recon scans Windows services, drivers, processes, registry for installed EDRs.

Related tags

Network edrRecon
Overview

EDR-Recon

goreleaser

EDR-Recon scans Windows services, drivers, processes, registry for installed EDRs.

asciicast

Install

  • Binary

    • Download the latest release from the release section. Releases are built for windows/amd64.
  • Go

    • Requires Go to be installed on system. Tested on Go1.17+.
    • go install github.com/FourCoreLabs/edrRecon/cmd/[email protected]

Usage

  • Find installed EDRs
$ .\edrRecon.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
  • Scan Everything
$ .\edrRecon.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
  • Find processes matching EDR keywords
$ .\edrRecon.exe -p
Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]


Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
ProcessID: 13720
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [securityhealthservice]
...
  • Find services matching EDR keywords
$ .\edrRecon.exe -s
  • Find drivers matching EDR keywords
$ .\edrRecon.exe -d
  • Find registry keys matching EDR keywords
$ .\edrRecon.exe -r

Detections

EDR Detections Currently Available

  • Windows Defender
  • Kaspersky Security

More to be added soon.

Issues
Releases(v1.3.4)
Owner
FourCore Labs
We are a security startup working on offensive security.
FourCore Labs
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 15 Aug 3, 2022
A REST API for the DN42 registry, written in Go, to provide a bridge between interactive applications and the registry.

dn42regsrv A REST API for the DN42 registry, written in Go, to provide a bridge between interactive applications and registry data. A public instance

Simon Marsh 0 Apr 21, 2022
Snugger is a light weight but fast network recon scanner that is written from pure golang

Snugger is a light weight but fast network recon scanner that is written from pure golang. with this scann you can ARP your network, port scan hosts and host lists, as well as scan for BSSId

RE43P3R 2 May 19, 2022
Golang `net/rpc` over SSH using installed SSH program

Golang net/rpc over SSH using installed SSH program This package implements a helper functions to launch an RPC client and server. It uses the install

null 0 Nov 5, 2021
Run this bot on machine where your qbittorrent has been installed

Telegram bot for qbittorrent Run this bot on machine where your qbittorrent has been installed. Qbittorrent settings Activate Web Interface or use hea

Anton 0 Jan 13, 2022
Detect nmap TCP SYN scans (-sS) using gopacket in golang.

Setup Fetch dependencies using apt (PRs welcome for concise instructions for other package managers): sudo apt install libpcap-dev git clone https://

null 2 Apr 27, 2022
Scans a file or folder recursively for jar files that may be vulnerable to Log4Shell

Velocity A Minecraft server proxy with unparalleled server support, scalability, and flexibility. Velocity is licensed under the GPLv3 license. Goals

PaperMC 1.1k Aug 9, 2022
List running processes that are acting as DCE/RPC servers or clients

rpcls This project was made to assist in a larger research project. It pulls from a running process' PEB to enumerate the loaded DLLs. If a process im

Alex Flores 4 Apr 21, 2022
A service registry and service discovery implemention for kitex based on etcd

kitex etcd Introduction kitexetcd is an implemention of service registry and service discovery for kitex based on etcd. Installation go get -u github.

null 4 Feb 18, 2022
Command-line tool and library for Windows remote command execution in Go

WinRM for Go Note: if you're looking for the winrm command-line tool, this has been splitted from this project and is available at winrm-cli This is a

Brice Figureau 371 Aug 10, 2022
A Windows named pipe implementation written in pure Go.

npipe Package npipe provides a pure Go wrapper around Windows named pipes. Windows named pipe documentation: http://msdn.microsoft.com/en-us/library/w

Nate Finch 250 Aug 3, 2022
Automatically spawn a reverse shell fully interactive for Linux or Windows victim

Girsh (Golang Interactive Reverse SHell) Who didn't get bored of manually typing the few lines to upgrade a reverse shell to a full interactive revers

null 273 Aug 4, 2022
tidal discord rich presence for windows

discordtidal Remember when Discord added a Spotify integration and all of your friends started having fun with it, but then being the weirdo you are,

Nick 12 Jun 1, 2022
Optimize Windows's network/NIC driver settings for NewTek's NDI(Network-Device-Interface).

windows-ndi-optimizer[WIP] Optimize Windows's network/NIC driver settings for NewTek's NDI(Network-Device-Interface). How it works This is batchfile d

Nil Hiiragi 3 Apr 15, 2022
🦄️ 🎃 👻 Clash Premium 规则集(RULE-SET),兼容 ClashX Pro、Clash for Windows 客户端。

简介 本项目生成适用于 Clash Premium 内核的规则集(RULE-SET),同时适用于所有使用 Clash Premium 内核的 Clash 图形用户界面(GUI)客户端。使用 GitHub Actions 北京时间每天早上 6:30 自动构建,保证规则最新。 说明 本项目规则集(RUL

Loyalsoldier 5.4k Aug 9, 2022
Go wrapper around Device Console Windows tool.

go-devcon Go wrapper around the Windows Device Console (devcon.exe). go install github.com/mikerourke/go-devcon Introduction Here's a brief overview

Mike Rourke 0 Nov 4, 2021
Automatically update your Windows hosts file with the WSL2 VM IP address

Automatically update your Windows hosts file with the WSL2 VM IP address

null 1.3k Aug 8, 2022
Downloads the Windows 10 wallpapers provided by Microsoft.

microsoft-wallpapers Preparation Prepare an input file that contains a list of links from the Microsoft website that lead to wallpapers. This list is

River Wooley 0 Nov 29, 2021
A pair of local reverse proxies (one in Windows, one in Linux) for Tailscale on WSL2

tailscale-wsl2 TL;DR Running two reverse proxies (one in Windows, one in the WSL2 Linux VM), the Windows Tailscale daemon can be accessed via WSL2: $

Danny Hermes 25 Aug 10, 2022