{
  "id": 13842142,
  "url": "https://github.com/FourCoreLabs/EDRHunt",
  "last_synced_at": "2025-07-11T14:30:48.233Z",
  "repository": {
    "id": 45532655,
    "uuid": "408582510",
    "full_name": "FourCoreLabs/EDRHunt",
    "owner": "FourCoreLabs",
    "description": "Scan installed EDRs and AVs on Windows",
    "archived": false,
    "fork": false,
    "pushed_at": "2023-09-14T04:50:10.000Z",
    "size": 2602,
    "stargazers_count": 551,
    "open_issues_count": 1,
    "forks_count": 83,
    "subscribers_count": 14,
    "default_branch": "master",
    "last_synced_at": "2024-08-05T17:30:40.389Z",
    "etag": null,
    "topics": ["infosec", "security", "security-tools"],
    "latest_commit_sha": null,
    "homepage": "https://www.fourcore.io/blogs/red-team-adventure-windows-endpoints-edr-edrhunt",
    "language": "Go",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "mit",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/FourCoreLabs.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE.md",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2021-09-20T19:57:47.000Z",
    "updated_at": "2024-07-30T11:54:21.000Z",
    "dependencies_parsed_at": "2024-06-18T16:50:48.984Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/FourCoreLabs/EDRHunt",
    "commit_stats": null,
    "previous_names": ["fourcorelabs/edrrecon"],
    "tags_count": 17,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FourCoreLabs%2FEDRHunt",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FourCoreLabs%2FEDRHunt/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FourCoreLabs%2FEDRHunt/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FourCoreLabs%2FEDRHunt/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FourCoreLabs",
    "download_url": "https://codeload.github.com/FourCoreLabs/EDRHunt/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 225729869,
      "owners_count": 17515180,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["infosec", "security", "security-tools"],
  "created_at": "2024-08-04T17:01:28.021Z",
  "updated_at": "2024-11-21T12:30:56.873Z",
  "avatar_url": "https://github.com/FourCoreLabs.png",
  "language": "Go",
  "funding_links": [],
  "categories": ["Go"],
  "sub_categories": [],
  "readme": "# EDRHunt\n\n[![goreleaser](https://github.com/fourcorelabs/edrhunt/actions/workflows/goreleaser.yml/badge.svg)](https://github.com/fourcorelabs/edrhunt/actions/workflows/goreleaser.yml)\n\nEDRHunt scans Windows services, drivers, processes, the registry and WMI for installed EDRs (Endpoint Detection and Response). Read more about EDRHunt [here](https://www.fourcore.vision/blogs/red-team-adventure-windows-endpoints-edr-edrhunt).\n\n[![asciicast](https://asciinema.org/a/P8i99w9mI497qUPTNbdwYWcwQ.svg)](https://asciinema.org/a/P8i99w9mI497qUPTNbdwYWcwQ)\n\n## Install\n\n- Binary\n  - Download the latest release from the release section. Releases are built for windows/amd64.\n\n- Go\n  - Requires Go to be installed on the system. Tested on Go 1.17+.\n  - `go install github.com/fourcorelabs/edrhunt/cmd/EDRHunt@master`\n\n## Usage\n\n- Find installed EDRs\n\n```\n$ .\\EDRHunt.exe scan\n[EDR]\nDetected EDR: Windows Defender\nDetected EDR: Kaspersky Security\n```\n\n- Scan Everything\n\n```\n$ .\\EDRHunt.exe all\nRunning in user mode, escalate to admin for more details.\nScanning processes, services, drivers, wmi, and registry...\n[PROCESSES]\n\nSuspicious Process Name: MsMpEng.exe\nDescription: MsMpEng.exe\nCaption: MsMpEng.exe\nBinary:\nProcessID: 6764\nParent Process: 1148\nProcess CmdLine :\nFile Metadata:\nMatched Keyword: [msmpeng]\n\n\nSuspicious Process Name: NisSrv.exe\nDescription: NisSrv.exe\nCaption: NisSrv.exe\nBinary:\nProcessID: 9840\nParent Process: 1148\nProcess CmdLine :\nFile Metadata:\nMatched Keyword: [nissrv]\n...\n```\n\n- Find drivers matching EDR keywords (example output)\n\n```\n    __________  ____     __  ____  ___   ________\n   / ____/ __ \\/ __ \\   / / / / / / / | / /_  __/\n  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / /\n / /___/ /_/ / _, _/  / __  / /_/ / /|  / / /\n/_____/_____/_/ |_|  /_/ /_/\\____/_/ |_/ /_/\n\nFourCore Labs (https://fourcore.vision) | Version: 1.1\n\nRunning in user mode, escalate to admin for more details.\n[DRIVERS]\nSuspicious Driver Module: WdFilter.sys\nDriver FilePath: c:\\windows\\system32\\drivers\\wd\\wdfilter.sys\nDriver File Metadata:\n        ProductName: Microsoft® Windows® Operating System\n        OriginalFileName: WdFilter.sys\n        InternalFileName: WdFilter\n        Company Name: Microsoft Corporation\n        FileDescription: Microsoft antimalware file system filter driver\n        ProductVersion: 4.18.2109.6\n        Comments:\n        LegalCopyright: © Microsoft Corporation. All rights reserved.\n        LegalTrademarks:\nMatched Keyword: [antimalware malware]\n\nSuspicious Driver Module: hvsifltr.sys\nDriver FilePath: c:\\windows\\system32\\drivers\\hvsifltr.sys\nDriver File Metadata:\n        ProductName: Microsoft® Windows® Operating System\n        OriginalFileName: hvsifltr.sys.mui\n        InternalFileName: hvsifltr.sys\n        Company Name: Microsoft Corporation\n        FileDescription: Microsoft Defender Application Guard Filter Driver\n        ProductVersion: 10.0.19041.1\n        Comments:\n        LegalCopyright: © Microsoft Corporation. All rights reserved.\n        LegalTrademarks:\nMatched Keyword: [defender]\n\nSuspicious Driver Module: WdNisDrv.sys\nDriver FilePath: c:\\windows\\system32\\drivers\\wd\\wdnisdrv.sys\nDriver File Metadata:\n        ProductName: Microsoft® Windows® Operating System\n        OriginalFileName: wdnisdrv.sys\n        InternalFileName: wdnisdrv.sys\n        Company Name: Microsoft Corporation\n        FileDescription: Windows Defender Network Stream Filter\n        ProductVersion: 4.18.2109.6\n        Comments:\n        LegalCopyright: © Microsoft Corporation. All rights reserved.\n        LegalTrademarks:\nMatched Keyword: [defender]\n...\n```\n\n- Find services matching EDR keywords\n\n```\n$ .\\EDRHunt.exe -s\n```\n\n- Find drivers matching EDR keywords\n\n```\n$ .\\EDRHunt.exe -d\n```\n\n- Find registry keys matching EDR keywords\n\n```\n$ .\\EDRHunt.exe -r\n```\n\n- Find WMI repository keys matching EDR keywords\n\n```\n$ .\\EDRHunt.exe -w\n```\n\n## Detections\n\nEDR detections currently available:\n\n- Windows Defender\n- Kaspersky Security\n- Symantec Security\n- Crowdstrike Security\n- Mcafee Security\n- Cylance Security\n- Carbon Black\n- SentinelOne\n- FireEye\n- Elastic EDR\n- Qualys EDR\n- Trend Micro EDR\n- ESET EDR\n- Cybereason EDR\n- BitDefender EDR\n- Checkpoint EDR\n- Cynet EDR\n- DeepInstinct EDR\n- Sophos EDR\n- Fortinet EDR\n- MalwareBytes EDR\n- LimaCharlie Agent\n\nMore to be added soon.\n\n## Community\n\nWe would appreciate it if you ran EDRHunt on your own deployments and tested the detections! Thanks.\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFourCoreLabs%2FEDRHunt",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2FFourCoreLabs%2FEDRHunt",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFourCoreLabs%2FEDRHunt/lists"
}