{"id":20790963,"url":"https://github.com/outflanknl/edr-internals","last_synced_at":"2025-04-10T02:22:35.395Z","repository":{"id":242553063,"uuid":"809551964","full_name":"outflanknl/edr-internals","owner":"outflanknl","description":"Tools for analyzing EDR agents","archived":false,"fork":false,"pushed_at":"2024-06-10T10:59:28.000Z","size":38,"stargazers_count":222,"open_issues_count":0,"forks_count":20,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-02T18:13:04.627Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/outflanknl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-03T01:46:12.000Z","updated_at":"2025-03-30T06:54:20.000Z","dependencies_parsed_at":"2024-06-10T12:29:51.991Z","dependency_job_id":"7d7ea3be-98f4-49fe-b596-c751d89c8150","html_url":"https://github.com/outflanknl/edr-internals","commit_stats":null,"previous_names":["outflanknl/edr-internals"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2Fedr-internals","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2Fedr-internals/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2Fedr-internals/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2Fedr-internals/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/outflanknl","download_url":"https://codeload.github.com/outflanknl/edr-internals/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248143232,"owners_count":21054733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T15:39:37.699Z","updated_at":"2025-04-10T02:22:35.345Z","avatar_url":"https://github.com/outflanknl.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# EDR Internals\n\nTools for analyzing EDR agents. For details, see our [blog post](https://www.outflank.nl/blog/2024/06/03/edr-internals-macos-linux/).\n\n* ESDump - macOS [Endpoint Security](https://developer.apple.com/documentation/endpointsecurity) client that dumps events to `stdout`\n* NEDump - macOS [content filter provider](https://developer.apple.com/documentation/networkextension/content_filter_providers) that dumps socket flow data to `stdout`\n* attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the [Phantom V1](https://github.com/rexguowork/phantom-attack/tree/main/phantom_v1) TOCTOU vulnerability\n* dump_ebpf.sh - Linux [eBPF](https://ebpf.io/what-is-ebpf/) program and map enumeration script\n* hook.py - [Frida](https://frida.re/) loader with [scripts](frida_scripts/) for inspecting key macOS monitoring functions\n\n## Usage\n\n* ESDump and NEDump can be compiled on macOS using [CMakeLists.txt](CMakeLists.txt) or you can download a precompiled [release](https://github.com/outflanknl/edr-internals/releases).\n    * SIP must be [disabled](https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection) on the host for ESDump to work.\n    * The NEDump app bundle must be copied to `/Applications/` to work.\n* Any of the phantom_v1 can be compiled on Linux using the [Makefile](phantom_v1/Makefile).\n* To use dump_ebpf.sh, [bpftool](https://github.com/libbpf/bpftool) must be installed.\n* The [frida](https://pypi.org/project/frida/) Python package is required by hook.py.\n\n## Credits\n\n* NEDump is based on [LuLu](https://github.com/objective-see/LuLu) from [Objective-See](https://objective-see.org/)\n* [Phantom V1](https://github.com/rexguowork/phantom-attack/tree/main/phantom_v1) was created by [Rex Guo](https://twitter.com/xiaofei_rex) and [Junyuan Zeng](https://scholar.google.com.au/citations?user=hfFxWxMAAAAJ) for [DEF CON 29](https://www.youtube.com/watch?v=yaAdM8pWKG8). \n* The [es_subscribe](frida_scripts/es_subscribe.js) Frida script is heavily based on Red Canary's Mac Monitor [wiki](https://github.com/redcanaryco/mac-monitor/wiki/8.-Endpoint-Security-DYLIB#an-arbitrary-clients-event-subscriptions) and es_subscribe [script](https://gist.github.com/Brandon7CC/e5e54978b1484fd09f5e201a4fd9dbfc).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2Fedr-internals","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutflanknl%2Fedr-internals","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2Fedr-internals/lists"}