outflanknl/edr-internals
Tools for analyzing EDR agents. For details, see our blog post.
- ESDump - macOS Endpoint Security client that dumps events to stdout
- NEDump - macOS content filter provider that dumps socket flow data to stdout
- attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
- dump_ebpf.sh - Linux eBPF program and map enumeration script
- hook.py - Frida loader with scripts for inspecting key macOS monitoring functions
- ESDump and NEDump can be compiled on macOS using CMakeLists.txt, or you can download a precompiled release.
- SIP must be disabled on the host for ESDump to work.
- The NEDump app bundle must be copied to /Applications/ to work (macOS only activates a system extension from an app bundle installed under /Applications).
- Any of the phantom_v1 POCs can be compiled on Linux using the Makefile.
- To use dump_ebpf.sh, bpftool must be installed, and the script must run as root: listing BPF programs and maps requires CAP_BPF or CAP_SYS_ADMIN.
- The frida Python package is required by hook.py.
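The enumeration that dump_ebpf.sh performs with bpftool produces two lists, programs and maps, that are only useful once joined: an EDR sensor is recognisable by its kprobe/tracepoint/LSM programs and by the ring buffer or perf array those programs write events into. The script below is an added example, not code from the edr-internals repository. It parses the JSON that `bpftool prog show --json` and `bpftool map show --json` emit, joins each program to the maps it references, and flags program types that sit on kernel hook points. The HOOK_TYPES set and the embedded sample output are assumptions: the sample is constructed to mirror bpftool's field names and was not captured from a real host. When bpftool is present and the process has the required privileges, the live output is used instead.

```python
"""Join bpftool program and map listings to spot eBPF-based EDR sensors.

Added example, not part of outflanknl/edr-internals. Works on the JSON from
`bpftool prog show --json` and `bpftool map show --json`.
"""
import json
import shutil
import subprocess

# Program types an EDR sensor typically uses to observe kernel events. This
# set is an assumption for the example; extend it for your own environment.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Constructed sample data mirroring bpftool's JSON field names (not captured
# from a real host). Used when bpftool is absent or cannot be run.
SAMPLE_PROGS = json.dumps([
    {"id": 12, "type": "tracepoint", "name": "sys_enter_execve", "tag": "0f1e2d3c4b5a6978",
     "gpl_compatible": True, "uid": 0, "bytes_xlated": 1280, "jited": True,
     "bytes_jited": 904, "bytes_memlock": 4096, "map_ids": [3, 4]},
    {"id": 15, "type": "kprobe", "name": "do_filp_open", "tag": "a1b2c3d4e5f60718",
     "gpl_compatible": True, "uid": 0, "bytes_xlated": 2048, "jited": True,
     "bytes_jited": 1500, "bytes_memlock": 8192, "map_ids": [3]},
    {"id": 21, "type": "sched_cls", "name": "tc_ingress", "tag": "ffeeddccbbaa9988",
     "gpl_compatible": True, "uid": 0, "bytes_xlated": 512, "jited": True,
     "bytes_jited": 300, "bytes_memlock": 4096},
])
SAMPLE_MAPS = json.dumps([
    {"id": 3, "type": "ringbuf", "name": "events", "flags": 0, "bytes_key": 0,
     "bytes_value": 0, "max_entries": 262144, "bytes_memlock": 266240, "frozen": 0},
    {"id": 4, "type": "hash", "name": "exec_cache", "flags": 0, "bytes_key": 4,
     "bytes_value": 64, "max_entries": 1024, "bytes_memlock": 94208, "frozen": 0},
])


def run_bpftool(kind):
    """Return the output of `bpftool <kind> show --json`, or None when bpftool
    is not installed or the call fails (usually: not root / no BPF access)."""
    if shutil.which("bpftool") is None:
        return None
    proc = subprocess.run(["bpftool", kind, "show", "--json"],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def summarize(prog_json, map_json):
    """Join programs to the maps they reference and flag kernel-hook types.

    Returns one dict per program, sorted by program id.
    """
    maps_by_id = {m["id"]: m for m in json.loads(map_json)}
    rows = []
    for prog in json.loads(prog_json):
        used = []
        for mid in prog.get("map_ids", []):
            m = maps_by_id.get(mid)
            # A map id missing from the map listing was probably deleted
            # between the two bpftool calls; report the id rather than a name.
            used.append(f'{m["name"]} ({m["type"]})' if m else f"id {mid} (unknown)")
        rows.append({
            "id": prog["id"],
            "name": prog.get("name", ""),   # bpftool omits name for unnamed programs
            "type": prog["type"],
            "is_hook": prog["type"] in HOOK_TYPES,
            "maps": used,
        })
    return sorted(rows, key=lambda r: r["id"])


def hook_program_ids(rows):
    """Ids of the programs attached to kernel hook points."""
    return [r["id"] for r in rows if r["is_hook"]]


def main():
    progs = run_bpftool("prog")
    maps = run_bpftool("map")
    if progs is None or maps is None:
        print("bpftool unavailable or not permitted; using constructed sample data")
        progs, maps = SAMPLE_PROGS, SAMPLE_MAPS
    for r in summarize(progs, maps):
        flag = "HOOK" if r["is_hook"] else "    "
        print(f'{flag} prog {r["id"]:>4} {r["type"]:<14} {r["name"]:<20} '
              f'maps: {", ".join(r["maps"]) or "-"}')


if __name__ == "__main__":
    main()
```

Once a hook program and its event map are identified, the next step on a real host is `bpftool prog dump xlated id <ID>` to read the program's instructions and `bpftool map dump id <ID>` to inspect its state; both need the same privileges as the listing.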
- NEDump is based on LuLu from Objective-See.
- Phantom V1 was created by Rex Guo and Junyuan Zeng for DEF CON 29.
- The es_subscribe Frida script is heavily based on Red Canary's Mac Monitor wiki and es_subscribe script.