Comments (5)
That is a good point. We should also add a note for the ones that are running in the kernel only, like ATP. I will also add a note that some of them hook the target instead of the source (like Cisco AMP, which will monitor LSASS (DLL injected)).
from edrs.
Looks like the same for Tanium:
C:\Users\avtest\Downloads>hook_finder64.exe c:\Windows\System32\ntdll.dll
Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFC70990000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFC6EA00000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFC6E250000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFC6F110000.
------------------------------------------
BASE 0x00007FFC70990000 MZÉ
PE 0x00007FFC709900E8 PE
ExportTableOffset 0x00007FFC70AE1180
OffsetNameTable 0x00007FFC70AE37A4
Functions Count 0x97f (2431)
------------------------------------------
------------------------------------------
Completed
ATP:
C:\Users\avtest\Downloads>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FF83E930000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FF83D040000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FF83C290000.
C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FF839920000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FF83E490000.
------------------------------------------
BASE 0x00007FF83E930000 MZÉ
PE 0x00007FF83E9300E8 PE
ExportTableOffset 0x00007FF83EA81180
OffsetNameTable 0x00007FF83EA837A4
Functions Count 0x97f (2431)
------------------------------------------
------------------------------------------
Completed
from edrs.
Cisco Secure Endpoint (former AMP):
C:\Users\Admin\Downloads>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\Admin\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFD99D90000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFD99BF0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFD975D0000.
C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FFD94CE0000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFD99CB0000.
BASE 0x00007FFD99D90000 MZÉ
PE 0x00007FFD99D900E8 PE
ExportTableOffset 0x00007FFD99EE1180
OffsetNameTable 0x00007FFD99EE37A4
Functions Count 0x97f (2431)
Completed
from edrs.
Is Microsoft defender for endpoint basically identical to windows defender but with a central console?
More or less. Windows Defender is the (traditional) antivirus component of the MDE platform, the latter of which also incorporates the EDR features. Almost everything is consolidated into a central console, except for some Windows Defender antivirus settings that are still managed via SCCM or Intune.
from edrs.
Most of the bypasses that work on the standard version will work against the enterprise version. Keep in mind that, if you want to land your payload, these will help, but the tricky part is the post-exploitation detection capabilities added by MDE.
You need to evade it with whatever you do after execution too, not just on disk.
from edrs.