Light

outflanknl / edr-internals Goto Github PK

View Code? Open in Web Editor NEW

196.0 11.0 20.0 38 KB

Tools for analyzing EDR agents

License: GNU General Public License v3.0

CMake 3.57% C++ 63.29% Objective-C 8.19% Objective-C++ 2.32% Makefile 0.30% C 11.44% Shell 1.17% JavaScript 7.86% Python 1.86%

edr-internals's Introduction

EDR Internals

Tools for analyzing EDR agents. For details, see our blog post.

ESDump - macOS Endpoint Security client that dumps events to stdout
NEDump - macOS content filter provider that dumps socket flow data to stdout
attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
dump_ebpf.sh - Linux eBPF program and map enumeration script
hook.py - Frida loader with scripts for inspecting key macOS monitoring functions

Usage

ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
- SIP must be disabled on the host for ESDump to work.
- The NEDump app bundle must be copied to /Applications/ to work.
Any of the phantom_v1 can be compiled on Linux using the Makefile.
To use dump_ebpf.sh, bpftool must be installed.
The frida Python package is required by hook.py.

Credits

NEDump is based on LuLu from Objective-See
Phantom V1 was created by Rex Guo and Junyuan Zeng for DEF CON 29.
The es_subscribe Frida script is heavily based on Red Canary's Mac Monitor wiki and es_subscribe script.

edr-internals's People

Contributors

Stargazers

Watchers

Forkers

scriptidiot crackercat fckoo jiayuqi7813 som3one0 ar1ste1a yoclaire djayagit wisdark gavz abcheroworld chan-shaw msf-ntdll nathidotdev 0xrobert jzer-master psanjay679 tobey123 ongyuann

edr-internals's Issues

Consider citing original research

Hi Kyle,

I recently came across your blog here where you go through using Mac Monitor to show how we can intercept an arbitrary ES client making its event subscriptions.

Your blog does an excellent job showcasing how we can pull back the details on clients in this way :)

If possible, I'd also like to request that my original research here is cited for the libEndpointSecurity.dylib / Frida components:

Original RE work: https://github.com/redcanaryco/mac-monitor/wiki/8.-Endpoint-Security-DYLIB#an-arbitrary-clients-event-subscriptions
Original Frida script: https://gist.github.com/Brandon7CC/e5e54978b1484fd09f5e201a4fd9dbfc

Thank you and great job again!

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.