Red Team Adventure: Digging into Windows Endpoints for EDRs and profit

Written by Hardik Manocha
Co-founder @ FourCore
EDRHunt for discovering EDR on Windows

With the barrage of Endpoint Detection and Response systems (EDRs) and antivirus solutions available for Windows endpoints, there is a real need to fingerprint the solutions installed on target endpoints during red team operations. This information is vital for tailor-making custom exploits and attack techniques so that infiltration and operation on the targets succeed. To meet this need, we have released EDRHunt, a utility that scans Windows endpoints and identifies installed EDRs and AVs by querying services, drivers, running processes and registry keys.

At FourCore Labs we primarily work with the Go programming language, and EDRHunt is no exception. Go has been an excellent fit for Windows development: it gives convenient access to native Windows APIs, has good cross-compilation support, and is easy for developers to pick up quickly. EDRHunt is therefore also available as a package that can be integrated into other security tooling and infrastructure.

To download the package:

$ go get "github.com/FourCoreLabs/EDRHunt/pkg/edrRecon"

We believe in giving back to the open-source community, so EDRHunt is completely open source under the MIT License. We build releases for windows/amd64; you can download the latest release on GitHub.


Needles in the Windows haystack

To find all the EDRs installed on a Windows system, start by looking at every place where they can show up: services, registry keys, drivers and running processes.

Instead of running Windows CLI commands to collect this information, we run WMI queries over COM and use native APIs to enumerate installed drivers. The primary reason is to avoid runtime detection by AVs of the commands we would otherwise have to execute.

Let us take the case of Windows Defender and the traces it has across the installed services, processes, drivers and registry keys.

Services

Scan all the installed services by executing .\EDRHunt.exe -s. We can identify important keywords, including securityhealthservice and msmpeng, which imply that Windows Defender services are running on the system.

$ .\EDRHunt.exe -s

    __________  ____     __  ____  ___   ________
   / ____/ __ \/ __ \   / / / / / / / | / /_  __/
  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / /
 / /___/ /_/ / _, _/  / __  / /_/ / /|  / / /
/_____/_____/_/ |_|  /_/ /_/\____/_/ |_/ /_/


FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[SERVICES]

...

Suspicious Service Name: SecurityHealthService
Display Name: Windows Security Service
...
Matched Keyword: [securityhealthservice]


Suspicious Service Name: Sense
Display Name: Windows Defender Advanced Threat Protection Service
...
Matched Keyword: [defender threat]


Suspicious Service Name: WdNisSvc
Display Name: Microsoft Defender Antivirus Network Inspection Service
...
Matched Keyword: [antivirus defender nissrv]


Suspicious Service Name: WinDefend
Display Name: Microsoft Defender Antivirus Service
...
Matched Keyword: [antimalware antivirus defender malware msmpeng]
...

Processes

Scan all the running processes by executing .\EDRHunt.exe -p. We can identify important keywords, including nissrv and msmpeng, which imply that Windows Defender processes are running on the system.

$ .\EDRHunt.exe -p

    __________  ____     __  ____  ___   ________
   / ____/ __ \/ __ \   / / / / / / / | / /_  __/
  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / /
 / /___/ /_/ / _, _/  / __  / /_/ / /|  / / /
/_____/_____/_/ |_|  /_/ /_/\____/_/ |_/ /_/


FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
...
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
...
Matched Keyword: [nissrv]

Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
...
Matched Keyword: [securityhealthservice]
...

Drivers

To take it a step further, we can also scan the installed drivers and their file metadata to identify drivers installed by antivirus solutions, by executing .\EDRHunt.exe -d. Here we can identify several important keywords, including defender and antimalware, which imply that Windows Defender is running on the system.

$ .\EDRHunt.exe -d
    __________  ____     __  ____  ___   ________
   / ____/ __ \/ __ \   / / / / / / / | / /_  __/
  / __/ / / / / /_/ /  / /_/ / / / /  |/ / / /
 / /___/ /_/ / _, _/  / __  / /_/ / /|  / / /
/_____/_____/_/ |_|  /_/ /_/\____/_/ |_/ /_/

FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
        ProductName: Microsoft® Windows® Operating System
        OriginalFileName: WdFilter.sys
        InternalFileName: WdFilter
        Company Name: Microsoft Corporation
        FileDescription: Microsoft antimalware file system filter driver
        ProductVersion: 4.18.2109.6
        Comments:
        LegalCopyright: © Microsoft Corporation. All rights reserved.
        LegalTrademarks:
Matched Keyword: [antimalware malware]

Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
        ProductName: Microsoft® Windows® Operating System
        OriginalFileName: hvsifltr.sys.mui
        InternalFileName: hvsifltr.sys
        Company Name: Microsoft Corporation
        FileDescription: Microsoft Defender Application Guard Filter Driver
        ProductVersion: 10.0.19041.1
        Comments:
        LegalCopyright: © Microsoft Corporation. All rights reserved.
        LegalTrademarks:
Matched Keyword: [defender]

Detection

Similarly, we have built heuristic detections over all of the captured metadata for Windows Defender and 8+ other EDRs. Using this knowledge, we can reliably fingerprint a system for installed EDR and AV solutions.

EDR Detections Currently Available:

  • Windows Defender
  • Kaspersky Security
  • Symantec Security
  • Crowdstrike Security
  • Mcafee Security
  • Cylance Security
  • Carbon Black
  • SentinelOne
  • FireEye
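
The keyword heuristic these detections rely on, as an added example in Go (not EDRHunt's own code): each enumerated artifact's metadata is flattened to lower-case text and checked for case-insensitive substring hits, using only the Windows Defender keywords visible in the scan output above. The sample records, the grouping of keywords per product and the MsMpEng.exe path are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Artifact is one enumerated item with the metadata fields a scan inspects.
type Artifact struct {
	Kind   string   // "service", "process" or "driver"
	Name   string   // service name, image name or driver module
	Fields []string // display name, description, binary path, file metadata ...
}

// Windows Defender keywords as they appear in the scan output above;
// grouping them per product like this is an assumption of this example.
var defenderKeywords = []string{"antimalware", "antivirus", "defender",
	"malware", "msmpeng", "nissrv", "securityhealthservice", "threat"}

// MatchKeywords returns the sorted keywords found anywhere in the artifact's
// name or metadata. Substring matching means "antimalware" also yields
// "malware", exactly as in the WdFilter.sys output above.
func MatchKeywords(a Artifact, keywords []string) []string {
	blob := strings.ToLower(a.Name + " " + strings.Join(a.Fields, " "))
	var hits []string
	for _, kw := range keywords {
		if strings.Contains(blob, strings.ToLower(kw)) {
			hits = append(hits, kw)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleArtifacts returns constructed records modelled on the Defender
// output above; the MsMpEng.exe path is a placeholder, not a real location.
func SampleArtifacts() []Artifact {
	return []Artifact{
		{"service", "WinDefend", []string{"Microsoft Defender Antivirus Service", `<path-placeholder>\MsMpEng.exe`}},
		{"driver", "WdFilter.sys", []string{"Microsoft antimalware file system filter driver"}},
		{"process", "explorer.exe", []string{"Windows Explorer"}},
	}
}

func main() {
	for _, a := range SampleArtifacts() {
		if hits := MatchKeywords(a, defenderKeywords); len(hits) > 0 {
			fmt.Printf("Suspicious %s: %s\nMatched Keyword: %v\n\n", a.Kind, a.Name, hits)
		}
	}
}
```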

Obfuscation

Go produces compiled native binaries. We generate windows/amd64 binaries with GitHub Actions, but the vanilla binaries are quickly flagged as malicious by AVs because of the detection strings they contain.

We use the Go tool Garble to keep scanners from flagging the executable because of the heuristic detection data packaged in it. Garble obfuscates all the literals present in the compiled binary and decodes them at runtime, so static binary scanners find nothing to flag.

The releases on GitHub are built using Garble with the -literals flag to remove the pesky strings that get the binary flagged.

Usage

  • Find installed EDRs

$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security

  • Scan Everything

$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...

  • Find processes matching EDR keywords

$ .\EDRHunt.exe -p
Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]


Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
ProcessID: 13720
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [securityhealthservice]
...

  • Find services matching EDR keywords

$ .\EDRHunt.exe -s

  • Find drivers matching EDR keywords

$ .\EDRHunt.exe -d

  • Find registry keys matching EDR keywords

$ .\EDRHunt.exe -r

Inspiration

Kudos to the developers of Invoke-EDRChecker, SharpEDRChecker and Registry-Recon.