Last Updated on Sun Oct 10, 2021
Red Team Adventure: Digging into Windows Endpoints for EDRs and profit
With a barrage of Endpoint Detection and Response Systems (EDRs) and Antivirus Solutions available in the market for Windows Endpoints, there has been an essential need to fingerprint these installed solutions on the target endpoints during red teaming operations. This information proves vital in tailor-making custom exploits and attack techniques for successful infiltration and operation on the targets. To tackle this need, we have released EDRHunt, a utility to scan and identify installed EDRs and AVs on Windows endpoints by querying services, drivers, running processes and registry keys.
At FourCore Labs, we primarily work with the Go programming language, and EDRHunt is no exception. Go has been an excellent fit for Windows development: it gives convenient access to native Windows APIs, has good cross-compilation support, and is an easy language for developers to pick up quickly. Therefore, EDRHunt is also available as a package that can be integrated into other security tooling and infrastructure.
To download the package:
```
$ go get "github.com/FourCoreLabs/EDRHunt/pkg/edrRecon"
```
We believe in giving back to the open-source community, so EDRHunt is completely open source under the MIT License. We build releases for windows/amd64; you can download the latest release on GitHub.
Needles in the Windows haystack
The task is to find all the EDRs installed on a Windows system. We start by looking at all the places where they can show up: services, registry keys, drivers and running processes.
Instead of running Windows CLI commands to collect this information, we issue WMI queries over COM and call native APIs to enumerate installed drivers. The primary reason is to avoid runtime detection of executed commands by AVs.
Let us take the case of Windows Defender and the traces it has across the installed services, processes, drivers and registry keys.
Scan all the installed services by executing `.\EDRHunt.exe -s`. We can identify important keywords, including `msmpeng`, which implies that Windows Defender services are running on the system.

```
$ .\EDRHunt.exe -s

   [EDRHunt ASCII-art banner]

FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[SERVICES]

...

Suspicious Service Name: SecurityHealthService
Display Name: Windows Security Service
...
Matched Keyword: [securityhealthservice]


Suspicious Service Name: Sense
Display Name: Windows Defender Advanced Threat Protection Service
...
Matched Keyword: [defender threat]


Suspicious Service Name: WdNisSvc
Display Name: Microsoft Defender Antivirus Network Inspection Service
...
Matched Keyword: [antivirus defender nissrv]


Suspicious Service Name: WinDefend
Display Name: Microsoft Defender Antivirus Service
...
Matched Keyword: [antimalware antivirus defender malware msmpeng]
...
```
Scan all the running processes by executing `.\EDRHunt.exe -p`. We can identify important keywords, including `msmpeng`, implying that Windows Defender processes are running on the system.

```
$ .\EDRHunt.exe -p

   [EDRHunt ASCII-art banner]

FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
...
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
...
Matched Keyword: [nissrv]

Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
...
Matched Keyword: [securityhealthservice]
...
```
To take it a step further, we can also scan the installed drivers and their file metadata to identify drivers installed by antivirus solutions, by executing `.\EDRHunt.exe -d`. Here we can identify various important keywords, including `antimalware`, which implies Windows Defender is running on the system.

```
$ .\EDRHunt.exe -d

   [EDRHunt ASCII-art banner]

FourCore Labs (https://fourcore.io) | Version: 1.0

Running in user mode, escalate to admin for more details.
[DRIVERS]
Suspicious Driver Module: WdFilter.sys
Driver FilePath: c:\windows\system32\drivers\wd\wdfilter.sys
Driver File Metadata:
    ProductName: Microsoft® Windows® Operating System
    OriginalFileName: WdFilter.sys
    InternalFileName: WdFilter
    Company Name: Microsoft Corporation
    FileDescription: Microsoft antimalware file system filter driver
    ProductVersion: 4.18.2109.6
    Comments:
    LegalCopyright: © Microsoft Corporation. All rights reserved.
    LegalTrademarks:
Matched Keyword: [antimalware malware]

Suspicious Driver Module: hvsifltr.sys
Driver FilePath: c:\windows\system32\drivers\hvsifltr.sys
Driver File Metadata:
    ProductName: Microsoft® Windows® Operating System
    OriginalFileName: hvsifltr.sys.mui
    InternalFileName: hvsifltr.sys
    Company Name: Microsoft Corporation
    FileDescription: Microsoft Defender Application Guard Filter Driver
    ProductVersion: 10.0.19041.1
    Comments:
    LegalCopyright: © Microsoft Corporation. All rights reserved.
    LegalTrademarks:
Matched Keyword: [defender]
```
Similarly, we have built heuristic detections for all the captured metadata for Windows Defender and 8+ other EDRs. Using this knowledge, we can successfully fingerprint a system for installed EDRs and AV solutions.
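The matching step behind the output above, written out as an added example (not EDRHunt's own code): each enumerated service, process or driver is reduced to its text fields, checked against a keyword-to-product table, and the hits are rolled up into the per-product summary. The keyword table is an illustrative subset drawn from the matched keywords shown above, and the sample artifacts are constructed; the same check lets a defender confirm that the expected agent is actually present on a host.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// keywords maps each lowercase indicator to the product it betrays. Illustrative
// subset built from keywords visible in the output above, not the project's own list.
var keywords = map[string]string{
	"defender": "Windows Defender", "msmpeng": "Windows Defender", "nissrv": "Windows Defender",
	"wdfilter": "Windows Defender", "antimalware": "Windows Defender", "kaspersky": "Kaspersky Security",
}
// matchKeywords takes the text fields of one service, process or driver (name, display name,
// description, path, file metadata) and returns every indicator found as a case-insensitive
// substring, sorted: the per-item "Matched Keyword: [...]" line.
func matchKeywords(fields ...string) []string {
	blob := strings.ToLower(strings.Join(fields, " "))
	var out []string
	for kw := range keywords {
		if strings.Contains(blob, kw) {
			out = append(out, kw)
		}
	}
	sort.Strings(out)
	return out
}
// detectProducts rolls keyword hits across all artifacts up to deduplicated, sorted
// product names: the "Detected EDR:" summary printed by the scan subcommand.
func detectProducts(artifacts [][]string) []string {
	seen := map[string]bool{}
	var found []string
	for _, a := range artifacts {
		for _, kw := range matchKeywords(a...) {
			if p := keywords[kw]; !seen[p] {
				seen[p], found = true, append(found, p)
			}
		}
	}
	sort.Strings(found)
	return found
}
func main() {
	sample := [][]string{ // constructed from entries in the output above, plus a benign service
		{"WinDefend", "Microsoft Defender Antivirus Service", "MsMpEng.exe"},
		{"WdFilter.sys", "Microsoft antimalware file system filter driver"},
		{"Spooler", "Print Spooler", "spoolsv.exe"},
	}
	fmt.Println(matchKeywords(sample[0]...), detectProducts(sample)) // [defender msmpeng] [Windows Defender]
}
```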
EDR Detections Currently Available:
- Windows Defender
- Kaspersky Security
- Symantec Security
- Crowdstrike Security
- Mcafee Security
- Cylance Security
- Carbon Black
Go produces compiled native binaries. We generate windows/amd64 binaries with GitHub Actions, but the vanilla binaries are quickly flagged as malicious by AVs because of the detection keywords packaged inside them.
We use the Go tool Garble to keep scanners from flagging the executable because of the heuristic detection data packaged with the binary. Garble obfuscates all the literals present in the compiled binary and decodes them at runtime, which prevents static binary scanners from flagging it.
The releases on GitHub are built using Garble with the `-literals` flag to remove the pesky strings that flag the binary.
- Find installed EDRs

```
$ .\EDRHunt.exe scan
[EDR]
Detected EDR: Windows Defender
Detected EDR: Kaspersky Security
```
- Scan everything

```
$ .\EDRHunt.exe all
Running in user mode, escalate to admin for more details.
Scanning processes, services, drivers, and registry...
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]
...
```
- Find processes matching EDR keywords

```
$ .\EDRHunt.exe -p
Running in user mode, escalate to admin for more details.
[PROCESSES]

Suspicious Process Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
ProcessID: 6764
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [msmpeng]


Suspicious Process Name: NisSrv.exe
Description: NisSrv.exe
Caption: NisSrv.exe
Binary:
ProcessID: 9840
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [nissrv]


Suspicious Process Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
ProcessID: 13720
Parent Process: 1148
Process CmdLine :
File Metadata:
Matched Keyword: [securityhealthservice]
...
```
- Find services matching EDR keywords

```
$ .\EDRHunt.exe -s
```

- Find drivers matching EDR keywords

```
$ .\EDRHunt.exe -d
```

- Find registry keys matching EDR keywords

```
$ .\EDRHunt.exe -r
```
Kudos to the developers of Invoke-EDRChecker, SharpEDRChecker and Registry-Recon.