## EDR.cna ## Author: @r3dqu1nn ## Remotely query a system for EDR products ## Additions made by @_bin_Ash ## List of EDR drivers @edr = @("psepfilter.sys", "cbfsfilter2017.sys", "cve.sys", "atrsdfw.sys", "naswSP.sys", "aswSP.sys", "avgtpx86.sys", "avgtpx64.sys", "edrsensor.sys", "hbflt.sys", "bdsvm.sys", "gzflt.sys", "bddevflt.sys", "AVCKF.SYS", "Atc.sys", "AVC3.SYS", "TRUFOS.SYS", "BDSandBox.sys", "brfilter.sys", "BrCow_x_x_x_x.sys", "bemk.sys", "CarbonBlackK.sys", "parity.sys", "cbstream.sys", "cbk7.sys", "ctifile.sys", "epregflt.sys", "medlpflt.sys", "dsfa.sys", "cposfw.sys", "CiscoAMPCEFWDriver.sys", "CiscoAMPHeurDriver.sys", "cb", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "csacentr.sys", "rvsavd.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "im.sys", "CSDeviceControl.sys", "csagent.sys", "CSBoot.sys", "cspcm2.sys", "CybKernelTracker.sys", "CRExecPrev.sys", "CyOptics.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys.sys", "CyProtectDrv64.sys", "groundling32.sys", "groundling64.sys", "ElasticEndpoint.sys", "ElasticEndpointDriver.sys", "esensor.sys", "edevmon.sys", "ehdrv.sys", "FeKern.sys", "WFP_MRT.sys", "xfsgk.sys", "fsatp.sys", "fshs.sys", "fsgk.sys", "HexisFSMonitor.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "LRAgentMF.sys", "mbamwatchdog.sys", "mfeaskm.sys", "mfencfilter.sys", "epdrv.sys", "mfencoas.sys", "mfehidk.sys", "swin.sys", "hdlpflt.sys", "mfprom.sys", "MfeEEFF.sys", "libwamf.sys", "telam.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys", "eaw.sys", "SAFE-Agent.sys", "SentinelMonitor.sys", "SAVOnAccess.sys", "sld.sys", "SophosED.sys", "sntp.sys", "swi_callout.sys", "hmpalert.sys", "sdcfilter.sys", "SophosBootDriver.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter", "symevent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "SISIPSFileFilter.sys", "TMUMS.sys", "hfileflt.sys", "TMUMH.sys", "AcDriver.sys", "SakFile.sys", "SakMFile.sys", "fileflt.sys", "TmEsFlt.sys", "tmevtmgr.sys", "TmFileEncDmk.sys", "ndgdmk.sys", "dgdmk.sys", "ssfmonm.sys"); ## edr_query Command Register beacon_command_register("edr_query", "Queries the remote or local system for all major EDR products installed", "Syntax: edr_query [hostname] [arch]\n" . "Checks the local or remote system for installed EDR products. **Note: Use localhost for [hostname] to query the local system**"); ## edr_query alias alias edr_query { $bid = $1; if ($2 is $null) { blog($bid, "\c4Please enter a remote hostname or localhost!"); show_message("Please enter a remote hostname or localhost!"); } else if ($3 is $null) { blog($bid, "\c4Please enter a valid architechture!"); show_message("Please enter a valid architechture!"); } else if ($3 ismatch 'x64') { blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."..."); bls($bid, "\\\\". $2 ."\\C\$\\windows\\system32\\drivers", &list); } else if ($3 ismatch 'x86') { blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."..."); bls($bid, "\\\\". $2 ."\\C\$\\windows\\sysnative\\drivers", &list); } } sub query { $bid = $1; $dialog = dialog("EDR Query Menu", %(hostname => "Enter Remote HostName", Arch => ""), &EDR); dialog_description($dialog, "EDR Query Menu. Remotely query a system for EDR products. Hostname field (IP or Hostname) is Mandatory! **Note: Use localhost for the local system.**"); drow_text($dialog, "hostname", "Target HostName:"); drow_combobox($dialog, "Arch", "Target Architechture:", @("x86", "x64")); dbutton_action($dialog, "Execute"); dialog_show($dialog); } sub EDR { if ($3['hostname'] ismatch 'Enter Remote HostName') { show_message("Please enter a remote hostname or localhost!"); blog($bid, "\c4Please enter a remote hostname or localhost!"); } else if ($3['Arch'] ismatch 'x86') { bls($bid, "\\\\". $3['hostname'] ."\\C\$\\windows\\sysnative\\drivers", &list); blog($bid, "\cBDetermining what EDR products are installed on ". $3['hostname']. "..."); } else if ($3['Arch'] ismatch 'x64') { bls($bid, "\\\\". $3['hostname'] ."\\C\$\\windows\\system32\\drivers", &list); blog($bid, "\cBDetermining what EDR products are installed on ". $3['hostname']. "..."); } } #Parse dem results sub list { local('$entry $type $size $modified $name $out'); @results = split("\n", ["$3" trim]); @matches = @(); foreach $entry (@results) { ($type, $size, $modified, $name) = split("\t", $entry); if ($name in @edr) { blog($bid, "\cB$name Found"); add(@matches, $name, 0); } } $size = size(@matches); ## Print banner $out .= "\c4$size EDR Products Found!\n"; $out .= " \c0======================\n"; $out .= " | Vendor Information | \n"; $out .= "\c0 ----------------------"; ## Initial error checking if (size(@matches) == 0) { blog($bid, "\c9No EDR products found! Operate at your own risk!"); clear(@matches); } if (size(@matches) > 0) { blog($bid, $out); } ## Driver checking ### Absolute if ('psepfilter.sys' in @matches || 'cve.sys' in @matches || 'cbfsfilter2017.sys' in @matches) { blog($bid, "Absolute Found!"); } ### Altiris (Symantec) if ('atrsdfw.sys' in @matches) { blog($bid, "Altiris (Symantec) Found!"); } ### Avast if ('aswSP.sys' in @matches || 'naswSP.sys' in @matches) { blog($bid, "Avast Found!"); } ### AVG Technologies if ('avgtpx86.sys' in @matches || 'avgtpx64.sys' in @matches) { blog($bid, "AVG Technologies Found!"); } ## BitDefender if ('edrsensor.sys' in @matches || 'hbflt.sys' in @matches || 'bdsvm.sys' in @matches || 'gzflt.sys' in @matches || 'bddevflt.sys' in @matches || 'AVCKF.SYS' in @matches || 'Atc.sys' in @matches || 'AVC3.SYS' in @matches || 'TRUFOS.SYS' in @matches || 'BDSandBox.sys' in @matches) { blog($bid, "BitDefender Found!"); } ## Bromium if ('brfilter.sys' in @matches || 'BrCow_x_x_x_x.sys' in @matches || 'bemk.sys' in @matches) { blog($bid, "Bromium Found!"); } ### Carbon Black if ('CarbonBlackK.sys' in @matches || 'carbonblackk.sys' in @matches || "Parity.sys" in @matches || "cbk7.sys" in @matches || "cbstream.sys" in @matches || "ctifile.sys" in @matches) { blog($bid, "Carbon Black Found!"); } ### Check Point Software Technologies if ('epregflt.sys' in @matches || 'medlpflt.sys' in @matches || 'dsfa.sys' in @matches || 'cposfw.sys' in @matches || 'epklib.sys' in @matches) { blog($bid, "Check Point Software Technologies Found!"); } ### Cisco AMP if ('CiscoAMPCEFWDriver.sys' in @matches || 'CiscoAMPHeurDriver.sys' in @matches) { blog($bid, "Cisco AMP Found!") } ### Cisco Secure Endpoint if ('csacentr.sys' in @matches || 'csaenh.sys' in @matches || 'csareg.sys' in @matches || 'csascr.sys' in @matches || 'csaav.sys' in @matches || 'csaam.sys' in @matches) { blog($bid, "Cisco Found!"); } ### CJSC Returnil Software if ('rvsavd.sys' in @matches) { blog($bid, "CJSC Returnil Software Found!"); } ### Comodo Security Solutions if ('cfrmd.sys' in @matches || 'cmdccav.sys' in @matches || 'cmdguard.sys' in @matches || 'CmdMnEfs.sys' in @matches || 'MyDLPMF.sys' in @matches) { blog($bid, "Comodo Security Solutions Found!"); } ### CrowdStrike if ('im.sys' in @matches || 'CSAgent.sys' in @matches || 'CSBoot.sys' in @matches || 'CSDeviceControl.sys' in @matches || 'cspcm2.sys' in @matches) { blog($bid, "CrowdStrike Found!"); } ### CyberArk if ('CybKernelTracker.sys' in @matches || 'vfdrv.sys' in @matches || 'vfnet.sys' in @matches || 'vfpd.sys' in @matches ) { blog($bid, "CyberArk Software Found!"); } ### Cybereason if ('CRExecPrev.sys' in @matches) { blog($bid, "Cybereason Found!"); } ### Cylance Inc. if ('CyOptics.sys' in @matches || 'CyProtectDrv32.sys' in @matches || 'CyProtectDrv64.sys' in @matches) { blog($bid, "Cylance Inc. Found!"); } ### Dell Secureworks if ('groundling32.sys' in @matches || 'groundling64.sys' in @matches) { blog($bid, "Dell Secureworks Found!"); } ### Elastic Security for Endpoint if ('ElasticEndpoint.sys' in @matches || 'ElasticEndpointDriver.sys' in @matches) { blog($bid, "Elastic Security for Endpoint detected!") } ### Endgame if ('esensor.sys' in @matches) { blog($bid, "Endgame Found!"); } ### ESET if ('edevmon.sys' in @matches || 'ehdrv.sys' in @matches || 'eamonm.sys' in @matches || 'ekbdflt.sys' in @matches) { blog($bid, "ESET Found!"); } ### FireEye if ('FeKern.sys' in @matches || 'WFP_MRT.sys' in @matches) { blog($bid, "FireEye Found!"); } ### F-Secure if ('xfsgk.sys' in @matches || 'fsgk.sys' in @matches || 'fsatp.sys' in @matches || 'fshs.sys' in @matches) { blog($bid, "F-Secure Found!"); } ### Heix Cyber Solutions if ('HexisFSMonitor.sys' in @matches) { blog($bid, "Hexis Cyber Solutions Found!"); } ### Kaspersky if ('klifks.sys' in @matches || 'klifaa.sys' in @matches || 'Klifsm.sys' in @matches) { blog($bid, "Kaspersky Found!"); } ### LogRhythm if ('LRAgentMF.sys' in @matches) { blog($bid, "LogRhythm Found!"); } ### Malwarebytes if ('mbamwatchdog.sys' in @matches) { blog($bid, "Malwarebytes Found!"); } ### McAfee if ('mfeaskm.sys' in @matches || 'mfencfilter.sys' in @matches || 'epdrv.sys' in @matches || 'mfencoas.sys' in @matches || 'mfehidk.sys' in @matches || 'swin.sys' in @matches || 'hdlpflt.sys' in @matches || 'mfprom.sys' in @matches || 'MfeEEFF.sys' in @matches) { blog($bid, "McAfee Found!"); } ### OPSWAT Inc if ('libwamf.sys' in @matches) { blog($bid, "OPSWAT Inc Found!"); } ### Palo Alto if ('telam.sys' in @matches) { blog($bid, "Palo Alto Cortex Found!"); } ### Panda Security if ('PSINPROC.SYS' in @matches || 'PSINFILE.SYS' in @matches || 'amfsm.sys' in @matches || 'amm8660.sys' in @matches || 'amm6460.sys' in @matches) { blog($bid, "Panda Security Found!"); } ### Raytheon Cyber Solutions if ('eaw.sys' in @matches) { blog($bid, "Raytheon Cyber Solutions Found!"); } ### SAFE-Cyberdefense if ('SAFE-Agent.sys' in @matches) { blog($bid, "SAFE-Cyberdefense Found!"); } ### SentinelOne if ('SentinelMonitor.sys' in @matches) { blog($bid, "SentinelOne Found!"); } ### Sophos if ('SAVOnAccess.sys' in @matches || 'savonaccess.sys' in @matches || 'sld.sys' in @matches || 'SophosED.sys' in @matches || 'sntp.sys' in @matches || 'swi_callout.sys' in @matches || 'hmpalert.sys' in @matches || 'sdcfilter.sys' in @matches || 'SophosBootDriver.sys' in @matches) { blog($bid, "Sophos Found!"); } ### Symantec if ('pgpwdefs.sys' in @matches || 'GEProtection.sys' in @matches || 'diflt.sys' in @matches || 'sysMon.sys' in @matches || 'ssrfsf.sys' in @matches || 'emxdrv2.sys' in @matches || 'reghook.sys' in @matches || 'spbbcdrv.sys' in @matches || 'bhdrvx86.sys' in @matches || 'bhdrvx64.sys' in @matches || 'SISIPSFileFilter.sys' in @matches || 'symevent.sys' in @matches || 'vxfsrep.sys' in @matches || 'VirtFile.sys' in @matches || 'SymAFR.sys' in @matches || 'symefasi.sys' in @matches || 'symefa.sys' in @matches || 'symefa64.sys' in @matches || 'SymHsm.sys' in @matches || 'evmf.sys' in @matches || 'GEFCMP.sys' in @matches || 'VFSEnc.sys' in @matches || 'pgpfs.sys' in @matches || 'fencry.sys' in @matches || 'symrg.sys' in @matches) { blog($bid, "Symantec Found!"); } ### Trend Micro if ('TMUMS.sys' in @matches || 'hfileflt.sys' in @matches || 'TMUMH.sys' in @matches || 'AcDriver.sys' in @matches || 'SakFile.sys' in @matches || 'SakMFile.sys' in @matches || 'fileflt.sys' in @matches || 'TmEsFlt.sys' in @matches || 'tmevtmgr.sys' in @matches || 'TmFileEncDmk.sys' in @matches) { blog($bid, "Trend Micro Inc Found!"); } ### Verdasys if ('dgdmk.sys' in @matches || 'ndgdmk.sys' in @matches) { blog($bid, "Verdasys Inc. Found!"); } ### Webroot if ('ssfmonm.sys' in @matches) { blog($bid, "Webroot Software, Inc. Found!"); } } popup beacon_bottom { item "EDR Query" { query($1); } }