/edr-internals

Tools for analyzing EDR agents

Primary LanguageC++GNU General Public License v3.0GPL-3.0

EDR Internals

Tools for analyzing EDR agents. For details, see our blog post.

  • ESDump - macOS Endpoint Security client that dumps events to stdout
  • NEDump - macOS content filter provider that dumps socket flow data to stdout
  • attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
  • dump_ebpf.sh - Linux eBPF program and map enumeration script
  • hook.py - Frida loader with scripts for inspecting key macOS monitoring functions

Usage

  • ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
    • SIP must be disabled on the host for ESDump to work.
    • The NEDump app bundle must be copied to /Applications/ to work.
  • Any of the phantom_v1 can be compiled on Linux using the Makefile.
  • To use dump_ebpf.sh, bpftool must be installed.
  • The frida Python package is required by hook.py.

Credits