Invoke-EDRChecker – Checks Running Processes, Process Metadata, Dlls Loaded Into Your Current Process And The Each DLLs Metadata, Common Install Directories, Installed Services, The Registry And Running Drivers For The Presence Of Known Defensive Products Such As AV’s, EDR’s And Logging Tools
The script will check running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AV's, EDR's and logging tools.
This script can be loaded into your C2 server as well for example in PoshC2, place the script into your modules directory, load the module then run it. Note: this script is now included in PoshC2 so no need to manually add it.
The script also has capacity to perform checks against remote targets if you have the privileges to do so, these checks are presently limited however to process checking, common install directories and installed services.
I will continue to add and improve the list when time permits. A full roadmap can be found below.
The C# version of this tool is much improved over the PowerShell version and can be found here:
Find me on twitter @PwnDexter for any issues or questions!
git clone https://github.com/PwnDexter/Invoke-EDRChecker.git
Once the script has been loaded into your host or C2 of choice, you can use the following commands:
Run the script against the local host and perform checks based on current user integrity:
Run the script and force registry checks to be performed (for use when you are not running as admin):
Run the script against a remote host, this test connectivity and try to resolve the hostname before running:
Invoke-EDRChecker -Remote <hostname>
To bypass the pre-checks for remote hosts use -Ignore flag to bypass connectivity checks
Invoke-EDRChecker -Remote <hostname> -Ignore
Example Output - Note: These screenshots need updated and this has only been tested on Windows 10, more testing to come.
If processes and drivers are hidden and still found:
If running as non-admin to show visibility difference:
Using EDR-Checker with PoshC2:
- - Add more EDR Products - never ending
- - Refine beta function for registry checking
- - Add in force reg check if not running as admin
- - Test across more Windows and .NET versions
- - Port to c# -
- - Clean up output
- - Get currently loaded DLL's in your current process
- - Get dll metadata of currently loaded dlls
- - Add remote host query capability
- - Add connectivity and DNS checks before performing edr checks
- - Add remote privilege checks before performing edr checks
- - Add installed services checks
- - Port to python for unix/macos support