EDR Internals

Tools for analyzing EDR agents. For details, see our blog post.

ESDump - macOS Endpoint Security client that dumps events to stdout
NEDump - macOS content filter provider that dumps socket flow data to stdout
attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
dump_ebpf.sh - Linux eBPF program and map enumeration script
hook.py - Frida loader with scripts for inspecting key macOS monitoring functions

Usage

ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
- SIP must be disabled on the host for ESDump to work.
- The NEDump app bundle must be copied to /Applications/ to work.
Any of the phantom_v1 can be compiled on Linux using the Makefile.
To use dump_ebpf.sh, bpftool must be installed.
The frida Python package is required by hook.py.

NEDump is based on LuLu from Objective-See
Phantom V1 was created by Rex Guo and Junyuan Zeng for DEF CON 29.
The es_subscribe Frida script is heavily based on Red Canary's Mac Monitor wiki and es_subscribe script.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
ESDump		ESDump
NEDump		NEDump
attacks/phantom_v1		attacks/phantom_v1
external		external
frida_scripts		frida_scripts
.gitignore		.gitignore
.gitmodules		.gitmodules
CMakeLists.txt		CMakeLists.txt
LICENSE		LICENSE
README.md		README.md
dump_ebpf.sh		dump_ebpf.sh
hook.py		hook.py