Skip to content


Repository files navigation

EDR Internals

Tools for analyzing EDR agents. For details, see our blog post.

  • ESDump - macOS Endpoint Security client that dumps events to stdout
  • NEDump - macOS content filter provider that dumps socket flow data to stdout
  • attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
  • - Linux eBPF program and map enumeration script
  • - Frida loader with scripts for inspecting key macOS monitoring functions


  • ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
    • SIP must be disabled on the host for ESDump to work.
    • The NEDump app bundle must be copied to /Applications/ to work.
  • Any of the phantom_v1 can be compiled on Linux using the Makefile.
  • To use, bpftool must be installed.
  • The frida Python package is required by