Tools for analyzing EDR agents. For details, see our blog post.
- ESDump - macOS Endpoint Security client that dumps events to
stdout - NEDump - macOS content filter provider that dumps socket flow data to
stdout - attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
- dump_ebpf.sh - Linux eBPF program and map enumeration script
- hook.py - Frida loader with scripts for inspecting key macOS monitoring functions
- ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
- SIP must be disabled on the host for ESDump to work.
- The NEDump app bundle must be copied to
/Applications/to work.
- Any of the phantom_v1 can be compiled on Linux using the Makefile.
- To use dump_ebpf.sh, bpftool must be installed.
- The frida Python package is required by hook.py.
- NEDump is based on LuLu from Objective-See
- Phantom V1 was created by Rex Guo and Junyuan Zeng for DEF CON 29.
- The es_subscribe Frida script is heavily based on Red Canary's Mac Monitor wiki and es_subscribe script.