Invoke-EDRChecker: Checks running processes, process metadata, Dlls loaded into your current process
Invoke-EDRChecker will check running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AV’s, EDR’s and logging tools.
This script can be loaded into your C2 server as well for example in PoshC2, place the script into your modules directory, load the module then run it. Note: this script is now included in PoshC2 so no need to manually add it.
The script also has the capacity to perform checks against remote targets if you have the privileges to do so, these checks are presently limited however to process checking, common install directories and installed services.
git clone https://github.com/PwnDexter/Invoke-EDRChecker.git
Once the script has been loaded into your host or C2 of choice, you can use the following commands:
Run the script against the local host and perform checks based on current user integrity:
Run the script and force registry checks to be performed (for use when you are not running as admin):
Run the script against a remote host, this test connectivity and try to resolve the hostname before running:
Invoke-EDRChecker -Remote <hostname>
To bypass the pre-checks for remote hosts use -Ignore flag to bypass connectivity checks
Invoke-EDRChecker -Remote <hostname> -Ignore
If processes and drivers are hidden and still found:
If running as non-admin to show visibility difference:
Using EDR-Checker with PoshC2:
Copyright (c) 2019, Ross
All rights reserved.