• Stars
    star
    325
  • Rank 129,350 (Top 3 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 1 year ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.

EDRaser

Usage Guide

EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.

Automated Mode

In automated mode, EDRaser scans the C class of a given address space of IPs for vulnerable systems and attacks them automatically. The attacks in auto mode are:

  • Remote deletion of webserver logs.
  • SysLog deletion (on Linux).
  • Local deletion of Windows Application event logs.
  • Remote deletion of Windows event logs.
  • VMX + VMDK deletion

To use EDRaser in automated mode, follow these steps:

python edraser.py --auto

Manual Mode

In manual mode, you can select specific attacks to launch against a targeted system, giving you greater control. Note that some attacks, such as VMX deletion, are for local machine only.

To use EDRaser in manual mode, you can use the following syntax:

python edraser.py --ip <ip_addr> --attack <attack_name> [--sigfile <signature file>]

Arguments:

  • --ip: scan IP addresses in the specified range and attack vulnerable systems (default: localhost).
  • --sigfile: use the specified encrypted signature DB (default: signatures.db).
  • --attack: attack to be executed. The following attacks are available: ['vmx', 'vmdk', 'windows_security_event_log_remote', 'windows_application_event_log_local', 'syslog', 'access_logs', 'remote_db', 'local_db', 'remote_db_webserver']

Optional arguments:

  • port : port of remote machine
  • db_username: the username of the remote DB.
  • db_password: the password of the remote DB.
  • db_type: type of the DB, EDRaser supports mysql, sqlite. (# Note that for sqlite, no username\password is needed)
  • db_name: the name of remote DB to be connected to
  • table_name: the name of remote table to be connected to
  • rpc_tools: path to the VMware rpc_tools

Example:

python edraser.py --attack windows_event_log --ip 192.168.1.133 

python EDRaser.py -attack remote_db -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10

DB web server

You can bring up a web interface for inserting and viewing a remote DB. it can be done by the following command: EDRaser.py -attack remote_db_webserver -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10

This will bring up a web server on the localhost:8080 address, it will allow you to view & insert data to a remote given DB. This feature is designed to give an example of a "Real world" scenario where you have a website that you enter data into it and it keeps in inside a remote DB, You can use this feature to manually insert data into a remote DB.

Available Attacks

In manual mode, EDRaser displays a list of available attacks. Here's a brief description of each attack:

  1. Windows Event Logs: Deletes Windows event logs from the remote targeted system.
  2. VMware Exploit: Deletes the VMX and VMDK files on the host machine. This attack works only on the localhost machine in a VMware environment by modifying the VMX file or directly writing to the VMDK files.
  3. Web Server Logs: Deletes access logs from web servers running on the targeted system by sending a malicious string user-agent that is written to the access-log files.
  4. SysLogs: Deletes syslog from Linux machines running Kaspersky EDR without being .
  5. Database: Deletes all data from the remotely targeted database.

More Repositories

1

pinjectra

Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
C++
785
star
2

SirepRAT

Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3)
Python
369
star
3

pwndsh

Post-exploitation framework (and an interactive shell) developed in Bash shell scripting
Shell
306
star
4

pacdoor

Proof-of-concept JavaScript malware implemented as a Proxy Auto-Configuration (PAC) File
Python
152
star
5

pyekaboo

Proof-of-concept program that is able to to hijack/hook/proxy Python module(s) thanks to $PYTHONPATH variable
Python
148
star
6

Back2TheFuture

Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates in order to find the patterns.
C
146
star
7

hAFL2

A kAFL based hypervisor fuzzer which fully supports nested VMs
Python
133
star
8

CloudMiner

Execute code using Azure Automation service without getting charged
Python
127
star
9

DoubleDrive

A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files
Python
122
star
10

wd-pretender

Python
115
star
11

SimpleBITSServer

A simple python implementation of a BITS server.
Python
101
star
12

BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account
Python
97
star
13

mkmalwarefrom

Proof-of-concept two-stage dropper generator that uses bits from external sources
Python
96
star
14

spacebin

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.
Python
85
star
15

CortexVortex

Python
72
star
16

backdoros

backdorOS is an in-memory OS written in Python 2.7 with a built-in in-memory filesystem, hooks for open() calls and imports, Python REPL etc.
Python
65
star
17

aikido_wiper

Python
64
star
18

Spooler

C
57
star
19

AltFS

The Alternative Fileless File System
Python
54
star
20

HRS

Perl
43
star
21

RSFW

Request Smuggling Firewall
C++
43
star
22

cachetalk

Proof-of-concept program that is able to read and write arbitrary bits using HTTP server-side caching
Python
36
star
23

QuickShell

A library and a set of tools for exploiting and communicating with Google's Quick Share devices.
C++
31
star
24

BACE

Mapping of Binaries that allows Arbitrary Code Execution
24
star
25

CoWTools

Tools for analyzing Windows containers and break container's isolation
C++
21
star
26

blog-snippets

Repository of Code Snippets from various SafeBreach Blog posts
Python
5
star