DEV.co
Open-Source Security · FourCoreLabs

EDRHunt

EDRHunt is a Windows-focused command-line tool that detects installed endpoint detection and response (EDR) and antivirus software by scanning processes, services, drivers, registry, and WMI. Written in Go and MIT-licensed, it helps security teams and red-teamers identify what defensive tools are running on target systems.

Source: GitHub — github.com/FourCoreLabs/EDRHunt
607
GitHub stars
80
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryFourCoreLabs/EDRHunt
OwnerFourCoreLabs
Primary languageGo
LicenseMIT — OSI-approved
Stars607
Forks80
Open issues2
Latest releasev1.6.0 (2025-12-10)
Last updated2026-03-31
Sourcehttps://github.com/FourCoreLabs/EDRHunt

What EDRHunt is

EDRHunt performs multi-layer forensic scanning (processes, services, drivers, WMI, registry) against a curated keyword database covering 22+ EDR/AV vendors. Execution requires Windows and benefits from elevated privileges; binaries are pre-built for windows/amd64, and the codebase is Go1.17+. Detection is signature-based via keyword matching against file metadata and system artifacts.

Quickstart

Get the EDRHunt source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/FourCoreLabs/EDRHunt.gitcd EDRHunt# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Red Team Engagement & Security Assessment

Quickly enumerate EDR/AV presence before executing post-exploitation tactics, reducing false starts and improving operational efficiency during authorized penetration tests.

Internal Security Posture Audit

Verify that expected defensive tools are deployed across Windows endpoints; identify gaps or rogue installations in corporate environments.

Incident Response & Triage

Establish baseline defensive software inventory at compromise time to understand what monitoring and containment capabilities were active during the incident.

Implementation considerations

  • Requires admin/elevated privileges for complete scanning (WMI, registry, drivers); user-mode execution yields incomplete results and explicit warnings.
  • Keyword database (22+ EDR vendors) may lag against newly rebranded or emerging security products; maintenance cadence and update frequency are critical.
  • Output is text-based and unstructured; parsing or reformatting for SIEM/logging integration requires custom wrapper scripts.
  • False positives possible: generic keywords like 'defender' or 'malware' may flag non-EDR services or processes; manual verification recommended.
  • No authentication, encryption, or audit logging built in; execution on production systems should be logged and authorized separately.

When to avoid it — and what to weigh

  • Multi-Platform Requirement — EDRHunt is Windows-only; it cannot scan macOS or Linux endpoints. Use platform-agnostic alternatives if cross-OS scanning is mandatory.
  • Behavior-Based or Heuristic Detection Needed — This tool relies on static keywords and file metadata. It cannot detect advanced EDRs that mask process names or use obfuscated driver names; evasion-hardened solutions are required for that.
  • Passive Network-Level Monitoring — EDRHunt runs locally on the target host and cannot remotely enumerate EDR from the network. If passive reconnaissance from a remote vantage point is required, choose a different approach.
  • Centralized Multi-Endpoint Reporting — No built-in agent, API, or reporting backend. Each scan is standalone CLI output; for fleet-wide visibility, manual orchestration or custom scripting is needed.

License & commercial use

EDRHunt is licensed under the MIT License, an OSI-approved, permissive open-source license.

MIT License permits commercial use, modification, and distribution provided original license and copyright notice are retained. However, no warranty or liability limitations specific to this project are offered beyond standard MIT terms. Review compliance with your organization's open-source policy and consult legal counsel for production deployment in regulated or high-risk environments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

EDRHunt is a forensic enumeration tool, not a protective control. Execution itself is detectable by the EDR/AV being scanned (process creation, registry/driver enumeration triggers alerts). No built-in stealth; assumes already-compromised or authorized context. Keyword-based detection is signature-prone to evasion (renamed drivers, obfuscated binary names). Consider detection risk before use on live endpoints in adversarial scenarios.

Alternatives to consider

Get-MpComputerStatus (PowerShell)

Native Windows cmdlet limited to Windows Defender only; simpler but far narrower scope and requires PowerShell/WinRM access.

Process Explorer / Autoruns (Sysinternals)

Manual GUI-based inspection of processes, drivers, and registry; platform-agnostic and trusted, but labor-intensive and not automated for scanning.

Elastic EDR Detection Rules / Osquery

Agent-based, cross-platform, and provides centralized telemetry; higher overhead and requires infrastructure, but better for enterprise fleet management.

Software development agency

Build on EDRHunt with DEV.co software developers

Our security experts can guide you through integrating EDRHunt into your assessment workflow, building custom detection rules, or architecting comprehensive endpoint monitoring. Contact us to discuss your specific security posture and compliance requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

EDRHunt FAQ

Do I need admin rights?
No, but user-mode execution is limited. EDRHunt prints a warning and skips WMI, registry, and driver scans in non-admin mode. Elevated privilege is strongly recommended for complete results.
Can it detect EDRs that hide their process names or drivers?
Not reliably. EDRHunt uses static keyword matching. Modern EDRs using code injection, encryption, or obfuscation may evade detection. It is best-effort for standard deployments.
What happens if EDRHunt detects an EDR?
It reports the detected product name and optionally matched processes, drivers, or registry keys depending on scan mode. It does not interact, alert, or remove anything.
Is this legal to use?
EDRHunt itself is MIT-licensed software. Legality of use depends on your authorization and local law. Unauthorized system scanning or evasion is illegal; use only on systems you own or have explicit written permission to test.

Work with a software development agency

Adopting EDRHunt is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Need Help Assessing EDR Coverage or Red Team Tooling?

Our security experts can guide you through integrating EDRHunt into your assessment workflow, building custom detection rules, or architecting comprehensive endpoint monitoring. Contact us to discuss your specific security posture and compliance requirements.