EDRHunt
EDRHunt is a Windows-focused command-line tool that detects installed endpoint detection and response (EDR) and antivirus software by scanning processes, services, drivers, registry, and WMI. Written in Go and MIT-licensed, it helps security teams and red-teamers identify what defensive tools are running on target systems.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | FourCoreLabs/EDRHunt |
| Owner | FourCoreLabs |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 607 |
| Forks | 80 |
| Open issues | 2 |
| Latest release | v1.6.0 (2025-12-10) |
| Last updated | 2026-03-31 |
| Source | https://github.com/FourCoreLabs/EDRHunt |
What EDRHunt is
EDRHunt performs multi-layer forensic scanning (processes, services, drivers, WMI, registry) against a curated keyword database covering 22+ EDR/AV vendors. Execution requires Windows and benefits from elevated privileges; binaries are pre-built for windows/amd64, and the codebase is Go1.17+. Detection is signature-based via keyword matching against file metadata and system artifacts.
Get the EDRHunt source
Clone the repository and explore it locally.
git clone https://github.com/FourCoreLabs/EDRHunt.gitcd EDRHunt# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires admin/elevated privileges for complete scanning (WMI, registry, drivers); user-mode execution yields incomplete results and explicit warnings.
- Keyword database (22+ EDR vendors) may lag against newly rebranded or emerging security products; maintenance cadence and update frequency are critical.
- Output is text-based and unstructured; parsing or reformatting for SIEM/logging integration requires custom wrapper scripts.
- False positives possible: generic keywords like 'defender' or 'malware' may flag non-EDR services or processes; manual verification recommended.
- No authentication, encryption, or audit logging built in; execution on production systems should be logged and authorized separately.
When to avoid it — and what to weigh
- Multi-Platform Requirement — EDRHunt is Windows-only; it cannot scan macOS or Linux endpoints. Use platform-agnostic alternatives if cross-OS scanning is mandatory.
- Behavior-Based or Heuristic Detection Needed — This tool relies on static keywords and file metadata. It cannot detect advanced EDRs that mask process names or use obfuscated driver names; evasion-hardened solutions are required for that.
- Passive Network-Level Monitoring — EDRHunt runs locally on the target host and cannot remotely enumerate EDR from the network. If passive reconnaissance from a remote vantage point is required, choose a different approach.
- Centralized Multi-Endpoint Reporting — No built-in agent, API, or reporting backend. Each scan is standalone CLI output; for fleet-wide visibility, manual orchestration or custom scripting is needed.
License & commercial use
EDRHunt is licensed under the MIT License, an OSI-approved, permissive open-source license.
MIT License permits commercial use, modification, and distribution provided original license and copyright notice are retained. However, no warranty or liability limitations specific to this project are offered beyond standard MIT terms. Review compliance with your organization's open-source policy and consult legal counsel for production deployment in regulated or high-risk environments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Possible |
| Assessment confidence | High |
EDRHunt is a forensic enumeration tool, not a protective control. Execution itself is detectable by the EDR/AV being scanned (process creation, registry/driver enumeration triggers alerts). No built-in stealth; assumes already-compromised or authorized context. Keyword-based detection is signature-prone to evasion (renamed drivers, obfuscated binary names). Consider detection risk before use on live endpoints in adversarial scenarios.
Alternatives to consider
Get-MpComputerStatus (PowerShell)
Native Windows cmdlet limited to Windows Defender only; simpler but far narrower scope and requires PowerShell/WinRM access.
Process Explorer / Autoruns (Sysinternals)
Manual GUI-based inspection of processes, drivers, and registry; platform-agnostic and trusted, but labor-intensive and not automated for scanning.
Elastic EDR Detection Rules / Osquery
Agent-based, cross-platform, and provides centralized telemetry; higher overhead and requires infrastructure, but better for enterprise fleet management.
Build on EDRHunt with DEV.co software developers
Our security experts can guide you through integrating EDRHunt into your assessment workflow, building custom detection rules, or architecting comprehensive endpoint monitoring. Contact us to discuss your specific security posture and compliance requirements.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
EDRHunt FAQ
Do I need admin rights?
Can it detect EDRs that hide their process names or drivers?
What happens if EDRHunt detects an EDR?
Is this legal to use?
Work with a software development agency
Adopting EDRHunt is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Need Help Assessing EDR Coverage or Red Team Tooling?
Our security experts can guide you through integrating EDRHunt into your assessment workflow, building custom detection rules, or architecting comprehensive endpoint monitoring. Contact us to discuss your specific security posture and compliance requirements.