VirtualAlllocEx

Cobalt Strike Aggressor Script for identifying security products on Windows hosts — six enumeration methods rated by noise level, from silent in-process BOF to full PowerShell/WMI.

37
3
69% credibility
Found Feb 07, 2026 at 23 stars.
AI Analysis
C
AI Summary

Cobalt Strike Aggressor script and companion tool for detecting antivirus, endpoint protection, EDR, and monitoring products on Windows hosts via methods ranked by detection risk.

How It Works

1
🔍 Discover the Detector

A GitHub project that identifies security software (antivirus, endpoint protection, EDR, and telemetry agents) on Windows hosts without drawing attention to itself.

2
📥 Add to Your Toolkit

Load the Aggressor script into Cobalt Strike; it registers six beacon commands for checking which protections are present.

3
🔨 Prepare Quiet Scanner

Compile the companion BOF so the quietest checks run inside the beacon process instead of spawning a new one.

4
🚀 Launch Silent Checks

On a host where you already have a beacon, run the lowest-noise commands first to enumerate running processes, services, and loaded kernel drivers.

5
📊 See Clear Results

Detected security products are listed by category and color-coded by threat level.

6
🎯 Know the Defenses

You now know which protections are on the machine and can choose the next step of the engagement accordingly.

AI-Generated Review

What is CS-EDR-Enumeration?

This Cobalt Strike Aggressor script adds six beacon commands for spotting EDR, AV, EPP, and telemetry products on Windows hosts by inspecting processes, services, and kernel drivers. It addresses the irony that a noisy PowerShell scan alerts the very defenses you are trying to find, offering methods from a silent in-process BOF up to full WMI queries, each rated by noise level. Built as an Aggressor script plus a C BOF, it covers 48 vendors, including CrowdStrike and SentinelOne, and reports them with color-coded threat levels.
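To make the workflow concrete (the six steps above and the process/service/driver matching described here), the following Python is an added example of the same idea: pick the quietest enumeration methods that cover the artifact classes you need, then match what the beacon returns against a vendor signature table and group the hits by category and threat level. It is not the project's Aggressor script or BOF. The command names edr_check and edr_services_bof come from the page but their coverage here is assumed; the *_hypothetical method names, the four-vendor signature table (built from commonly documented artifact names, far smaller than the project's 48 vendors) and the sample snapshot are all constructed for this example.

```python
"""Model of the EDR-enumeration workflow described on this page: pick the
quietest methods that cover the artifact classes you need, then match what
the beacon returns against a vendor signature table and group the hits by
category and threat level.  Added example; not the project's own code."""

from collections import defaultdict

# Enumeration methods with the artifact classes they cover and the host-side
# noise each one leaves.  edr_check and edr_services_bof are named on the page;
# their exact coverage is ASSUMED here.  The *_hypothetical entries stand in for
# the script's PowerShell/WMI variants and are not real command names.
METHODS = {
    "edr_check":            {"covers": {"process"},                      "noise": set()},
    "edr_services_bof":     {"covers": {"service", "driver"},            "noise": set()},
    "edr_ps_hypothetical":  {"covers": {"process", "service", "driver"}, "noise": {"child_process", "scriptblock_log"}},
    "edr_wmi_hypothetical": {"covers": {"process", "service", "driver"}, "noise": {"child_process", "wmi_activity"}},
}

# Illustrative signatures built from commonly documented artifact names; the
# project's real table is larger and should be used in practice.
SIGNATURES = [
    {"vendor": "CrowdStrike Falcon", "category": "EDR", "threat": "high",
     "process": {"csfalconservice", "csfalconcontainer"}, "service": {"csfalconservice"}, "driver": {"csagent"}},
    {"vendor": "SentinelOne", "category": "EDR", "threat": "high",
     "process": {"sentinelagent", "sentinelservicehost"}, "service": {"sentinelagent"}, "driver": {"sentinelmonitor"}},
    {"vendor": "Microsoft Defender", "category": "AV/EPP", "threat": "medium",
     "process": {"msmpeng", "nissrv"}, "service": {"windefend"}, "driver": {"wdfilter", "wdnisdrv"}},
    {"vendor": "Sysmon", "category": "Telemetry", "threat": "medium",
     "process": {"sysmon", "sysmon64"}, "service": {"sysmon", "sysmon64"}, "driver": {"sysmondrv"}},
]

COLORS = {"high": "\033[31m", "medium": "\033[33m", "low": "\033[32m"}
RESET = "\033[0m"


def quietest_plan(needed):
    """Greedy: walk methods in order of increasing noise, keep each one that
    adds uncovered artifact classes, stop once `needed` is fully covered."""
    needed, plan = set(needed), []
    for name, m in sorted(METHODS.items(), key=lambda kv: len(kv[1]["noise"])):
        if needed & m["covers"]:
            plan.append(name)
            needed -= m["covers"]
        if not needed:
            return plan
    raise ValueError(f"no method covers {sorted(needed)}")


def normalize(name):
    """Case-fold and drop image extensions so 'MsMpEng.exe' and 'msmpeng' compare equal."""
    n = name.strip().lower()
    for ext in (".exe", ".sys"):
        if n.endswith(ext):
            n = n[: -len(ext)]
    return n


def detect(snapshot):
    """snapshot maps artifact class -> names the beacon returned; a class that
    was not enumerated is simply absent.  Returns one hit per matched vendor."""
    seen = {k: {normalize(v) for v in vals} for k, vals in snapshot.items()}
    hits = []
    for sig in SIGNATURES:
        evidence = {}
        for kind in ("process", "service", "driver"):
            found = sorted(seen.get(kind, set()) & sig[kind])
            if found:
                evidence[kind] = found
        if not evidence:
            continue
        hit = {"vendor": sig["vendor"], "category": sig["category"],
               "threat": sig["threat"], "evidence": evidence}
        # Edge case worth flagging: processes were enumerated, the vendor's
        # kernel driver is loaded, but its user-mode agent is not running, so
        # the sensor may still be collecting even though the service is gone.
        if "driver" in evidence and "process" in seen and "process" not in evidence:
            hit["note"] = "kernel driver present without user-mode agent"
        hits.append(hit)
    return hits


def render(hits):
    """Group hits by category and color each line by threat level (ANSI)."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["category"]].append(h)
    lines = []
    for cat in sorted(groups):
        lines.append(f"[{cat}]")
        for h in groups[cat]:
            ev = "; ".join(f"{k}: {', '.join(v)}" for k, v in h["evidence"].items())
            note = f"  <- {h['note']}" if "note" in h else ""
            lines.append(f"  {COLORS[h['threat']]}{h['threat'].upper():6}{RESET} {h['vendor']} ({ev}){note}")
    return "\n".join(lines)


# Constructed snapshot standing in for beacon output on one host: Defender and
# Sysmon fully present, CrowdStrike's driver loaded but its service/process gone.
SAMPLE_SNAPSHOT = {
    "process": ["MsMpEng.exe", "NisSrv.exe", "Sysmon64.exe", "explorer.exe", "svchost.exe"],
    "service": ["WinDefend", "Sysmon64", "Spooler"],
    "driver":  ["WdFilter.sys", "SysmonDrv.sys", "csagent.sys", "ntfs.sys"],
}

if __name__ == "__main__":
    print("plan:", quietest_plan({"process", "service", "driver"}))
    print(render(detect(SAMPLE_SNAPSHOT)))
```

The plan step is what the page's noise matrix encodes: with both in-process commands available, full process/service/driver coverage costs no child process or PowerShell telemetry, and the noisier variants are only chosen when a needed class is otherwise uncovered. The `note` on the CrowdStrike hit is the kind of result you want before continuing: the driver is still in the kernel even though nothing of the agent shows in the process list.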

Why is it gaining traction?

The zero-artifact entry points, edr_check and edr_services_bof, give full visibility without spawning child processes or leaving the ETW and script-block telemetry a PowerShell scan would, unlike the usual PowerShell one-liners run through a beacon. Built-in matrices detail artifacts versus coverage for each method, and edr_help keeps that reference available offline, which fits Cobalt Strike 4.11/4.12 operations that already rely on custom Malleable C2 profiles or sleep masks. Operators like the workflow: start silent, escalate only if needed, all from one Aggressor load.

Who should use this?

Red teamers running Cobalt Strike on Windows beacons during authorized penetration tests, especially right after initial access when you need quick EDR intelligence without burning OPSEC. It suits operations that pair Aggressor scripts with BOFs for low-noise post-exploitation, for example confirming whether an EDR's kernel driver is still loaded after its service has been stopped.

Verdict

Grab it if you're deep in Cobalt Strike evasion work: thorough docs and an MIT license make it plug-and-play after a quick BOF compile. At 37 stars and a 69% credibility score it is still early, so check its signatures against your own lab images before trusting the results on an engagement, and contribute signatures to broaden vendor coverage.
