Brandon Dalton Brandon7CC
🌉
Brandon7CC
/ enumerate_es_client_subscriptions.js
Created
December 16, 2023 01:29
Enumerate Endpoint Security event subscription requests made by an arbitrary client (e.g. an EDR sensor's System Extension)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Brandon Dalton (Red Canary Threat Research) | |
| Date: 2023-12-07 | |
| Summary: This script enumerates the event subscriptions requested by an arbitrary client | |
| by hooking the `es_subscribe` function. | |
| Target: Any arbitrary ES client like an EDR sensor's System Extension | |
| Usage: `sudo frida -p $(TARGET_CLIENT) -l event_subscription_interceptor.js` | |
| */ |
Brandon7CC
/ es_coreanalytics_event_subs.js
Last active
May 6, 2025 19:55
Hook the CoreAnalytics sendEvent function call made by endpointsecurityd to uncover event subscriptions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Brandon Dalton (Red Canary Threat Research) | |
| Date: 2023-12-07 | |
| Summary: This script attempts to instrument the `sendEvent:event:` method of the ESCoreAnalytics class. | |
| - Download this script | |
| - Target: You're targeting `endpointsecurityd`, so grab its PID: `sudo launchctl list | grep endpointsecurityd` | |
| - To run: `sudo frida -p $PID -l es_coreanalytics_event_subs.js` | |
| */ | |
| const eventTypeMapping = { |
NewerOlder