Challenge 30: Read the Signature Database
Objective
The signature database is a plaintext file on disk. Read it to learn exactly which hashes the EDR knows about, then avoid them.
Prerequisites
Start the EDR with signatures loaded:
edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill
Scanner Behavior
The --signatures parameter points to a plaintext file. The path is passed on the command line — visible to any process that can enumerate the EDR’s command line or simply guess common paths.
proc loadSignatures(path: string): int =
for line in lines(path):
let stripped = line.strip()
if stripped.startsWith("#"): continue
...
Rules
- Find and read the signature file
- Identify all known hashes
- Use this intel to craft or select a binary that avoids every listed hash
Hints
Hint 1
Check the EDR's command line:wmic process where "name='edr_agent.exe'" get commandline
Hint 2
The signature file path is right there in--signatures signatures/malware_hashes.txt. Just read the file.
MostShittyEDR