Update enum_av Added Trellix EDR

termanix · web-flow · commit 5b186f42951a · 2024-07-17T22:58:26.000+03:00
Signed-off-by: termanix &lt;50464194+termanix@users.noreply.github.com&gt;
diff --git a/nxc/modules/enum_av.py b/nxc/modules/enum_av.py
@@ -358,6 +358,27 @@ def LsarLookupNames(self, dce, policyHandle, service):
                 {"name": "sophoslivequery_*", "processes": [""]}
             ]
         },
+        {
+            "name": "Trellix Endpoint Detection and Response (EDR)",
+            "services": [
+                {"name": "McAfee Endpoint Security Platform Service", "description": "Trellix Core Service"},
+                {"name": "mfemactl", "description": "Trellix Management Service"},
+                {"name": "mfemms", "description": "McAfee Management Service"},
+                {"name": "mfefire", "description": "Trellix Firewall Core Service"},
+                {"name": "masvc", "description": "Trellix Agent Service"},
+                {"name": "macmnsvc", "description": "Trellix Agent Common Service"},
+                {"name": "mfetp", "description": "Trellix Endpoint Threat Prevention Service"},
+                {"name": "mfewc", "description": "Trellix Endpoint Security Web Control Service"}, 
+                {"name": "mfeaack", "description": "Trellix Anti-Malware Core Service"}
+            ],
+            "pipes": [
+                {"name": "TrellixEDR_Pipe_*", "processes": ["McAfeeEDR.exe"]},
+                {"name": "mfemactl_*", "processes": ["mfemactl.exe"]},
+                {"name": "mfefire_*", "processes": ["mfefire.exe"]},
+                {"name": "McAfeeAgent_Pipe_*", "processes": ["McAfeeAgent.exe"]},
+                {"name": "mfetp_*", "processes": ["mfetp.exe"]}
+            ]
+        },
         {
             "name": "Trend Micro Endpoint Security",
             "services": [
