VulnTech EDR Overview – VulnTech Notes

Endpoint Detection and Response (EDR) is a security solution designed to monitor, detect, analyze, and respond to threats on endpoints such as laptops, servers, virtual machines, and cloud workloads.
Unlike traditional antivirus, EDR focuses on behavior, telemetry, and continuous monitoring, allowing SOC analysts to detect advanced attacks like fileless malware, lateral movement, credential theft, and persistence mechanisms.

This chapter explains EDR in full-scale SOC depth, including components, telemetry, detection logic, workflows, and practical examples.

What EDR Does

EDR provides visibility into endpoint activity by collecting and analyzing:

Process creation
Command-line arguments
File modifications
Network connections
Registry changes
Memory activity
Module loading
Execution behavior
User activity
Script execution (PowerShell, Bash, WMI)

This telemetry allows SOC teams to reconstruct attacker behavior in real time.

Core Capabilities of EDR

1. Continuous Endpoint Monitoring

EDR agents run on every host and collect data 24/7.

Monitored activity includes:

Process execution
Network connections
DLL loads
Registry writes
Driver loads
Script execution

This provides a granular, timeline-based view of everything happening on an endpoint.

2. Behavior-Based Detection

Unlike signature-based antivirus, EDR detects:

Abnormal process trees
Suspicious parent-child relationships
C2 beaconing attempts
Credential access attempts
Persistence mechanisms
Memory injections

Example:

WINWORD.exe → powershell.exe → curl payload.exe

This is suspicious regardless of file signature.

3. Threat Intelligence Integration

EDR checks:

Hash reputation
IP/domain reputation
Malware family classification

Example:

SHA256 matches AgentTesla malware

4. Automated Responses

EDR can:

Kill processes
Quarantine files
Isolate hosts from the network
Block execution
Roll back ransomware changes
Terminate malicious sessions

Automated response greatly reduces attacker dwell time.

5. Threat Hunting Capabilities

Analysts can run queries like:

process_name: powershell AND commandline: *enc*

or:

network_connection: outbound AND remote_port: 4444

EDR allows deep endpoint investigation across days or months of telemetry.

EDR Architecture (How It Works)

EDR consists of four major components:

1. Endpoint Agent

Installed on Windows, Linux, macOS, or cloud machines.

It collects:

Syscalls
File events
Registry activity
Script execution
Network telemetry

2. Cloud Platform / Backend

Processes:

Telemetry
Behavioral analytics
Machine learning classification
Alert prioritization

3. Detection Engine

Detects:

Known malware
Unknown malware (behavior-based)
Lateral movement patterns
Script abuse (PowerShell, WMI, Bash)
Exploitation attempts

4. EDR Console

Used by SOC teams for:

Investigations
Timeline analysis
Threat hunting
Incident response
Host isolation
Containment actions

Endpoint Telemetry Collected by EDR

Below is the exact data EDR collects, which SOC analysts rely on.

Process Telemetry

Process creation
Parent/child relationships
Command-line arguments
Loaded modules

File Telemetry

File creation
File modification
File deletion
File hashes

Registry Telemetry (Windows)

Run keys
Services
WMI persistence
Scheduled tasks

Script Telemetry

PowerShell logs
WMIC usage
Bash scripts
Python/Node scripts executed

Network Telemetry

Outbound connections
Inbound connections
Remote IPs
Ports
Protocols

Memory Telemetry

Code injection
Reflective DLL loading
Shellcode execution

This is the visibility that allows detection of advanced threats.

How SOC Analysts Use EDR

1. Investigating Alerts

Analysts see:

What executed
How it executed
What it did
Where it connected
What files it touched

EDR builds a full kill chain for the analyst.

2. Threat Hunting

For behaviors such as:

Encoded PowerShell
C2 patterns
Credential dumping
DLL sideloading
Crypto miner indicators

Example query:

event.type: process AND commandline:*frombase64string*

3. Incident Response

EDR enables:

Host isolation
Process killing
File quarantine
Blocking execution
Evidence capture

Example:

Isolate HOST01 from network → stop C2 communication immediately

4. Malware Analysis

EDR provides:

Process trees
Behavior patterns
Memory artifacts
Dropped files

Analysts use this to identify malware families.

5. Detection Engineering

EDR data helps create:

Sigma rules
Custom detection logic
Correlation rules
Threat hunting queries

EDR greatly enhances SIEM detection accuracy.

Practical Examples of EDR in Action

Example 1 — Detecting Fileless Malware

EDR sees:

WINWORD.exe → powershell.exe → Invoke-Expression
Encoded command

This immediately triggers a high-severity alert.

Example 2 — Credential Theft Detection

process: attacker.exe
target: lsass.exe
access: memory_read

EDR blocks or isolates automatically.

Example 3 — C2 Communication

EDR logs:

powershell.exe → https://checkin-sync.biz/status

Combined with DNS and firewall logs, SOC escalates incident.

Example 4 — Crypto Miner Detection

xmrig.exe high CPU usage
Outbound to pool.minexmr.com
Persistence via scheduled task

EDR identifies miner quickly.

Example 5 — Lateral Movement Detection

EDR telemetry:

psexec.exe connecting to multiple hosts

SOC begins containment to block spread.

Intel Dump

EDR continuously monitors endpoints for malicious behavior using telemetry and analytics.
EDR detects fileless malware, process injections, suspicious scripts, and C2 activity.
Key components include endpoint agent, backend analytics, detection engine, and EDR console.
SOC uses EDR for investigations, threat hunting, IR actions, and detection engineering.
EDR provides detailed telemetry: process, file, registry, network, script, and memory activity.
EDR enables fast containment through host isolation, blocking, and process control.