Owlglass

Endpoint Detection and Response

Basics

Generally, EDRs are applications installed on a target's endpoints that collect data about the security state of the environment; this collected data is called telemetry.

Components

  • Agent: an application that controls and consumes data from sensor components, performs some basic threat analysis, and forwards the telemetry to the main server, which further analyzes events from all agents deployed in an environment. In response to activity deemed malicious, the agent may:
    • log that malicious activity, sending an alert to a central logging system, e.g. the EDR's dashboard or a security information and event management (SIEM) solution
    • block the malicious operation’s execution by returning values indicating failure to the program that is performing the action
    • deceive the attacker by returning to the caller invalid values, such as incorrect memory addresses or modified access masks, causing the offensive tooling to believe that the operation completed successfully even though subsequent operations will fail
  • Telemetry: the raw data generated by a sensor component or the host. Every action on the system generates some form of telemetry, and these become data points for the security tool's alerting logic, e.g. based on environmental heuristics or static signature libraries
  • Sensors: intercept data flowing through an internal process, extract information, and forward it to the central agent.
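The sensor → agent → response flow above, as an added toy model (not code from the book or any product): constructed sensor records are evaluated against a constructed signature set and two environmental heuristics, and the agent picks one of the three response types (log, block, deceive). The rule names, image names and the access-mask constants are assumptions made for illustration.

```python
# Constructed signature library and heuristic settings; the names and the
# access masks are illustrative stand-ins, not values from a real EDR.
KNOWN_BAD_IMAGES = {"known_bad_tool.exe"}              # static signature library
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
FULL_ACCESS, LIMITED_QUERY = 0x1FFFFF, 0x1000           # all-access vs. query-only mask

def evaluate(event):
    """Agent-side analysis: map one telemetry record to (rule, action) findings
    using a static signature and environmental heuristics."""
    findings = []
    if event["type"] == "process_create":
        if event["image"] in KNOWN_BAD_IMAGES:
            findings.append(("signature:known_bad_image", "block"))
        if event["parent"] in OFFICE_APPS and event["image"] in SHELLS:
            findings.append(("heuristic:office_spawns_shell", "block"))
        if "-enc" in event["cmdline"].split():
            findings.append(("heuristic:encoded_command", "log"))
    elif event["type"] == "handle_open":
        if event["target"] == "lsass.exe" and event["access"] == FULL_ACCESS:
            findings.append(("heuristic:sensitive_process_handle", "deceive"))
    return findings

PRIORITY = {"block": 3, "deceive": 2, "log": 1, "allow": 0}

def respond(event, alerts):
    """Record an alert per finding (forwarded to dashboard/SIEM) and return
    what the sensor hands back to the calling program."""
    findings = evaluate(event)
    for rule, action in findings:
        alerts.append({"rule": rule, "action": action, "pid": event["pid"]})
    action = max((a for _, a in findings), key=PRIORITY.get, default="allow")
    if action == "block":      # failure value returned to the caller
        return {"action": "block", "status": "ACCESS_DENIED"}
    if action == "deceive":    # looks like success, but with a downgraded mask
        return {"action": "deceive", "status": "SUCCESS", "access": LIMITED_QUERY}
    return {"action": action, "status": "SUCCESS"}

# Constructed telemetry from a process-creation sensor and a handle-open sensor.
SENSOR_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": "winword.exe", "parent": "explorer.exe", "cmdline": "winword.exe report.docx"},
    {"type": "process_create", "pid": 4120, "image": "powershell.exe", "parent": "winword.exe", "cmdline": "powershell -enc <base64>"},
    {"type": "handle_open", "pid": 4120, "target": "lsass.exe", "access": FULL_ACCESS},
    {"type": "process_create", "pid": 4150, "image": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

def run_agent(events):
    """Process every sensor record; return (alerts sent upstream, responses to callers)."""
    alerts = []
    responses = [respond(e, alerts) for e in events]
    return alerts, responses

if __name__ == "__main__":
    for alert in run_agent(SENSOR_EVENTS)[0]:
        print(alert)
```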

The offensive side wants to prevent, limit, or normalize the flow of telemetry collected by the sensor, with the goal of reducing the number of data points the product can use to create high-fidelity alerts or to prevent the operation from executing. Essentially, the aim is to generate a false negative.

Sources

Evading EDR - Matt Hand