EDR Basics

What EDR Actually Does

Endpoint detection and response is security software focused on endpoint visibility, detection, investigation, and response.
Instead of only checking whether a file is known malware (traditional antivirus), EDR watches behavior at the OS and kernel level — process creation, command-line activity, file changes, logons, network connections, registry modifications, and suspicious parent-child process relationships.
Good EDR alerts should be near real time, actionable, and connected to enough evidence for an analyst to understand scope without chasing a dozen different log sources.
EDR differs from antivirus in its response capability: isolate a host, kill a process, quarantine a file, collect a memory dump, run a script — all from the console without needing hands on the keyboard.

EDR Telemetry Sources — What Your EDR Collects

The value of EDR depends entirely on the breadth and depth of its telemetry. A sensor that only records process creation is blind to half the attack surface.

Telemetry Type	What It Captures	Windows Event ID	Analyst Use
Process creation	Parent PID, child PID, command line, user, image path	4688 (EventID 1 in Sysmon)	Core of every investigation. Identify suspicious parent-child relationships (e.g., `winword.exe` spawning `powershell.exe`)
Network connections	Source IP, dest IP, port, protocol, process that initiated the connection	5156 (Windows Filtering Platform), Sysmon EventID 3	Identify C2 beaconing, data exfiltration, lateral movement traffic
File creation / modification	File path, user, process that created the file, old vs. new hashes	4663, Sysmon EventID 11	Detect malware drops, script files, renamed executables
Registry changes	Key path, value name, old data, new data, process	4657, Sysmon EventID 12-14	Detect persistence mechanisms (Run keys), defense evasion (tampering with security settings)
Script execution	PowerShell, WMI, JScript, VBScript execution with full command line	4104 (PowerShell ScriptBlock Logging), 4688	Detect in-memory execution, encoded commands, LOLBins
Scheduled task creation	Task name, trigger, action, user	4698, Sysmon EventID 1 (via taskeng.exe spawn)	Detect persistence via scheduled tasks
Service creation / modification	Service name, image path, start type, user	7045 (Service Install), Sysmon EventID 1	Detect persistence via services, service binary hijacking
Driver load	Driver name, image path, hash, signature	Sysmon EventID 6	Detect kernel-mode rootkits, vulnerable driver abuse (Bring Your Own Vulnerable Driver)
DNS query	Query domain, process, result	Sysmon EventID 22 (must be enabled)	Detect DGA, DNS tunneling, C2 callbacks
Logon / logoff	Logon type (2=interactive, 3=network, 10=remote), source IP, account	4624, 4625, 4648	Detect lateral movement, brute-force attempts, anomalous logon patterns
Process access	Which process opened a handle to another process (e.g., LSASS access)	Sysmon EventID 10	Detect credential dumping (`lsass.exe` access by `procdump.exe` or `mimikatz.exe`)
Named pipe creation / connection	Pipe name, process creating and connecting to pipe	Sysmon EventID 17, 18	Detect Cobalt Strike named pipe communication, lateral movement

Critical Telemetry Gaps to Check

Gap	Why It Matters	How to Verify
PowerShell ScriptBlock Logging disabled	Blocks visibility into obfuscated PowerShell commands	Check `HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`
Sysmon not installed	Missing EventID 1 (detailed process tree), EventID 10 (process access), EventID 3 (network), EventID 22 (DNS)	Check services.msc or `Get-Service Sysmon*`
Command-line logging disabled	Process creation events with no command line = useless	Check `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableCommandLineToEventLog`
DNS query logging not enabled	EDR cannot detect DNS tunneling or DGA	Enable Sysmon EventID 22 or DNS query logging at the EDR sensor level
4688 process auditing not configured	EDR relies on OS audit policies — disablement = blind	Check `secpol.msc → Advanced Audit Policy → Detailed Tracking → Audit Process Creation`

Detection — EDR Alert Triage

Step-by-Step Triage Workflow

When an EDR alert fires, do not click “resolve” until you have answered every question in this workflow:

Alert received
    │
    ▼
Step 1: Determine the alert type
   ├─ Malware detection (file hash match, AMSI trigger, signature match)
   ├─ Behavioral detection (suspicious process tree, anomalous network connection)
   ├─ Indicator match (IOC match from threat intel)
   └─ Custom rule trigger (detection rule written by your team)
    │
    ▼
Step 2: Examine the process tree
   ├─ What process spawned the alerting process?
   ├─ What did the alerting process spawn?
   ├─ What command line arguments were passed?
   ├─ Is the process running from a normal location? (C:\Windows\System32 vs C:\Users\Public\Downloads)
   └─ Is the process signed? (Microsoft signed? Signed by an unknown publisher?)
    │
    ▼
Step 3: Scope the host
   ├─ What network connections did it make in the last 24 hours?
   ├─ What file system changes preceded the alert? (script files dropped? DLLs written?)
   ├─ What registry persistence mechanisms were created?
   ├─ What other processes ran under the same user account?
   └─ Is the host domain-joined? (enables lateral movement analysis)
    │
    ▼
Step 4: Scope the environment
   ├─ Does the same indicator appear on other endpoints?
   ├─ Is this a known attacker behavior pattern? (common TTP mapping)
   ├─ Does the parent process correlate with a known campaign?
   └─ Have any other alerts fired in the same time window?
    │
    ▼
Step 5: Determine response
   ├─ Isolate the host (immediately if high confidence / active C2)
   ├─ Kill the process
   ├─ Quarantine the file
   ├─ Collect a full memory dump
   └─ Initiate formal incident response process if evidence suggests hands-on-keyboard activity

Critical Indicators by EDR Telemetry Type

Process tree anomalies (always investigate):

Parent Process	Child Process	Likely TTP
`winword.exe` / `excel.exe`	`powershell.exe` / `cmd.exe`	Malicious macro — T1204 (User Execution), T1059 (Command and Scripting Interpreter)
`outlook.exe`	`powershell.exe` / `wscript.exe`	Email-based initial access with script execution
`wmiprvse.exe`	`powershell.exe` / `cmd.exe`	WMI lateral movement — T1047 (Windows Management Instrumentation)
`svchost.exe`	`regsvr32.exe`	DLL execution via COM or service — T1218.010 (Regsvr32)
`explorer.exe`	`powershell.exe` with `-EncodedCommand`	User double-clicked a malicious script — T1204.002
`services.exe`	binary in non-standard path (`C:\Users\Public\`)	Service persistence with suspicious binary — T1543.003
`taskeng.exe`	`powershell.exe` / `cmd.exe`	Scheduled task persistence or execution — T1053.005

Memory / handle access anomalies:

Target Process	Source Process	Suspicious?
`lsass.exe`	any process other than `Lsaiso.exe`, `TrustedInstaller.exe`, or `Csrss.exe`	YES — possible credential dumping (T1003.001)
`winlogon.exe`	any non-system process	YES — possible credential dumping (T1003)
`svchost.exe` (LSASS-related)	non-system process	Investigate — possible credential or token manipulation

SPL Query — Find LSASS Handle Events

index=endpoint sourcetype=process_access
| search target_process="lsass.exe"
| where source_process!="Lsaiso.exe" AND source_process!="TrustedInstaller.exe" AND source_process!="Csrss.exe"
| eval alert = if(source_process IN ("procdump*", "mimikatz*", "powershell*"), "HIGH — known credential dumping tool accessing LSASS", "MEDIUM — unknown process accessing LSASS — investigate")
| eval alert_severity = if(alert LIKE "HIGH%", "high", "medium")
| stats values(access_mask) as AccessMask, count by host, source_process, source_process_id, user, alert, alert_severity
| sort - count
| table host, source_process, user, AccessMask, count, alert

SPL Query — Find Suspicious Process Trees (Office → Script Host)

index=endpoint sourcetype=process_creation
| search parent_process IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| search child_process IN ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe")
| eval alert = "HIGH — " . parent_process . " spawned " . child_process . " — malicious macro or document exploit"
| table _time, host, user, parent_process, parent_command_line, child_process, child_command_line, alert
| sort _time desc

EDR Vendor Comparison

No EDR is perfect. Each has strengths, blind spots, and operational trade-offs. The table below reflects common analyst experience as of early 2026.

Vendor	Core Strengths	Known Blind Spots	Best For
Microsoft Defender for Endpoint	Deep Windows integration (kernel-level), excellent process tree visualization, built-in incident graph, strong for Azure/M365 environments	Linux and macOS coverage is weaker than Windows; Linux agent can be resource-heavy; alert tuning requires ongoing effort	Microsoft-first shops; Windows-heavy environments; Azure customers
CrowdStrike Falcon	Lightweight agent, strong cloud-native architecture, excellent threat intelligence overlay, fast detection triage	No on-premises management option; Linux/container coverage is good but less mature than Windows; higher per-endpoint cost	Cloud-native environments; MSSPs; orgs with heavy container or Linux workloads
SentinelOne Singularity	Strong autonomous response (automatic rollback), cross-platform (Windows, macOS, Linux), good ransomware protection via behavioral AI	Alert details can be less granular than competitors; custom detection rules (STAR rules) are more limited than custom Sigma/Splunk rules; false positive tuning takes time	Orgs that want automated response; ransomware-focused environments; small SOC teams
Carbon Black (VMware/Broadcom)	Deep process-level telemetry recording, strong for post-breach forensics with full event replay, earlier to market so mature detection libraries	UI can feel dated compared to modern EDRs; Broadcom acquisition introduced pricing and support uncertainty; response capabilities less automated	Orgs with existing VMware investment; forensics-heavy workflows; mature SOC teams that want full telemetry
Cortex XDR (Palo Alto)	Network + endpoint telemetry correlation (combines firewall, EDR, and cloud data), strong analytics, XQL query language for deep threat hunting	Heavy agent; complex deployment; steep learning curve for custom queries	Palo Alto customers; orgs that want network + endpoint convergence; large enterprise
Cybereason	Good process tree visualization (MalOp graph), strong correlation across telemetry types, intuitive UI	Smaller market share → fewer community detection rules; alert customization less flexible than CrowdStrike or SentinelOne	Orgs that prioritize visual investigation flows; mid-market

Critical Evaluation Questions for Any EDR

Can the agent survive a kernel-level attack? Does the sensor run in kernel mode? Can an attacker kill the agent with a simple taskkill?
How does your EDR handle offline detection? If the host is disconnected from the network for 8 hours, does it replay telemetry on reconnect?
What is the storage retention period? How far back can you search telemetry? 30 days? 90 days? 365 days?
Can you write custom detection rules? Natively? Via Sigma? Via YARA? The flexibility to write custom rules directly matters more than the pre-built rule count.
How does it handle macOS and Linux? If your environment is 50% Windows and 50% Linux, an EDR with weak Linux coverage leaves half your footprint unprotected.
API maturity: Can you ingest alerts into your SIEM via API? Can you trigger response actions via API for SOAR integration?
Agent resource consumption: CPU, memory, disk usage during baseline and during heavy scan. High overhead = user complaints = agents disabled.

EDR Bypass Techniques — How Attackers Evade Endpoint Sensors

Understanding EDR bypass is critical for analysts. When an EDR fails to detect an attack, it is often because the attacker used a known bypass technique — not because the EDR is broken.

Technique	How It Works	Detection Signal
DLL sideloading	Place a malicious DLL in the search path of a legitimate signed executable	DLL load events from non-standard paths; unsigned DLL loaded by signed executable (Sysmon EventID 7)
Process hollowing	Create a legitimate process in a suspended state, unmaps its original code, injects malicious code into the process memory, resumes the thread	Unusual parent-child relationships; process creation followed by unexpected memory allocation (Sysmon EventID 8 — CreateRemoteThread)
Reflective DLL injection	Load a DLL directly from memory without touching disk — no file to scan	Process access events (Sysmon EventID 10); memory region creation with RWX permissions (Sysmon EventID 7); no corresponding file creation for the loaded module
Living off the land (LOLBins)	Use built-in Windows tools (PowerShell, WMI, certutil, bitsadmin, mshta) for malicious purposes	Command-line anomalies (PowerShell with `-EncodedCommand`); WMI process creation; BITS job creation for download)
ETW tampering	Disable or patch Event Tracing for Windows (ETW) providers that the EDR relies on	ETW session termination events; `EtwEventWrite` function patching; service or driver tampering that affects `NtTraceEvent`
Userland API hooking evasion	Unhook or bypass EDR DLL hooks by loading clean ntdll.dll or using direct syscalls	Suspicious memory allocation patterns; syscall instruction sequence detection; unexpected `ntdll.dll` loading patterns
EDR agent process termination	Kill the EDR sensor process or service	Service stop events (EventID 7036); process termination events; gap in telemetry from a host
Driver blocklisting (BYOVD)	Load a legitimate but vulnerable driver to disable or bypass kernel-mode EDR components	Driver load events (Sysmon EventID 6); known vulnerable driver hash matches (check Microsoft’s vulnerable driver blocklist)
Certificate impersonation	Sign malware with a stolen or forged code signing certificate	Telemetry gap during certificate validation; process runs signed with unexpected publisher name
Indirect syscalls	Execute syscalls by hijacking the return address of a legitimate syscall in `ntdll.dll`	Hard to detect without kernel-mode EDR; call stack analysis in memory; behavioral detection (what the process does, not how it does it)

SPL Query — Detect Potential Process Injection (CreateRemoteThread)

index=endpoint sourcetype=process_access
| search access_mask="0x1FFFFF" (full access) OR access_mask="0x43A" (thread creation)
| eval alert = if(source_process="svchost.exe" OR source_process="wmiprvse.exe", "MEDIUM — unexpected CreateRemoteThread from " . source_process, "HIGH — CreateRemoteThread detected from " . source_process . " to " . target_process)
| table _time, host, source_process, source_process_id, target_process, target_process_id, access_mask, alert
| sort _time desc

EDR Triage Decision Matrix

When multiple alerts fire simultaneously, prioritize by this matrix:

Alert Type	Priority	Triage Steps
LSASS access by non-system process	Critical	Immediately isolate the host. Credential dumping is an active attack with lateral movement risk.
C2 beaconing (regular callbacks to unknown IP)	Critical	Identify C2 IP, block at firewall. Isolate host. Collect full memory dump before containment.
Ransomware behavior (mass file encryption)	Critical	Isolate immediately. Identify patient zero. Check for lateral movement before containment.
Malicious macro execution (Office → PowerShell)	High	Kill the process chain. Quarantine the document. Check email logs for same attachment to other users.
Suspicious scheduled task creation	High	Examine the task action and trigger. Check if the binary is known-good. Correlate with any preceding alerts.
Unknown service creation	Medium	Examine the service binary path, hash, signature. Check VirusTotal. Determine if admins were aware.
Beacon to known-bad domain	High	Block DNS query at resolver. Isolate host. Determine infection vector.
USB device connection (first time / new device)	Low	Check if the device was expected. If not, escalate. USB-based attacks are rare but high impact.
PowerShell with `-EncodedCommand`	High	Decode and inspect the command. Check the parent process. Most legitimate admin scripts do not use encoded commands.
Anomalous outbound SMB traffic	Critical	SMB over the internet is almost never legitimate. Isolate the host and investigate immediately.

Prevention and Hardening — EDR Configuration Best Practices

Deployment-Level Controls

Control	Implementation
Agent coverage	100% of endpoints must have an active EDR agent. No exclusions without documented justification and SOC approval.
Agent health monitoring	Dashboard showing agent version, last check-in time, telemetry health. Alert on any host with check-in > 30 minutes stale.
Tamper protection	Enable tamper protection on all endpoints. Prevents users (even admins) from stopping the EDR service.
Real-time protection	Enable real-time scanning and behavior monitoring. Do not rely on scheduled scans only.
Cloud-delivered protection	Enable cloud-based ML and reputation lookups. Offline-only detection misses new variants.
Attack surface reduction (ASR) rules	Enable ASR rules (Windows Defender): block Office apps from creating child processes, block script execution, block persistence via WMI.
Network protection	Enable network protection to block outbound connections to known-bad IPs and domains at the endpoint level.

Rule-Level Controls

Best Practice	Why
Start with block mode for critical families (ransomware, credential dumping)	Fewer false positives than strict block mode on everything. Tune alert rules first, then switch to block.
Create custom detection rules for high-value assets	Domain controllers, certificate servers, file servers, SQL servers — each needs behavioral rules tailored to its normal baseline.
Use exclusions sparingly and always log them	Every exclusion is a blind spot. Document the business reason, approve via change control, and audit monthly.
Integrate EDR alerts with SIEM	EDR telemetry alone is insufficient. Correlating with email logs (`exchange`), DNS logs, and network flow data gives the full picture.
Enable automatic response for high-confidence alerts	For known ransomware patterns or LSASS access by unknown tools, auto-isolate the host. Speed matters — minutes can mean the difference between containment and encryption.

Analyst Workflow Integration

Practice	How
Daily EDR alert triage	Review all unacknowledged alerts within 2 hours. Document findings in the case management system.
Weekly threat hunting	Run 3-5 hunting queries weekly (process tree anomalies, logon anomalies, LoLBins execution). Document findings even if negative.
Monthly rule tuning	Review false positives and missed detections. Adjust detection rules. Retire rules that produce 100% noise.
Quarterly agent health review	Check agent versions, patch levels, and telemetry completeness. Update stale agents. Fill deployment gaps.

Indicators: IoC, IoA, and TTP — covers the indicators: ioc, ioa, and ttp concepts
Kill Chain — covers the kill chain concepts
Living-off-the-Land Binaries — how living-off-the-land binaries attacks work and how to detect them
Process Injection (T1055) — detection and response for T1055 techniques
XSS — detection and response for T1059.007 techniques