1. Let's understand EDR like a blue team

So what am I dealing with? What am I trying to dodge?

1. EDR Architecture Overview

Windows EDR Components and Workflow

graph TD
    A[Windows Endpoint] -->|Agent Installed| B[EDR Sensor]
    B --> |Collects Logs| C[Telemetry & Event Data]
    C -->|Sends Data| D[Cloud/On-Prem EDR Server]
    D -->|Stores & Analyzes| E[Threat Intelligence & Detection Engine]
    E -->|Detects Suspicious Activity| F[Alerting & Response]
    F -->|Investigate & Mitigate| G[Security Team/SIEM]
    F -->|Automated Response| H[Quarantine, Kill Process, Isolate Host]

1.1 Explanation

| Component | Description |
|---|---|
| EDR Sensor (Agent) | Monitors process creation, file modifications, registry changes, and network connections on the endpoint, typically through a kernel driver (process, thread, image-load and handle callbacks, a file-system minifilter) plus userland API hooks and ETW consumers. |
| Telemetry Data | The enriched event stream (parent process, command line, user, hashes, signer) that captures detailed system behaviour for analysis. |
| EDR Server | Aggregates telemetry from all hosts and applies behaviour-based detection and cross-host correlation. |
| Threat Intelligence Engine | Matches telemetry against behavioural rules (commonly mapped to MITRE ATT&CK techniques), machine-learning models, and indicators of compromise (IoCs). |
| Response Actions | Alerts security teams and may trigger automated responses such as killing a process, quarantining a file, or isolating the host from the network. |

2. Windows EDR Monitoring Flow

EDR Monitoring Pipeline

sequenceDiagram
    participant User
    participant Windows OS
    participant EDR Agent
    participant EDR Server
    participant Security Team

    User->>Windows OS: Runs Process (e.g., PowerShell)
    Windows OS->>EDR Agent: Logs Execution
    EDR Agent->>EDR Server: Sends Logs & Telemetry Data
    EDR Server->>Security Team: Generates Alert if Suspicious
    Security Team->>EDR Server: Investigate & Trigger Response
    EDR Server->>EDR Agent: Take Action (Kill Process, Isolate Host)

2.1 Explanation

Every process start, file write, registry change and network connection is seen first by the OS (kernel callbacks, ETW providers) and then by the agent, which enriches it with context such as parent process, command line and user before streaming it to the server. Most detection logic runs server-side, where events from many hosts can be correlated, but the agent also enforces local prevention rules (blocking a known-bad hash or an lsass.exe handle open, for example) without waiting for the server. Response actions travel back down the same channel: the server instructs the agent to kill a process, quarantine a file or isolate the host. A sensor that loses connectivity keeps enforcing the last policy it received and caches telemetry until it reconnects, so cutting the network does not blind it.

3. Common Windows EDR Detection Techniques

EDR Detection Focus Areas

graph LR
    A[EDR Detection] --> B[Process Execution]
    A --> C[File System Changes]
    A --> D[Network Behavior]
    A --> E[Registry Modifications]
    A --> F[Credential Dumping]
    A --> G[Privilege Escalation]
    
    B -->|Example: Suspicious Parent-Child| B1[MS Word -> PowerShell]
    C -->|Example: Ransomware Behavior| C1[Mass File Encryption]
    D -->|Example: C2 Traffic| D1[Beaconing to External IP]
    E -->|Example: Persistence| E1[Run Key Modification]
    F -->|Example: LSASS Access| F1[Mimikatz Dumping]
    G -->|Example: Token Theft| G1[Process Injection]

3.1 Explanation

| Detection Area | Description |
|---|---|
| Process Execution | Tracks parent-child process chains and command lines for suspicious combinations (an Office application spawning PowerShell, a script host launched with encoded arguments). |
| File System Changes | Identifies ransomware behaviour (mass renames and encryption), malicious file creation, and modification of protected locations. |
| Network Behavior | Detects beaconing at regular intervals, unusual DNS queries, and other C2 communication, attributed to the process that made the connection rather than to the wire alone. |
| Registry Modifications | Flags persistence mechanisms such as Run/RunOnce keys, services and other autostart entries written by untrusted processes. |
| Credential Dumping | Watches for handle opens on lsass.exe with memory-read access and for the API calls used to dump it (MiniDumpWriteDump and similar). |
| Privilege Escalation | Monitors token theft and impersonation, UAC bypass, and process injection (remote thread creation, cross-process memory writes). |
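A worked detection pass over the areas in this table, added here as an example; it is not code from the original page and not any vendor's detection logic. Field names loosely follow Sysmon's event schema (an assumption), and every sample record, path and IP is constructed. It implements the four rules a practitioner writes first (Office-to-script-host parent-child, lsass.exe handle opens with VM_READ, Run key persistence into user-writable paths, beaconing by interval regularity) and shows the section 2 pipeline in miniature: telemetry in, alerts out.

```python
# Added example (not from the original page): a behaviour-based detection pass over
# Sysmon-style telemetry. Event shapes and every sample record are constructed here,
# loosely following Sysmon IDs 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess, 13 RegistryValueSet.
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

Alert = namedtuple("Alert", "rule host detail")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
PROCESS_VM_READ = 0x0010  # the access bit a credential dumper cannot do without
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def basename(path):
    return PureWindowsPath(path).name.lower()

def rule_parent_child(events):
    """Process Execution: Office parent spawning a script host or LOLBin (MS Word -> PowerShell)."""
    for e in events:
        if e["id"] == 1 and basename(e["parent_image"]) in OFFICE_PARENTS \
                and basename(e["image"]) in SCRIPT_HOSTS:
            yield Alert("suspicious_parent_child", e["host"],
                        f"{basename(e['parent_image'])} -> {basename(e['image'])}: {e['cmdline']}")

def rule_lsass_access(events):
    """Credential Dumping: a process outside the allow-list opens lsass.exe with VM_READ."""
    for e in events:
        if e["id"] == 10 and basename(e["target_image"]) == "lsass.exe" \
                and basename(e["source_image"]) not in LSASS_ALLOWLIST \
                and int(e["granted_access"], 16) & PROCESS_VM_READ:
            yield Alert("lsass_memory_read", e["host"],
                        f"{e['source_image']} GrantedAccess={e['granted_access']}")

def rule_run_key(events):
    """Registry Modifications: Run key pointing at a binary in a user-writable directory."""
    for e in events:
        if e["id"] == 13 and "\\currentversion\\run" in e["target_object"].lower() \
                and any(seg in e["details"].lower() for seg in USER_WRITABLE):
            yield Alert("run_key_persistence", e["host"],
                        f"{basename(e['image'])} set {e['target_object']} = {e['details']}")

def rule_beaconing(events, min_connections=6, max_cv=0.1):
    """Network Behavior: one process, one destination, near-constant interval between connections."""
    by_dest = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            key = (e["host"], basename(e["image"]), e["dest_ip"], e["dest_port"])
            by_dest[key].append(datetime.fromisoformat(e["ts"]))
    for (host, image, ip, port), times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:  # coefficient of variation
            yield Alert("beaconing", host,
                        f"{image} -> {ip}:{port} every ~{mean:.0f}s over {len(times)} connections")

RULES = (rule_parent_child, rule_lsass_access, rule_run_key, rule_beaconing)

def detect(events):
    return [alert for rule in RULES for alert in rule(events)]

def _connections(image, ip, start, gaps):
    """Constructed NetworkConnect events: first at `start`, then one per gap (seconds)."""
    t, out = datetime.fromisoformat(start), []
    for g in [0] + gaps:
        t += timedelta(seconds=g)
        out.append({"id": 3, "ts": t.isoformat(), "host": "WS01", "image": image,
                    "dest_ip": ip, "dest_port": 443})
    return out

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [  # constructed: a macro-driven intrusion on WS01 plus benign noise
    {"id": 1, "ts": "2024-05-01T09:00:05", "host": "WS01", "image": PS, "parent_image": WINWORD,
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 omitted>"},
    {"id": 10, "ts": "2024-05-01T09:00:30", "host": "WS01", "granted_access": "0x1010",
     "source_image": r"C:\Users\bob\AppData\Local\Temp\mimi.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "ts": "2024-05-01T09:00:31", "host": "WS01", "granted_access": "0x1FFFFF",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 13, "ts": "2024-05-01T09:00:40", "host": "WS01", "image": PS,
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"id": 13, "ts": "2024-05-01T09:00:41", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]
EVENTS += _connections(PS, "203.0.113.10", "2024-05-01T09:01:00", [60, 61, 59, 60, 62, 58, 60])
EVENTS += _connections(CHROME, "198.51.100.5", "2024-05-01T09:00:10", [2, 208, 385, 2, 1403])
```

Running `detect(EVENTS)` yields exactly four alerts, one per rule. The negatives matter as much as the positives: MsMpEng.exe opening lsass.exe with full access and msiexec.exe writing a Run key that points into System32 produce nothing, which is the allow-list and path logic doing its job. The beaconing rule scores the coefficient of variation of inter-connection gaps, so a few seconds of jitter on a 60 s sleep still trips it; an implant with 50% jitter (intervals spread uniformly over 30 to 90 s) has a coefficient near 0.3 and will not, and needs a longer window or a different feature such as byte-count regularity.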

4. Windows EDR Response Workflow

EDR Incident Response Flow

graph TD
    A[Threat Detection] -->|Alert Raised| B[EDR Logs Incident]
    B -->|Severity Analysis| C[Security Team Review]
    C --> D{Automated Response?}
    D -- Yes --> E[Quarantine Endpoint]
    D -- No --> F[Manual Investigation]
    E --> G[Kill Malicious Process]
    F --> H[Deep Analysis & Forensics]
    G --> I[Remediation Actions]
    H --> I
    I --> J[Update Threat Intelligence & EDR Rules]

5. Windows EDR Bypass Techniques

Common EDR Evasion Techniques

graph TB
    A[EDR Bypass] --> B[Living Off The Land Binaries --  LOLBins]
    A --> C[Process Injection]
    A --> D[Memory Unhooking]
    A --> E[ETW Tampering]
    A --> F[Sysmon Evasion]
    
    B -->|Example: certutil.exe| B1[Download Payload]
    C -->|Example: Process Hollowing| C1[Inject into Legit Process]
    D -->|Example: Unhook DLLs| D1[Restore clean ntdll.dll bytes over the EDR hooks]
    E -->|Example: Patch Event Tracing| E1[Patch EtwEventWrite to Disable ETW Logging]
    F -->|Example: Modify Sysmon Config| F1[Avoid Logging]

5.1 Explanation

Section 3.1 lists what the sensor looks for; this table lists what each bypass technique is trying to blind, and what it does not blind. Memory unhooking and ETW/AMSI patching are separate techniques: the first removes the sensor's inline hooks from ntdll.dll, the second silences telemetry or scanning APIs inside the current process.

| Bypass Technique | Example Evasion | Telemetry or Control It Targets | What Still Sees It |
|---|---|---|---|
| Living Off The Land Binaries (LOLBins) | certutil.exe used to download or decode a payload; renamed or encoded payloads | Download prevention and application allow-listing, because the binary is Microsoft-signed and already on disk | Command-line telemetry shows the unusual arguments; certutil.exe making outbound connections or writing an executable is itself anomalous |
| Process Injection | Process hollowing, shellcode injection into a legitimate process | Process Execution rules that key on image name or parent-child chain, since the code now runs under a trusted image | Cross-process handle opens, remote thread creation and unbacked executable memory (Sysmon ProcessAccess and CreateRemoteThread events, memory scans) |
| Memory Unhooking | Overwrite the sensor's inline hooks in ntdll.dll with the original bytes read from the on-disk copy | The sensor's userland API hooks, i.e. its in-process view of calls such as NtAllocateVirtualMemory and NtWriteVirtualMemory | Kernel callbacks, the minifilter and ETW providers are unaffected; mapping a second copy of ntdll.dll and changing protection on its code pages is observable |
| ETW Tampering | Patch EtwEventWrite (or AmsiScanBuffer for AMSI) in the current process, or disable providers | User-mode ETW telemetry and AMSI scanning of scripts and assemblies loaded by that process | Kernel-mode providers such as Microsoft-Windows-Threat-Intelligence and integrity checks on the patched functions |
| Sysmon Evasion | Modify the Sysmon configuration to exclude the attacker's processes, or unload the driver | Sysmon process, file, registry and network event logging | Sysmon logs its own configuration changes (Event ID 16) and service state changes (Event ID 4); both need administrative rights |
| Download Prevention Bypass | User-Agent spoofing, encryption or encoding of the payload, renaming payloads, HTTPS with trusted certificates | Proxy and browser download filtering that inspects URLs, content types or file extensions | Post-download execution still produces process, file and network telemetry on the endpoint |
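A byte-level model of the Memory Unhooking row, added here as an example rather than code from the original page: what an inline hook on an ntdll.dll syscall stub looks like, the diff-against-disk check a defender (or the sensor's own integrity scan) can run to spot it, and the restore step that "unhooking" performs. Everything is simulated in Python byte strings, so nothing touches a real process; the stub layout is the standard x64 Windows 10 one, while the syscall numbers and jump offsets are example values (they change between builds) and the export set is a constructed subset.

```python
# Added example (not from the original page): EDR inline hooks on ntdll.dll syscall stubs,
# hook detection by diffing the on-disk image against memory, and the unhooking restore step,
# all modelled on byte strings. Syscall numbers (SSNs) below are example values for one build.
import struct

def make_stub(ssn: int) -> bytes:
    """Clean x64 syscall stub: mov r10,rcx ; mov eax,ssn ; test byte ptr [7FFE0308h],1 ;
    jne +3 ; syscall ; ret ; int 2Eh ; ret  (the layout Windows 10 ships in ntdll.dll)."""
    return (b"\x4c\x8b\xd1" + b"\xb8" + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01" + b"\x75\x03" + b"\x0f\x05\xc3" + b"\xcd\x2e\xc3")

# "On-disk" copy of a few exports (constructed subset; SSNs are per-build example values).
CLEAN_NTDLL = {
    "NtAllocateVirtualMemory": make_stub(0x18),
    "NtProtectVirtualMemory": make_stub(0x50),
    "NtWriteVirtualMemory": make_stub(0x3A),
    "NtOpenProcess": make_stub(0x26),
}

def install_hook(stub: bytes, rel32: int) -> bytes:
    """What a userland EDR hook looks like: the first 5 bytes become `jmp rel32` into the sensor DLL."""
    return b"\xe9" + struct.pack("<i", rel32) + stub[5:]

# "In-memory" copy after the sensor DLL loaded: two exports now start with a jmp (offsets are made up).
LIVE_NTDLL = dict(CLEAN_NTDLL)
LIVE_NTDLL["NtAllocateVirtualMemory"] = install_hook(CLEAN_NTDLL["NtAllocateVirtualMemory"], 0x01234567)
LIVE_NTDLL["NtWriteVirtualMemory"] = install_hook(CLEAN_NTDLL["NtWriteVirtualMemory"], -0x0089ABCD)

def find_hooks(clean: dict, live: dict) -> dict:
    """Hook detection: diff disk against memory and classify the patch found at the entry point."""
    hooked = {}
    for name, disk in clean.items():
        mem = live[name]
        if mem == disk:
            continue
        if mem[0] == 0xE9:
            kind = "jmp rel32"
        elif mem[:2] == b"\xff\x25":
            kind = "jmp [rip+disp32]"
        elif mem[0] == 0x68 and mem[5] == 0xC3:
            kind = "push/ret"
        else:
            kind = "unknown patch"
        hooked[name] = kind
    return hooked

def syscall_number(stub: bytes) -> int:
    """Read the SSN out of a clean stub. A hooked stub has lost `mov r10,rcx ; mov eax,...`,
    which is why direct-syscall tooling reads the number from the on-disk copy, not from memory."""
    if stub[:4] != b"\x4c\x8b\xd1\xb8":
        raise ValueError("stub is hooked or is not a syscall stub")
    return struct.unpack_from("<I", stub, 4)[0]

def unhook(clean: dict, live: dict) -> tuple:
    """The unhooking step: copy the clean bytes over every export whose memory differs from disk.
    Returns (restored mapping, sorted names that were restored)."""
    restored = dict(live)
    names = sorted(name for name in clean if live[name] != clean[name])
    for name in names:
        restored[name] = clean[name]
    return restored, names
```

`find_hooks(CLEAN_NTDLL, LIVE_NTDLL)` reports the two jmp-patched exports, and after `unhook` the same check reports nothing. The same comparison is the defender's detection of the technique run in reverse: a sensor that periodically re-diffs its own hooks notices when they vanish, and on a real system the restore requires mapping a fresh copy of ntdll.dll and making its code pages writable, both of which the kernel-side callbacks still record.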