EDR & XDR#
Reference of Endpoint Detection & Response (EDR) and eXtended Detection & Response (XDR) products. Covers detection scope, agent telemetry, MITRE Engenuity ATT&CK Evaluations standing, and the major technical features (eBPF, ETW, Sysmon-equivalent, kernel telemetry).
For SIEM ingest, see SIEM & SOAR. For ATT&CK mapping, see MITRE ATT&CK. For forensic add-ons, see Digital Forensics.
Major EDR / XDR vendors#
Vendor |
Notes |
|---|---|
CrowdStrike Falcon |
Lightweight agent; eBPF on Linux; ETW on Windows; LogScale (was Humio) for log search; Falcon NG-SIEM; XDR. |
SentinelOne Singularity |
Agent-based AI prevention + behavioral; Singularity Data Lake; Purple AI; Storyline visualization. |
Microsoft Defender for Endpoint |
Windows-native + Linux + macOS + Android + iOS; ETW + AMSI; deep Defender XDR (Sentinel + 365 + Cloud + Identity). |
Palo Alto Cortex XDR |
XSIAM = next-gen SIEM + XDR; Traps-derived agent. |
Trend Vision One |
Trend Micro XDR; Apex One agent; cloud + workload. |
Trellix XDR |
McAfee + FireEye merged; legacy enterprise. |
Sophos Intercept X |
Synchronised Security; CryptoGuard. |
Bitdefender GravityZ one |
Endpoint + XDR; popular EU. |
ESET Inspect |
PROTECT XDR; EU. |
Kaspersky EDR |
KATA + EDR; Russian-origin (banned in many gov environments). |
Symantec / Broadcom |
SES Complete; legacy. |
F-Secure / WithSecure |
Elements EDR. |
Webroot |
OpenText Cyber. |
Cybereason |
Behavioral analytics; cyber-AI focus. |
VMware Carbon Black |
Cb Defense / Response; bought by VMware then divested. |
Tanium |
Linear-chain visibility + endpoint mgmt. |
Elastic Security |
Elastic Endpoint (LimaCharlie SDK lineage). |
LimaCharlie |
“EDR-as-API”; build-your-own. |
Velociraptor |
OSS DFIR + endpoint visibility (Mike Cohen). |
Wazuh |
OSS HIDS. |
osquery |
OSS endpoint instrumentation (SQL). |
Fleet |
osquery-as-a-service. |
Kolide |
Slack-based osquery. |
Uptycs |
osquery-based XDR. |
Telemetry layers#
Source |
Notes |
|---|---|
Windows ETW |
Event Tracing for Windows; richest Windows telemetry; agents subscribe to Microsoft-Windows-Threat-Intelligence, -Kernel-Process, -Sysmon, etc. |
Sysmon |
Microsoft Sysinternals; free + powerful; community config SwiftOnSecurity / Olaf Hartong. |
AMSI |
Antimalware Scan Interface; PowerShell + JScript inline scanning. |
WMI / WinRM |
Lateral telemetry. |
Windows Event Log |
Security / System / Application; PowerShell logging via ScriptBlock. |
Linux eBPF |
cilium / tetragon / falco / pixie; the modern endpoint sensor. |
Linux auditd |
syscall auditing. |
Linux ELF + ptrace |
Tracing. |
macOS Endpoint Securi |
ty Framework Apple’s EDR API; replaces kext. |
macOS unified logs |
Apple system log. |
iOS / Android MDM |
Limited EDR; mostly MDM-based posture. |
Cloud audit logs |
AWS CloudTrail, GCP Audit, Azure Activity, K8s audit. |
Cloud workload |
Falco, Tetragon, AWS GuardDuty, Defender for Cloud. |
Container |
CRI events, image registry pulls. |
ATT&CK Evaluations#
MITRE Engenuity runs annual round-robin evaluations of EDR products against simulated adversary scenarios (APT3, APT29, Carbanak/FIN7, Wizard Spider/Sandworm, Turla, ENTERPRISE, 2024 round = DPRK + CL0P). Reports cover detection (Telemetry / General / Tactic / Technique / Analytic) and protection (blocked at execution).
Vendors that consistently top: CrowdStrike, SentinelOne, Microsoft Defender, Palo Alto Cortex, Trend Vision One, Cybereason, Bitdefender, Elastic Security.
Common detection signals#
Signal |
Examples |
|---|---|
Process create |
suspicious child of MS Office (T1566), LOLBin chains (rundll32.exe → Internet, mshta → script). |
File write |
ransomware-like patterns (mass renames, .encrypted ext). |
Registry |
autorun keys (Run, RunOnce), svchost services. |
Network |
C2 to known TI; beaconing; long-lived encrypted streams. |
Auth |
Kerberoasting, LSASS access, NTDS.dit dump (DCSync). |
Inj. / hollowing |
reflective DLL, process hollowing, doppelgänging. |
Cred theft |
mimikatz-class (LSASS access, secretsdump). |
Persistence |
scheduled tasks, services, WMI subscriptions, BITS. |
Lateral |
psexec / wmiexec / smbexec / WinRM / RDP. |
Defence evasion |
AMSI bypass (UD-AmsiContext, CLR hooks). |
Bypass / EDR-evasion (red team)#
Technique |
Notes |
|---|---|
Direct syscalls |
SysWhispers / GetSyscallStub / InlineWhispers; bypass user-mode hooks. |
Indirect syscalls |
Hell’s Gate / Halo’s Gate / Tartarus’ Gate. |
ETW patching |
Patch ntdll!EtwEventWrite to silence telemetry. |
AMSI bypass |
patch AmsiScanBuffer; InvokeAtomicTest. |
PPL bypass |
Mimikatz !! + PPLDump / PPLBlade / PPLFault. |
DLL unhooking |
restore .text section to disk image of ntdll / kernel32. |
Process injection |
kernel callouts, NtMapViewOfSection, APC, KernelCallbackTable, EarlyCascade injection. |
Module stomping |
hijack signed DLL. |
Sleep mask |
Ekko / FOLIAGE / Hellsgate sleep obfuscation. |
BYOVD |
bring-your-own-vulnerable-driver (RTCore64, ZemanaAntiMalware). |
Living-off-the-Land |
PowerShell, certutil, bitsadmin, schtasks; LOLBAS. |
HVNC |
alternate desktop hidden VNC. |
Operator notes#
Tamper protection, enable; otherwise admin-on-host trivially disables the agent.
Sysmon + good config + WEC + SIEM is a credible free-tier replacement for many EDRs in resource-poor environments.
eBPF on Linux has displaced kernel-module sensors; Falco / Tetragon / Pixie / Sysdig are the references.
Mac coverage is uneven; Endpoint Security Framework is good but limits exist.
Mobile EDR is essentially MDM + Defender for Endpoint Mobile; iOS visibility is intentionally limited by Apple.
Threat hunting > prevention, assume compromise; routinely hunt for unattributed activity.
Don’t disable native Windows logging, ETW + Security Event Log + PowerShell ScriptBlock + AMSI are still the highest-fidelity sources.
EDR sprawl, many orgs have 2-3 agents on the same endpoint (Defender + CrowdStrike + DLP); kernel-mode conflicts cause crashes (CrowdStrike July 2024 incident).
Egress for telemetry, agents need outbound to vendor cloud; air-gapped environments need on-prem appliances.