EDR & XDR#

Reference of Endpoint Detection & Response (EDR) and eXtended Detection & Response (XDR) products. Covers detection scope, agent telemetry, MITRE Engenuity ATT&CK Evaluations standing, and the major technical features (eBPF, ETW, Sysmon-equivalent, kernel telemetry).

For SIEM ingest, see SIEM & SOAR. For ATT&CK mapping, see MITRE ATT&CK. For forensic add-ons, see Digital Forensics.

Major EDR / XDR vendors#

Vendor

Notes

CrowdStrike Falcon

Lightweight agent; eBPF on Linux; ETW on Windows; LogScale (was Humio) for log search; Falcon NG-SIEM; XDR.

SentinelOne Singularity

Agent-based AI prevention + behavioral; Singularity Data Lake; Purple AI; Storyline visualization.

Microsoft Defender for Endpoint

Windows-native + Linux + macOS + Android + iOS; ETW + AMSI; deep Defender XDR (Sentinel + 365 + Cloud + Identity).

Palo Alto Cortex XDR

XSIAM = next-gen SIEM + XDR; Traps-derived agent.

Trend Vision One

Trend Micro XDR; Apex One agent; cloud + workload.

Trellix XDR

McAfee + FireEye merged; legacy enterprise.

Sophos Intercept X

Synchronised Security; CryptoGuard.

Bitdefender GravityZ one

Endpoint + XDR; popular EU.

ESET Inspect

PROTECT XDR; EU.

Kaspersky EDR

KATA + EDR; Russian-origin (banned in many gov environments).

Symantec / Broadcom

SES Complete; legacy.

F-Secure / WithSecure

Elements EDR.

Webroot

OpenText Cyber.

Cybereason

Behavioral analytics; cyber-AI focus.

VMware Carbon Black

Cb Defense / Response; bought by VMware then divested.

Tanium

Linear-chain visibility + endpoint mgmt.

Elastic Security

Elastic Endpoint (LimaCharlie SDK lineage).

LimaCharlie

“EDR-as-API”; build-your-own.

Velociraptor

OSS DFIR + endpoint visibility (Mike Cohen).

Wazuh

OSS HIDS.

osquery

OSS endpoint instrumentation (SQL).

Fleet

osquery-as-a-service.

Kolide

Slack-based osquery.

Uptycs

osquery-based XDR.

Telemetry layers#

Source

Notes

Windows ETW

Event Tracing for Windows; richest Windows telemetry; agents subscribe to Microsoft-Windows-Threat-Intelligence, -Kernel-Process, -Sysmon, etc.

Sysmon

Microsoft Sysinternals; free + powerful; community config SwiftOnSecurity / Olaf Hartong.

AMSI

Antimalware Scan Interface; PowerShell + JScript inline scanning.

WMI / WinRM

Lateral telemetry.

Windows Event Log

Security / System / Application; PowerShell logging via ScriptBlock.

Linux eBPF

cilium / tetragon / falco / pixie; the modern endpoint sensor.

Linux auditd

syscall auditing.

Linux ELF + ptrace

Tracing.

macOS Endpoint Securi

ty Framework Apple’s EDR API; replaces kext.

macOS unified logs

Apple system log.

iOS / Android MDM

Limited EDR; mostly MDM-based posture.

Cloud audit logs

AWS CloudTrail, GCP Audit, Azure Activity, K8s audit.

Cloud workload

Falco, Tetragon, AWS GuardDuty, Defender for Cloud.

Container

CRI events, image registry pulls.

ATT&CK Evaluations#

MITRE Engenuity runs annual round-robin evaluations of EDR products against simulated adversary scenarios (APT3, APT29, Carbanak/FIN7, Wizard Spider/Sandworm, Turla, ENTERPRISE, 2024 round = DPRK + CL0P). Reports cover detection (Telemetry / General / Tactic / Technique / Analytic) and protection (blocked at execution).

Vendors that consistently top: CrowdStrike, SentinelOne, Microsoft Defender, Palo Alto Cortex, Trend Vision One, Cybereason, Bitdefender, Elastic Security.

Common detection signals#

Signal

Examples

Process create

suspicious child of MS Office (T1566), LOLBin chains (rundll32.exe → Internet, mshta → script).

File write

ransomware-like patterns (mass renames, .encrypted ext).

Registry

autorun keys (Run, RunOnce), svchost services.

Network

C2 to known TI; beaconing; long-lived encrypted streams.

Auth

Kerberoasting, LSASS access, NTDS.dit dump (DCSync).

Inj. / hollowing

reflective DLL, process hollowing, doppelgänging.

Cred theft

mimikatz-class (LSASS access, secretsdump).

Persistence

scheduled tasks, services, WMI subscriptions, BITS.

Lateral

psexec / wmiexec / smbexec / WinRM / RDP.

Defence evasion

AMSI bypass (UD-AmsiContext, CLR hooks).

Bypass / EDR-evasion (red team)#

Technique

Notes

Direct syscalls

SysWhispers / GetSyscallStub / InlineWhispers; bypass user-mode hooks.

Indirect syscalls

Hell’s Gate / Halo’s Gate / Tartarus’ Gate.

ETW patching

Patch ntdll!EtwEventWrite to silence telemetry.

AMSI bypass

patch AmsiScanBuffer; InvokeAtomicTest.

PPL bypass

Mimikatz !! + PPLDump / PPLBlade / PPLFault.

DLL unhooking

restore .text section to disk image of ntdll / kernel32.

Process injection

kernel callouts, NtMapViewOfSection, APC, KernelCallbackTable, EarlyCascade injection.

Module stomping

hijack signed DLL.

Sleep mask

Ekko / FOLIAGE / Hellsgate sleep obfuscation.

BYOVD

bring-your-own-vulnerable-driver (RTCore64, ZemanaAntiMalware).

Living-off-the-Land

PowerShell, certutil, bitsadmin, schtasks; LOLBAS.

HVNC

alternate desktop hidden VNC.

Operator notes#

  • Tamper protection, enable; otherwise admin-on-host trivially disables the agent.

  • Sysmon + good config + WEC + SIEM is a credible free-tier replacement for many EDRs in resource-poor environments.

  • eBPF on Linux has displaced kernel-module sensors; Falco / Tetragon / Pixie / Sysdig are the references.

  • Mac coverage is uneven; Endpoint Security Framework is good but limits exist.

  • Mobile EDR is essentially MDM + Defender for Endpoint Mobile; iOS visibility is intentionally limited by Apple.

  • Threat hunting > prevention, assume compromise; routinely hunt for unattributed activity.

  • Don’t disable native Windows logging, ETW + Security Event Log + PowerShell ScriptBlock + AMSI are still the highest-fidelity sources.

  • EDR sprawl, many orgs have 2-3 agents on the same endpoint (Defender + CrowdStrike + DLP); kernel-mode conflicts cause crashes (CrowdStrike July 2024 incident).

  • Egress for telemetry, agents need outbound to vendor cloud; air-gapped environments need on-prem appliances.

References#