Tristan Bui · Research · 6 min read
DIY Evaluation: Assessing Endpoint Detection and Response (EDR) Products for Your Security Needs
In today’s rapidly evolving threat landscape, organizations face the daunting challenge of protecting their endpoints against sophisticated cyberattacks. Endpoint Detection and Response (EDR) solutions have emerged as a critical line of defense, providing enhanced threat detection, real-time monitoring, and rapid incident response capabilities. Finding the best EDR solution for your company is never a simple task. With so many viable products available, it can be difficult to sort through them and choose the one that best meets your organization’s needs.
In this article, we introduce some key considerations and methodologies for evaluating the effectiveness of EDR solutions, so that you can make an informed decision when choosing a new product or improving the configuration of the one you already have.
Beyond Independent Third-party Research
First, consider the popular sources of product research and review such as Gartner and Forrester. These industry studies give a broader grasp of the products based on criteria such as product characteristics, strategy, market presence, and customer feedback, and they analyze vendor capabilities and strengths. They should not be the sole basis for your decision, however, because they lack technical benchmarking and hands-on evaluation.
One of the more trusted EDR resources is MITRE Engenuity ATT&CK Evaluations (Evals), which applies a systematic methodology to capture how a solution detects or protects against known adversary behavior as defined by the ATT&CK knowledge base. Keep its limits in mind, though: the evaluations do not measure false positives, and MITRE does not score or rank the participants, so you have to interpret the raw results yourself.
Filling the Gap with Adversary Emulation
In addition to third-party research, organizations can use adversary emulation, run by a red team or by the security team itself, as a complementary way to determine the most effective Endpoint Detection and Response (EDR) solution for them. We can employ advanced attack techniques and evasion strategies to test the effectiveness of security controls, including intrusion detection systems, endpoint protection solutions, and incident response procedures. By reproducing real attacker behavior, we can assess how well the defenses detect, alert on, and respond to malicious activity. This process helps identify blind spots and the areas where improvement is needed.
If you are already familiar with red team tools like Cobalt Strike or Empire, good news: you can go ahead and plan your engagement with them. In this post, however, we focus on the open-source tool Atomic Red Team from Red Canary.
Atomic Red Team is an open-source library of tests that security teams can use to validate detection logic, generate telemetry, or otherwise emulate adversaries’ techniques (all of which are mapped to MITRE ATT&CK). With it we can easily replicate, test, measure, and tailor individual techniques, which gives a better understanding of adversaries’ TTPs, how they are actually used in the wild, and what really happens under the hood at every stage of an attack.
Source: MITRE Engenuity
Test case: T1003.001 - OS Credential Dumping: LSASS Memory
We conducted atomic testing in our lab environment.
- Windows 10 22H1 with Microsoft Defender for Endpoint (MDE) onboarded
- Installed Atomic Red Team
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and then used for Lateral Movement via Use Alternate Authentication Material (T1550). Because opening LSASS requires SeDebugPrivilege, the test below has to run from an elevated session.
LSASS contains valuable authentication data such as:
- encrypted passwords
- NT hashes
- LM hashes
- Kerberos tickets
Atomic Test T1003.001-3 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This test uses Outflank’s Dumpert, which relies on direct system calls and API unhooking in an effort to evade user-mode hooks placed by security products. Upon successful execution, you should see the following file created: C:\windows\temp\dumpert.dmp
Figure: Run Atomic Test
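The run above was driven from the Atomic Red Team execution framework. The script below is an added example (not from the original post or from Red Canary) of the same loop we used for every test: show the test, fetch its prerequisites, run it, and record whether the dump file appeared, so the outcome can be compared across configurations. It assumes Invoke-AtomicRedTeam is installed in its default location (C:\AtomicRedTeam) and that the session is elevated on the test VM.

```powershell
# Added example: drive Atomic Test T1003.001-3 with Invoke-AtomicRedTeam and
# record the outcome. Assumes the default C:\AtomicRedTeam install path.
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

$technique    = 'T1003.001'
$testNumber   = 3
$expectedDump = 'C:\Windows\Temp\dumpert.dmp'

# Show what the test will execute before running anything.
Invoke-AtomicTest $technique -TestNumbers $testNumber -ShowDetails

# Fetch the prerequisite (the Dumpert binary) and confirm it is in place.
# If Defender AV quarantines the download, this step is the first "detection".
Invoke-AtomicTest $technique -TestNumbers $testNumber -GetPrereqs
Invoke-AtomicTest $technique -TestNumbers $testNumber -CheckPrereqs

# Remove any stale dump so the result reflects this run only.
Remove-Item $expectedDump -Force -ErrorAction SilentlyContinue

$started = Get-Date
Invoke-AtomicTest $technique -TestNumbers $testNumber

# Dump present  = technique succeeded (detect-only, or not seen at all).
# Dump absent   = something prevented it (ASR rule, LSA protection, AV).
$result = [pscustomobject]@{
    Technique  = "$technique-$testNumber"
    DumpExists = Test-Path $expectedDump
    DumpSizeMB = if (Test-Path $expectedDump) {
                     [math]::Round((Get-Item $expectedDump).Length / 1MB, 1)
                 } else { 0 }
    RunAt      = $started
}
$result | Format-List

# Local view of Defender AV detections raised during the run; the alert in the
# MDE portal typically shows up a few minutes later.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $started } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources

# Remove the artifact when done.
Invoke-AtomicTest $technique -TestNumbers $testNumber -Cleanup
```

Keep the three outcomes apart when you record results: "dump exists and nothing fired", "dump exists but an alert was raised" and "dump never appeared" tell you very different things about a product, and only the last one is prevention.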
Detection
Without any additional hardening, MDE detects the suspicious access to the LSASS process: Defender Antivirus flags the tool and the EDR sensor raises an alert for the LSASS memory read, but the dump itself still completes.
Figure: Detected by AV and EDR
Figure: Alert on MDE Portal
Prevention
To stop threat actors from dumping LSASS memory in the first place, rather than only detecting it, we can harden devices further with the following methods.
Enable ‘Local Security Authority (LSA) protection’
Since Windows 8.1, Windows can run LSASS as a protected process light (PPL), which stops unsigned or untrusted processes from opening it to read its memory or inject code. On new enterprise-joined devices running Windows 11 22H2, this protection is enabled by default.
To turn it on, set the RunAsPPL value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 1 and reboot. On Secure Boot systems a value of 1 also persists the setting in a UEFI variable, so it cannot simply be reverted from the registry; Windows 11 22H2 and later additionally accept 2 to enable the protection without the UEFI lock. You can confirm the current setting with:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
Credential Guard
Microsoft Defender Credential Guard uses virtualization-based security (VBS) to isolate secrets such as NTLM password hashes and Kerberos ticket-granting tickets, so that even code running as SYSTEM in the normal OS cannot read them; this blocks pass-the-hash and pass-the-ticket attacks that rely on material stolen from LSASS. It was introduced with Windows 10 Enterprise and Windows Server 2016 and requires VBS-capable hardware (UEFI firmware, Secure Boot, and CPU virtualization extensions).
When Credential Guard is active, the LSA process communicates with a new component called the isolated LSA (LSAIso), which is protected by virtualization-based security and isn’t accessible to the rest of the operating system. A dump of lsass.exe on such a machine therefore no longer contains the protected secrets.
Credential Guard can be enabled through Group Policy, Microsoft Intune, or the registry.
For example, we can enable it manually with Group Policy by navigating to the path below, opening Turn On Virtualization Based Security, setting it to Enabled, and setting Credential Guard Configuration to Enabled with or without UEFI lock.
Computer Configuration/Administrative Templates/System/Device Guard
Enable ASR
Attack Surface Reduction (ASR) rules are available on Windows 10 and later and on Windows Server 2012 R2, 2016, 2019 and later; they only take effect when Microsoft Defender Antivirus is the primary AV and real-time protection is on. The rule Block credential stealing from the Windows local security authority subsystem blocks untrusted processes from having direct access to LSASS memory (lsass.exe).
We can enable the rule with Intune or PowerShell using its GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. Note that Set-MpPreference replaces the whole ASR rule list; on a host that already enforces other rules, use Add-MpPreference with the same parameters to append this one instead.
## block mode
Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
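Before and after applying the three hardening measures above, it is worth checking each one from the endpoint itself rather than trusting the policy that was pushed. The script below is an added example (not from the original post or from Microsoft) that reports the state of LSA protection, Credential Guard and the LSASS ASR rule on the local machine, and enables the ASR rule without clobbering rules that are already configured. It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus as the primary AV; the rule GUID is the documented one, and the Wininit event used to confirm that LSASS actually started as PPL (System log, Event ID 12) is taken from Microsoft’s LSA protection documentation.

```powershell
# Added example: audit the three LSASS hardening controls discussed above and
# enable the ASR rule safely. Assumes an elevated session with Defender AV active.
$AsrLsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassHardeningState {
    # 1. LSA protection: RunAsPPL 1 = on with UEFI lock, 2 = on without UEFI lock
    #    (Windows 11 22H2+), missing/0 = off. The registry alone only says "requested".
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # Confirm lsass.exe was actually started as a protected process after the
    # reboot: System log, provider Microsoft-Windows-Wininit, Event ID 12.
    $pplEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # 2. Credential Guard: service id 1 in SecurityServicesRunning means the
    #    isolated LSA is really running, not merely configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # 3. ASR rule: _Ids and _Actions are parallel arrays.
    #    Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $mp = Get-MpPreference
    $asrAction = 'NotConfigured'
    if ($mp.AttackSurfaceReductionRules_Ids) {
        $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $idx = [array]::IndexOf($ids, $AsrLsassRuleId)
        if ($idx -ge 0) {
            $asrAction = switch ([int]$mp.AttackSurfaceReductionRules_Actions[$idx]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
            }
        }
    }

    [pscustomobject]@{
        RunAsPPL               = $runAsPpl
        LsassRunningAsPPL      = [bool]$pplEvent
        CredentialGuardConfig  = $cgConfigured
        CredentialGuardRunning = $cgRunning
        AsrLsassRuleAction     = $asrAction
        DefenderRealtimeOn     = -not $mp.DisableRealtimeMonitoring
        TamperProtection       = (Get-MpComputerStatus).IsTamperProtected
    }
}

function Enable-LsassAsrBlock {
    # Add-MpPreference appends to the rule list; Set-MpPreference would replace
    # it and silently drop every other ASR rule already enforced on the host.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrLsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Get-LsassHardeningState | Format-List
```

The distinction between "configured" and "running" matters for both LSA protection and Credential Guard: a RunAsPPL value with no Wininit event, or a Credential Guard entry in SecurityServicesConfigured but not in SecurityServicesRunning, usually means the machine has not rebooted or the hardware prerequisites are missing, and the dump test will still succeed.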
Result
With the ASR rule in block mode, neither the Dumpert test nor Task Manager’s Create dump file option could dump LSASS in our lab.
Figure: Dump LSASS memory using Task Manager
Back to the Atomic Test: it now fails to execute, and no dumpert.dmp is written.
Figure: Running Atomic Test failing
The block is also logged locally in Event Viewer, under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational, as Event ID 1121 (Event ID 1122 when the rule runs in audit mode).
Figure: Blocked rule in Event Viewer
Finally, we can query ASR events from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender portal; the LSASS rule reports ActionType AsrLsassCredentialTheftBlocked (or AsrLsassCredentialTheftAudited in audit mode).
Figure: Query to view all events which are blocked by ASR rule
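When validating the rule across many hosts, or on a machine that is not yet onboarded to MDE, the same block and audit events can be pulled from the local Defender operational log. The function below is an added example (not from the original post or from Microsoft): it reads Event IDs 1121 and 1122, flattens each event’s EventData into a record, and keeps only the entries for the LSASS rule. It assumes Microsoft’s documented log name and event IDs and that the rule GUID is carried in the EventData field named ID.

```powershell
# Added example: collect the LSASS ASR rule's block (1121) and audit (1122)
# events from the local Defender operational log. Assumes the EventData field
# that carries the rule GUID is named 'ID', as in Microsoft's event schema.
$AsrLsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassAsrEvents {
    param(
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty set.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $outcome = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        $fields  = [ordered]@{ TimeCreated = $e.TimeCreated; Outcome = $outcome }

        # Flatten the <Data Name="..."> elements so the record is readable and
        # exportable without depending on the message template.
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }

        # All ASR rules share these event IDs; keep only the LSASS rule.
        if ($fields['ID'] -and $fields['ID'].ToLower() -eq $AsrLsassRuleId) {
            [pscustomobject]$fields
        }
    }
}

# Last two days of LSASS rule activity on this host.
Get-LsassAsrEvents -Hours 48 | Format-List
```

Running the rule in audit mode for a few days and reviewing the 1122 events this way is the usual way to find legitimate software (some backup agents, older VPN clients and security tools) that reads LSASS, before switching the rule to block and adding exclusions for what you have verified.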
Each method on its own raises the bar against LSASS dumping, but we encourage combining them, together with tamper protection so that an attacker who gains administrator rights cannot simply switch them off, to build a layered defense. That gives proactive prevention on the endpoint alongside the real-time detection the EDR product provides against credential theft.
Conclusion
We hope this article has given you some ideas for assessing the capabilities and efficacy of your endpoint security products in real-world scenarios. We also walked through some observations on Microsoft Defender for Endpoint made by using Atomic Red Team techniques.
In closing, the evaluation should not be limited to technical aspects alone. Engaging with vendor support and considering the long-term viability and roadmap of the product are equally important. Endpoint Detection and Response (EDR) solutions are integral components of a comprehensive security strategy, but they should be combined with preventive measures for maximum effectiveness. Together they create a resilient security posture, protecting critical assets and enabling effective detection of and response to sophisticated attacks.
Reference
- https://github.com/redcanaryco/atomic-red-team/
- https://attackevals.mitre-engenuity.org/
- https://github.com/outflanknl/Dumpert
- https://www.crowdstrike.com/blog/how-to-test-endpoint-security-with-red-teaming/
- https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works