CYBERSECURITY JOB HUNTING GUIDE
Building EDR knowledge
Author: Stefan Waldvogel
If you want a blue-team role in cybersecurity, you need knowledge of several tools, and one of those topics is EDR.
EDR (Endpoint Detection and Response) monitors an endpoint and can detect suspicious system behavior. An endpoint can be a PC, a laptop, or something else, such as a mobile device.
Usually, it consists of an agent/client on the endpoint and a server application. Most larger companies have an EDR running.
Hands-on
Just reading about it does not help you; you need hands-on experience. I give you two ways to learn it hands-on. Follow this guide, and you will set up a LimaCharlie EDR, or learn it with John Strand (SOC Core Skills). Ideally, you do both.
The home lab path
Take John Strand's pay-as-you-can courses, download the ADHD VM, and learn how to use the following two EDR tools:
- Bluespawn (free, open-source)
- Velociraptor (free and free training is available)
The cloud-based path with LimaCharlie
For this chapter, I use a less well-known cloud-based EDR/XDR solution called LimaCharlie (https://www.limacharlie.io/) because it offers two free sensors, and companies use this EDR/XDR in the real world. I picked this EDR because my target company uses a modified version of it.
The start
Create an account at https://app.limacharlie.io/signup and set up an organization. With the free version, you can set up two organizations, and each of them has two free sensors. Creating an organization is simple:
Choose a data center in your area, provide a name, and click on "Create Organization":
Creating an organization takes a bit of time, and afterwards you see this:
If you click on your organization, you can access all possible commands and tools.
The first thing I want to do is to install a sensor on a Windows machine so that I can interact with it. First, we need a key, because LimaCharlie needs to encrypt the data and know the connection details. For this task, we click "Install Sensors" and then "Create Installation Key".
The key looks like this:
Later, we need the Sensor Key value.
Now we have a key, and we need to install the sensor on the target machine. I picked John Strand's ADHD VM because I can attack my victim later, and I do not need a separate Kali Linux. You can choose your machine or a different VM.
In my case, I use PowerShell to download the client, but you can use the GUI, too. The PowerShell command for 64-bit Windows is:
powershell.exe Invoke-WebRequest "https://app.limacharlie.io/get/windows/64" -Outfile "C:\installer.exe"
If you get an access error, run PowerShell as administrator.
We downloaded the client and can run it with:
installer.exe -i YOUR_INSTALLATION_KEY
Hint: this is not a PowerShell command. Use a terminal/command prompt with administrator rights.
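The two steps above (download, then install with the key) as one script. This is an added example, not part of the original guide or of LimaCharlie's own tooling; it uses the download URL and the -i flag shown above, assumes the Sensor Key is stored in an environment variable named LC_INSTALL_KEY (a name chosen for this example), and assumes the vendor Authenticode-signs the installer, which it checks before running a downloaded binary as administrator.

```powershell
# Added example (not from the guide): download the LimaCharlie Windows sensor and
# install it, with an elevation check and a signature check in between.
$ErrorActionPreference = 'Stop'

# The guide notes that writing to C:\ and installing the sensor need administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell.'
}

# Read the Sensor Key from an environment variable instead of hardcoding it in the script.
# LC_INSTALL_KEY is an assumed name for this example.
$key = $env:LC_INSTALL_KEY
if ([string]::IsNullOrWhiteSpace($key)) {
    throw 'Set $env:LC_INSTALL_KEY to the Sensor Key value from the LimaCharlie console.'
}

# Same download as in the guide; -UseBasicParsing avoids the IE engine on fresh VMs.
$installer = 'C:\installer.exe'
Invoke-WebRequest -Uri 'https://app.limacharlie.io/get/windows/64' -OutFile $installer -UseBasicParsing

# Refuse to run a downloaded binary as administrator unless its Authenticode signature is valid.
# Assumption: the installer is signed; if it is not, this stops here by design.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not running it."
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Same install call as in the guide: installer.exe -i YOUR_INSTALLATION_KEY
& $installer -i $key
if ($LASTEXITCODE -ne 0) {
    throw "Installer exited with code $LASTEXITCODE"
}
Write-Host 'Sensor installed; check the "Sensor" area in the LimaCharlie console.'
```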
Sometimes you see minor errors, but here everything worked. You can control the sensor in the "Sensor" area.
The "Sensor" tab shows all sensors. The kernel check takes a while, which is why you see the red symbol at first. More important is the area on the right, where you can use "Live View", "Explore" and "Isolate."
"Live View" gives you remote access to the machine. I encourage you to play with some options.
Just for fun, let us talk about "Processes." The main process is System with PID 4. If you see another process named System with a different PID, you know something is wrong.
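The PID 4 rule above as a check you can run on the endpoint (or paste into a Live View console). This is an added example, not from the guide; the function takes process objects as input so it can also be tried against a constructed sample, and the sample entry with PID 5128 is made up for the demonstration.

```powershell
# Added example (not from the guide): flag processes that carry the name "System"
# but are not the kernel process, which on Windows always has PID 4.
function Find-SuspiciousSystemProcess {
    param(
        # Get-Process output, or constructed objects with ProcessName, Id and Path
        [Parameter(Mandatory)] [object[]] $Processes
    )
    $Processes |
        Where-Object { $_.ProcessName -eq 'System' -and $_.Id -ne 4 } |
        ForEach-Object {
            [pscustomobject]@{
                Id     = $_.Id
                Name   = $_.ProcessName
                Path   = $_.Path        # the real System process has no image path
                Reason = 'Process named System with a PID other than 4'
            }
        }
}

# Constructed sample: one genuine System entry and one impostor (made up for this example).
$sample = @(
    [pscustomobject]@{ ProcessName = 'System'; Id = 4;    Path = $null }
    [pscustomobject]@{ ProcessName = 'System'; Id = 5128; Path = 'C:\Users\Public\System.exe' }
)
'Sample run (should report only PID 5128):'
Find-SuspiciousSystemProcess -Processes $sample | Format-Table -AutoSize

# Live run against the endpoint this is executed on.
$hits = Find-SuspiciousSystemProcess -Processes (Get-Process)
if ($hits) {
    'Suspicious System processes on this host:'
    $hits | Format-Table -AutoSize
} else {
    'Only the kernel System process (PID 4) was found.'
}
```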
The orange Wi-Fi icon indicates a network connection, and sometimes you have to dig deeper into it. Later we attack the machine, and we will see some suspicious activities.
The "Explore" button gives us a deeper insight into processes, and it is helpful if you want to understand the bigger picture. Sometimes you know a particular process is malicious, and you want to see more details. The nice thing about this view is that it shows history.
What is our status, or what can we do right now?
At the moment, we have access to the machine, and we can send commands, watch processes, files, and much more. We have advanced remote access, but one thing is missing.
We can see malicious behavior, and if we know what to look for, we can try to understand what an attacker is doing. An EDR is much more than that, but we do not have the "intelligence" installed yet.
We do this in EDR part 2.
© 2021. This work is licensed under a CC BY-SA 4.0 license