Part 2 - Endpoint Detection and Response in Threat Hunting

Part II

EDR in SOC for


Threat Hunting

By Asif Khan, Sr. Cyber/Digital Forensics Expert, https://www.linkedin.com/in/asif-khan-b5379a126/
Index

1. Introduction
2. Core Capabilities of EDR
3. Technical Workflow for Threat Hunting with EDR
4. Deep Dive into EDR Features
5. EDR in Action: Threat Hunting Scenarios
6. Technical Examples of EDR in Threat Hunting
• Fileless Malware Detection
o Detecting Encoded PowerShell Scripts
o Process Termination and Endpoint Isolation
• Suspicious Network Connections
o Identifying Non-Standard Ports
o Blocking Malicious Traffic
• Ransomware Detection
o Monitoring File Modifications
o Termination of Encryption Processes
• Lateral Movement Detection
o Identifying PsExec and WMI Usage
o Blocking Unauthorized Remote Execution
• Credential Dumping Detection
o Monitoring Access to lsass.exe
o Blocking Memory Dump Attempts
• Persistence Mechanisms
o Detecting New Scheduled Tasks or Autorun Entries
o Disabling Unauthorized Persistence Mechanisms
• Abnormal User Behavior
o Monitoring Odd Hour Logins
o Locking Suspicious User Accounts
• DLL Injection Detection
o Monitoring Unusual DLLs in System Processes
o Unloading Malicious DLLs
• Detecting Data Exfiltration
o Monitoring High-Volume Uploads
o Blocking Non-Corporate Domains
• Insider Threat Monitoring
o Tracking Unauthorized File Access
o Investigating Suspicious User Behavior
7. Challenges in EDR for Threat Hunting
8. Conclusion
Endpoint Detection and Response (EDR) in SOC for Threat Hunting: Technical Insights
Introduction
Endpoint Detection and Response (EDR) is a cornerstone of modern Security Operations Centers
(SOC), enabling active threat hunting and incident response. By providing detailed endpoint
telemetry and advanced analytics, EDR empowers threat hunters and SOC analysts to detect,
investigate, and respond to advanced persistent threats (APTs) and other sophisticated attacks.

Core Capabilities of EDR for Threat Hunting


1. Continuous Endpoint Monitoring
o EDR solutions collect and analyze data from endpoints in real time.
o Key telemetry includes:
▪ Process creation and termination events
▪ File modifications and access
▪ Registry changes (Windows)
▪ Network connections and DNS queries
▪ User login and privilege escalation events
2. Behavioral Analytics
o Uses machine learning (ML) and behavioral analysis to detect anomalies.
o Identifies tactics, techniques, and procedures (TTPs) aligned with frameworks
like MITRE ATT&CK.
3. Threat Intelligence Integration
o Correlates endpoint activity with threat intelligence feeds.
o Automates the detection of Indicators of Compromise (IOCs), such as:
▪ Malicious hashes
▪ Known C2 (Command and Control) IPs/domains
▪ Suspicious binaries or scripts
4. Automated and Manual Threat Hunting
o Threat hunters can query telemetry with the query language their EDR platform exposes or its
SIEM integration provides (e.g., Splunk SPL, Elastic query syntax, or vendor-specific syntax).
o Supports hypothesis-driven investigations based on observed patterns or emerging
threat trends.
5. Response and Remediation
o EDR facilitates rapid response through:
▪ Quarantine of affected endpoints
▪ Termination of malicious processes
▪ Deletion of suspicious files
▪ Policy enforcement to block specific behaviors

Technical Workflow for Threat Hunting Using EDR


1. Data Collection
o Telemetry Capture: Raw data is continuously ingested from endpoints.
o Agent-Based Architecture: Lightweight agents installed on endpoints send data
to a centralized EDR platform.
2. Proactive Querying
o Custom Queries: example for a process execution anomaly (SQL-style query):
    SELECT * FROM processes WHERE parent_process_name = 'powershell.exe'
    AND command_line LIKE '%base64%'
o IOC Sweeping: Match endpoint activity against threat intelligence.
3. Detection Use Cases
o Process Injection Detection:
▪ Monitor suspicious processes like explorer.exe spawning unexpected
processes.
o Lateral Movement Indicators:
▪ Look for tools like PsExec, WMI, or RDP connections.
o Persistence Mechanisms:
▪ Monitor for autorun registry changes or new scheduled tasks.
4. Anomaly Analysis
o Analyze:
▪ Rare or new process executions
▪ Fileless malware indicators (e.g., PowerShell scripts run from memory)
▪ Suspicious outbound network traffic to known C2 servers.
5. Correlation and Enrichment
o Leverage integrations with SIEM tools for:
▪ Timeline correlation across network, endpoint, and cloud events.
▪ Contextual enrichment (user details, device information).
6. Incident Response
o EDR-triggered playbooks automate response:
▪ Alert escalation to SOC.
▪ Isolation of compromised endpoints.
▪ Artifact collection (memory dumps, forensic snapshots).

Deep Dive into Key EDR Features


1. Fileless Attack Detection
• Example: Tracking PowerShell scripts using Script Block Logging.
o Commands to enable Script Block Logging from an elevated PowerShell session (Set-ExecutionPolicy
only controls which scripts are allowed to run and does not enable any logging):
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force
o EDR detects suspicious script execution:
▪ Known offensive tooling or obfuscated script content (e.g., Invoke-Mimikatz)
▪ Encoded payloads (powershell.exe -EncodedCommand).
2. Advanced Threat Hunting Queries
• Suspicious Process Trees (SQL):
    SELECT * FROM processes
    WHERE parent_process_name IN ('cmd.exe', 'powershell.exe')
    AND command_line LIKE '%/c%'
• Credential Dumping (SQL):
    SELECT * FROM memory_access_events
    WHERE accessed_process_name = 'lsass.exe'
• Abnormal Network Connections (SQL):
    SELECT * FROM network_connections
    WHERE destination_port = 4444 OR protocol = 'HTTP/2'
3. Integration with Threat Frameworks
• Mapping activities to MITRE ATT&CK:
o T1566: Phishing detection by monitoring email-related processes.
o T1059: Script-based attacks via PowerShell, Bash.
o T1218: System binary misuse (rundll32.exe or regsvr32.exe).

EDR in Action: Threat Hunting Scenarios


1. Scenario: Detecting Ransomware
• Indicator: Rapid file modifications with specific extensions (e.g., .encrypted).
• EDR Actions:
o Monitor high entropy file writes.
o Trigger alerts for processes writing to user directories rapidly.
• Threat Hunting Query (SQL):
    SELECT process_name, file_path, entropy
    FROM file_events
    WHERE file_extension = '.encrypted'

2. Scenario: Lateral Movement Detection


• Indicator: Use of wmic.exe or psexec.exe.
• EDR Actions:
o Capture network traffic and correlate it with user behavior analytics.
• Query Example (SQL):
    SELECT * FROM processes
    WHERE command_line LIKE '%psexec%' OR command_line LIKE '%wmi%'
3. Scenario: Insider Threat Monitoring
• Indicator: Access to sensitive files outside working hours.
• EDR Actions:
o Cross-reference endpoint activity with DLP solutions.
o Detect data exfiltration attempts using unsanctioned applications (e.g., Dropbox, FTP).

Challenges in EDR Threat Hunting


1. High Volume of Data:
o Requires effective filtering and aggregation to avoid alert fatigue.
2. False Positives:
o Fine-tuning behavioral baselines and whitelisting known processes.
3. Sophisticated Threats:
o Advanced evasion techniques like process hollowing and DLL injection can bypass weak EDR
configurations.

Technical Examples of EDR in Threat Hunting


Here are real-world scenarios and queries using EDR tools for proactive threat hunting. These
examples leverage endpoint telemetry to detect potential threats and support investigation.

1. Fileless Malware Detection


Scenario: Detect PowerShell-based fileless malware execution.
Technical Example:
• Indicator: Processes invoking PowerShell with suspicious commands, such as encoded scripts.
• Hunting Query (SQL):
    SELECT * FROM processes
    WHERE process_name = 'powershell.exe'
    AND command_line LIKE '%-EncodedCommand%'
• Detection Outcome:
o Flags processes with encoded or obfuscated scripts.
o Example: powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=
EDR Response:
• Kill the powershell.exe process.
• Isolate the endpoint for further analysis.
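The query above only matches the literal -EncodedCommand switch and leaves the analyst with a base64 blob. The following is an added example, not part of the original document: it runs the same hunt over constructed process telemetry (field names borrowed from the page's processes table), also matches the abbreviated switch forms PowerShell accepts (-e, -ec, -enc), and decodes the payload as UTF-16LE the way PowerShell does, falling back to UTF-8 for plain-base64 samples such as the one above.

```python
import base64

SAMPLE_PROCESSES = [  # constructed telemetry, modelled on the page's processes table
    {"process_name": "powershell.exe",
     "command_line": "powershell.exe -EncodedCommand aGVsbG8gd29ybGQ="},
    {"process_name": "powershell.exe",  # abbreviated switch, real UTF-16LE payload
     "command_line": "powershell.exe -NoP -W Hidden -enc "
                     + base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()},
    {"process_name": "powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"},
]

def encoded_payload(command_line):
    """Return the base64 argument of -EncodedCommand, or None. powershell.exe also
    accepts -e, -ec and unambiguous prefixes such as -enc, so a plain
    LIKE '%-EncodedCommand%' filter misses those variants."""
    tokens = command_line.split()
    for switch, value in zip(tokens, tokens[1:]):
        name = switch[1:].lower() if switch.startswith("-") else ""
        if name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name)):
            return value
    return None

def decode_payload(b64):
    """PowerShell encodes the script as UTF-16LE; fall back to UTF-8 so that
    plain-base64 samples like the page's aGVsbG8gd29ybGQ= still read as text."""
    raw = base64.b64decode(b64, validate=True)
    try:
        text = raw.decode("utf-16-le")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    except UnicodeDecodeError:
        pass
    return raw.decode("utf-8", errors="replace")

def hunt_encoded_powershell(events):
    """Return (command_line, decoded_script) for every powershell.exe event carrying
    an encoded command, so the analyst reviews the script rather than the blob."""
    hits = []
    for ev in events:
        b64 = encoded_payload(ev["command_line"])
        if ev["process_name"].lower() != "powershell.exe" or b64 is None:
            continue
        try:
            hits.append((ev["command_line"], decode_payload(b64)))
        except ValueError:  # malformed base64 is itself worth a look
            hits.append((ev["command_line"], b64))
    return hits
```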

2. Suspicious Network Connections


Scenario: Detect command-and-control (C2) communication attempts.
Technical Example:
• Indicator: Outbound connections to uncommon ports or suspicious IPs.
• Hunting Query (SQL):
    SELECT * FROM network_connections
    WHERE destination_port NOT IN (80, 443)
    AND destination_ip NOT LIKE '192.168.%'
• Detection Outcome:
o Identifies connections to remote IPs on non-standard ports such as 4444 (commonly used by
reverse shells).
EDR Response:
• Block outbound traffic to the flagged IP.
• Trigger automated alerts in SIEM.
3. Ransomware Detection
Scenario: Detect high-entropy file modifications indicative of ransomware encryption.
Technical Example:
• Indicator: Sudden changes in file extensions across user directories.
• Hunting Query (SQL):
    SELECT process_name, file_name, entropy
    FROM file_events
    WHERE entropy > 7.5
    AND file_extension IN ('.encrypted', '.locked')
• Detection Outcome:
o Flags processes encrypting files at scale.
o Example: process_name = ransomware.exe, file_name = document.docx.encrypted
EDR Response:
• Terminate the offending process.
• Restore encrypted files from snapshots (if available).
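The query relies on an entropy column without showing how it is computed or why 7.5 is the cut-off. This added example (not part of the original document) computes Shannon entropy per write over constructed file_events, applies the page's 7.5 threshold and extension list, and adds the "rapid modification" condition from the scenario as a sliding-window burst check; the window and burst size are assumed values to tune per estate.

```python
import math
import random
from collections import Counter, defaultdict

SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked"}
ENTROPY_THRESHOLD = 7.5    # threshold used in the page's query
BURST_WINDOW_SECONDS = 60  # assumed: how fast "rapid" modification is
BURST_THRESHOLD = 20       # assumed: high-entropy writes per window before alerting

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; ciphertext sits near 8, documents well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def hunt_ransomware(file_events):
    """file_events: dicts with process_name, file_path, timestamp (epoch s), content.
    Flags a process that writes BURST_THRESHOLD high-entropy files with a ransomware
    extension inside BURST_WINDOW_SECONDS; the burst check stops a single encrypted
    archive from raising an alert on its own."""
    writes = defaultdict(list)
    for ev in file_events:
        if (extension(ev["file_path"]) in SUSPICIOUS_EXTENSIONS
                and shannon_entropy(ev["content"]) > ENTROPY_THRESHOLD):
            writes[ev["process_name"]].append(ev["timestamp"])
    flagged = []
    for proc, times in writes.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW_SECONDS:
                flagged.append(proc)
                break
    return sorted(flagged)

rng = random.Random(2024)  # seeded so the constructed sample is reproducible
SAMPLE_FILE_EVENTS = (
    [{"process_name": "ransomware.exe", "timestamp": 1_700_000_000 + i // 2,
      "file_path": f"C:\\Users\\jdoe\\Documents\\report{i}.docx.encrypted",
      "content": rng.randbytes(2048)} for i in range(30)]        # 30 writes in 15 s
    + [{"process_name": "archiver.exe", "timestamp": 1_700_000_000 + i * 300,
        "file_path": f"C:\\Users\\jdoe\\Documents\\vault{i}.locked",
        "content": rng.randbytes(2048)} for i in range(5)]        # 5 writes in 25 min
    + [{"process_name": "winword.exe", "timestamp": 1_700_000_003,
        "file_path": "C:\\Users\\jdoe\\Documents\\report.docx",
        "content": b"Quarterly revenue summary, FY2024.\n" * 40}]   # low entropy
)
```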

4. Lateral Movement Detection


Scenario: Detect usage of remote execution tools like PsExec or WMI.
Technical Example:
• Indicator: Processes leveraging PsExec or WMI for remote execution.
• Hunting Query (SQL):
    SELECT * FROM processes
    WHERE process_name IN ('psexec.exe', 'wmic.exe')
    AND parent_process_name NOT IN ('services.exe', 'wininit.exe')
• Detection Outcome:
o Flags unauthorized use of psexec.exe.
o Example: user = "john_doe", host = 192.168.1.50
EDR Response:
• Quarantine affected endpoints.
• Investigate account activity to validate legitimacy.

5. Credential Dumping Detection


Scenario: Detect credential dumping attempts targeting lsass.exe.
Technical Example:
• Indicator: Memory access to lsass.exe by suspicious processes.
• Hunting Query (SQL):
    SELECT * FROM memory_access_events
    WHERE accessed_process_name = 'lsass.exe'
    AND accessing_process_name NOT IN ('taskmgr.exe', 'procdump.exe')
• Detection Outcome:
o Flags tools like Mimikatz.
o Example: accessing_process_name = mimikatz.exe
EDR Response:
• Block the process and alert the SOC team.
• Capture forensic memory dump for deeper analysis.

6. Persistence Mechanisms
Scenario: Detect creation of new scheduled tasks or autorun entries.
Technical Example:
• Indicator: New scheduled tasks added by unauthorized users.
• Hunting Query (SQL):
    SELECT * FROM scheduled_tasks
    WHERE task_author NOT IN ('SYSTEM', 'Administrator')
    AND task_name NOT LIKE 'Microsoft%'
• Detection Outcome:
o Flags unauthorized tasks (e.g., task_name = 'malicious_update').
o Example: Command to persist malware: schtasks /create /tn MaliciousTask /tr backdoor.exe /sc onlogon
EDR Response:
• Disable the suspicious task.
• Audit user activity to identify potential insider threats.

7. Abnormal User Behavior


Scenario: Detect abnormal login patterns, such as logins outside business hours.
Technical Example:
• Indicator: User activity on endpoints during odd hours.
• Hunting Query (SQL):
    SELECT user_name, login_time
    FROM user_login_events
    WHERE login_time NOT BETWEEN '09:00:00' AND '18:00:00'
• Detection Outcome:
o Flags suspicious logins.
o Example: user_name = "finance_admin", login_time = "02:34:00"
EDR Response:
• Lock the account until the activity is validated.
• Investigate logs for potential compromise.
8. DLL Injection Detection
Scenario: Detect malicious DLL injection into legitimate processes.
Technical Example:
• Indicator: Unusual DLLs loaded into critical system processes.
• Hunting Query (SQL):
    SELECT * FROM loaded_modules
    WHERE process_name = 'explorer.exe'
    AND module_path NOT LIKE 'C:\Windows\%'
• Detection Outcome:
o Flags injected DLLs (e.g., module_path = C:\Temp\malicious.dll).
EDR Response:
• Unload the malicious DLL.
• Investigate the source of the DLL to identify the initial attack vector.

9. Detecting Data Exfiltration


Scenario: Monitor for unauthorized use of cloud storage services like Dropbox or FTP.
Technical Example:
• Indicator: High-volume uploads to non-corporate domains.
• Hunting Query (SQL):
    SELECT * FROM network_connections
    WHERE protocol = 'HTTPS'
    AND destination_domain NOT LIKE '%.company.com'
    AND bytes_sent > 1000000
• Detection Outcome:
o Flags data exfiltration attempts.
o Example: destination_domain = dropboxusercontent.com
EDR Response:
• Block the endpoint’s network access.
• Investigate uploaded data for sensitivity.
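The per-connection bytes_sent filter above misses an upload that is split into many small requests, which is how cloud storage clients and browsers normally chunk large files. This added example (not part of the original document) keeps the page's protocol, domain suffix and 1,000,000-byte threshold but sums bytes per (host, destination_domain) over a sliding window; the one-hour window and the sample network_connections rows are assumptions.

```python
from collections import defaultdict

CORPORATE_SUFFIX = ".company.com"    # from the page's query
UPLOAD_THRESHOLD_BYTES = 1_000_000   # from the page's query
WINDOW_SECONDS = 3600                # assumed aggregation window

def is_corporate(domain):
    d = domain.lower().rstrip(".")
    return d == CORPORATE_SUFFIX[1:] or d.endswith(CORPORATE_SUFFIX)

def hunt_bulk_uploads(connections):
    """connections: dicts with host, destination_domain, protocol, bytes_sent and
    timestamp (epoch seconds). Sums outbound bytes per (host, domain) over a sliding
    window, so an upload split into many small HTTPS requests is still caught;
    returns {(host, domain): peak_bytes_in_window} for pairs over the threshold."""
    transfers = defaultdict(list)
    for c in connections:
        if c["protocol"] != "HTTPS" or is_corporate(c["destination_domain"]):
            continue
        key = (c["host"], c["destination_domain"].lower())
        transfers[key].append((c["timestamp"], c["bytes_sent"]))
    flagged = {}
    for key, xfers in transfers.items():
        xfers.sort()
        start, total = 0, 0
        for ts, size in xfers:
            total += size
            while ts - xfers[start][0] > WINDOW_SECONDS:  # drop transfers that aged out
                total -= xfers[start][1]
                start += 1
            if total > UPLOAD_THRESHOLD_BYTES:
                flagged[key] = max(flagged.get(key, 0), total)
    return flagged

# Constructed network_connections telemetry (no real hosts or sessions).
SAMPLE_CONNECTIONS = (
    [{"host": "WS-042", "destination_domain": "dropboxusercontent.com",
      "protocol": "HTTPS", "bytes_sent": 50_000, "timestamp": 1_700_000_000 + i * 30}
     for i in range(40)]                     # 40 x 50 KB chunks: 2 MB in 20 minutes
    + [{"host": "WS-007", "destination_domain": "files.company.com",
        "protocol": "HTTPS", "bytes_sent": 5_000_000, "timestamp": 1_700_000_000}]
    + [{"host": "WS-013", "destination_domain": "cdn.example.org",
        "protocol": "HTTPS", "bytes_sent": 300_000, "timestamp": 1_700_000_000}]
)
```

No single chunk from WS-042 exceeds the threshold, so the page's query returns nothing for it, while the windowed sum reaches 2,000,000 bytes.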

10. Insider Threat Example


Scenario: Track employees accessing critical files outside their job roles.
Technical Example:
• Indicator: File access by unauthorized users.
• Hunting Query (SQL):
    SELECT user_name, file_path, access_time
    FROM file_access_events
    WHERE file_path LIKE 'C:\Finance\%'
    AND user_name NOT IN ('finance_admin', 'accountant')
• Detection Outcome:
o Flags unauthorized access.
o Example: user_name = "temp_user", file_path = "C:\Finance\Payroll.xlsx"
EDR Response:
• Suspend the user account.
• Trigger an alert to HR and the SOC.

Conclusion
These technical examples demonstrate how EDR facilitates proactive threat hunting by providing
granular endpoint telemetry, flexible querying capabilities, and automated responses. Threat
hunters and SOC analysts must regularly update detection logic to counter evolving threats
effectively.
