Loopus Labs
LOOPUSLABS
Loopus

Pro Content

This lesson requires Loopus Pro access. Upgrade to unlock all courses, labs, and challenges.

← Back to course
Endpoint SecurityEDR Fundamentals

EDR Detection Capabilities

30 min
theory
+40 XP

Learning Objectives

  • Investigate alerts using EDR platforms
  • Analyze process trees and behavior chains
  • Extract indicators from endpoint telemetry

EDR Alert Investigation

EDR platforms generate rich telemetry about endpoint activity. Effective investigation leverages this data to understand what happened, determine impact, and guide response.

Understanding EDR Alerts

EDR alerts trigger on suspicious behaviors rather than just signatures. A process spawning PowerShell is not inherently malicious, but Word spawning PowerShell downloading content might be.

Alerts include context: the process that triggered detection, its parent, command line arguments, network connections, file modifications, and registry changes. This context enables investigation without immediately pivoting to the endpoint.

Process Tree Analysis

Parent-child relationships reveal execution chains. Start from the alerting process and trace upward—what launched it? What launched that? Continue until you reach a user session or system process.

Suspicious patterns include:

  • Office applications spawning scripting engines

  • Services.exe or svchost.exe with unexpected children

  • cmd.exe or powershell.exe launched from unusual parents

  • Long chains of interpreters (cmd spawning PowerShell spawning wscript)


Behavioral Analysis

Beyond process relationships, examine behaviors:

Network connections - What did the process connect to? Extract destination IPs and domains. Check threat intelligence.

File operations - What files were created, modified, or deleted? Look for staging in temp directories, drops in startup locations, or modification of existing binaries.

Registry modifications - Persistence in Run keys, scheduled tasks, or services.

Credential access - LSASS access, SAM queries, or Kerberos ticket requests.

Timeline Reconstruction

EDR platforms often provide timeline views showing all activity on an endpoint over time. Use these to:

  • Identify when compromise began

  • Track attacker progression

  • Find additional malicious activity beyond the initial alert

  • Determine what data may have been accessed


Extracting Indicators

Investigation reveals IOCs for broader hunting:

  • File hashes from malware samples

  • Command line patterns for detection rules

  • Network indicators (IPs, domains, URLs)

  • Registry keys used for persistence


Document findings and share with detection engineering for improved coverage.

Answer the Questions0 / 4 completed

📚 KnowledgeQuestion 1

What EDR detection methods exist?

Format: *********(9 chars)
Exact match required
⌨️ Hands-OnQuestion 2

What maps behaviors to known attacks?

Format: *****(5 chars)
Exact match required
📚 KnowledgeQuestion 3

How do you tune EDR alerts?

Format: **********(10 chars)
Exact match required
⌨️ Hands-OnQuestion 4

What term describes allowed software?

Format: *********(9 chars)
Exact match required
Answer all questions correctly to unlock the next lesson
Previous
Answer all questions to continue