Shuffle / python-apps

Apps to be used for Shuffle automation

Home Page: https://shuffler.io

Create EDR & AV apps

frikky opened this issue · comments

Apps in this category will typically be related to Endpoint Protection or Antivirus. This means that in most cases they have an agent on each server which reaches out to some endpoint where the alerts are stored. They may also just run locally (AV).

Antivirus: It's in the name. The point is to stop malicious software of any kind from running on your computer. This was typically based on banning of hashes and very specific rules, but the ones we use today are further extended by AI, meaning we don't always know exactly why something happened. These generically create alerts somewhere that we can pick up.

Most used: Windows Defender. This can send alerts to SCCM or https://protection.office.com

Endpoint Protection (EDR/XDR):
It's kind of in the name. "Endpoint" means any kind of machine you have, whether it's a Linux server, a Windows 10 laptop or a phone. These systems are typically built to handle millions of events by having the machines transfer a lot of the information to some cloud provider, which then processes the data and performs some action. The data sent can be network connections, processes, changed files, registry updates, and literally everything else that changes on a machine (what's sent differs by provider). This data in turn means you have a list of hostnames, an alert/ticketing system, a search mechanism, a way to interact with the host in real time and much more. The hard thing about EDR is that you can do almost anything.

Common features:

  • Ticketing system (list/create/edit alert)
  • Search
  • Find hostname
  • Ban hash/ip/url/domain
  • Isolate host
  • Execute script on host
  • Create rule

EDR & AV apps:

  • VMware Carbon Black
  • GoSecure
  • Cylance
  • InfoCyte
  • Wazuh
  • Windows Defender
  • F-Secure
  • SCCM (can we connect?)
  • Windows Defender ATP
  • Kaspersky
  • McAfee Endpoint Security
  • Apex One
  • CrowdStrike Falcon
  • Malwarebytes
  • FortiClient
  • FireEye HX
  • Symantec Endpoint Protection
  • Proofpoint TAP
  • Carbon Black protection
  • Carbon Black Defense
  • Velociraptor
  • Qualys EDR
  • SentinelOne
  • Harmony Endpoint
  • Sophos Intercept
  • Cybereason
  • Cynet Breach Protection
  • Cytomic Platform
  • Trend Micro XDR
  • Hybrid Analysis
  • Palo Alto Networks

Will have a PR for Velociraptor in soon.
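The "common features" listed in the issue (find hostname, ban hash/ip/url/domain, isolate host, create alert) are the same across vendors, but every vendor exposes them through different endpoints, and most of them will happily accept a malformed indicator and silently do nothing. The block below is an added example, not code from the Shuffle project or any of the vendors listed: it shows a vendor-neutral action layer of the kind an EDR app needs, with indicator classification and host lookup done before anything is sent. `FakeEdrApi`, its inventory (`WS-0042`, `SRV-DB01`), and the method names on it are constructed stand-ins for a real vendor client; `classify_ioc` and `EdrActions` are the parts worth reusing.

```python
"""Added example (not Shuffle's code): vendor-neutral EDR actions with input validation.
FakeEdrApi is a constructed stand-in for a real vendor SDK."""
import ipaddress
import re
from urllib.parse import urlparse

# Hash types are told apart by hex length; vendors usually have one
# blocklist endpoint per type, so the kind must be known before the call.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)(?:[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")


def classify_ioc(value):
    """Return (kind, normalised_value) for a hash, IP, URL or domain.
    Raises ValueError for anything else so junk never reaches the vendor API."""
    v = value.strip()
    if len(v) in HASH_TYPES and _HEX.match(v):
        return HASH_TYPES[len(v)], v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return "url", v
        raise ValueError(f"unsupported URL scheme or missing host: {value!r}")
    bare = v.rstrip(".").lower()          # tolerate a trailing FQDN dot
    if _DOMAIN.match(bare):
        return "domain", bare
    raise ValueError(f"unrecognised indicator: {value!r}")


class FakeEdrApi:
    """Constructed stand-in for a vendor REST client; records calls in memory."""

    def __init__(self):
        # Constructed inventory: hostname -> last known IP.
        self.hosts = {"WS-0042": "10.0.5.17", "SRV-DB01": "10.0.9.3"}
        self.blocklist = {}
        self.isolated = set()
        self.alerts = []

    def add_to_blocklist(self, kind, value, reason):
        self.blocklist.setdefault(kind, set()).add(value)
        return {"kind": kind, "value": value, "reason": reason}

    def isolate(self, hostname):
        self.isolated.add(hostname)
        return {"hostname": hostname, "isolated": True}

    def create_alert(self, title, severity, details):
        alert = {"id": len(self.alerts) + 1, "title": title,
                 "severity": severity, "details": details}
        self.alerts.append(alert)
        return alert


class EdrActions:
    """The common actions from the issue, written against the client above."""

    def __init__(self, api):
        self.api = api

    def find_host(self, query):
        """Resolve a hostname or IP from inventory; None if unknown."""
        q = query.strip()
        for hostname, ip in self.api.hosts.items():
            if q.lower() == hostname.lower() or q == ip:
                return {"hostname": hostname, "ip": ip}
        return None

    def ban_indicator(self, value, reason="shuffle-automation"):
        kind, normalised = classify_ioc(value)      # raises on junk input
        return self.api.add_to_blocklist(kind, normalised, reason)

    def isolate_host(self, query):
        """Isolate by hostname or IP; idempotent, and refuses unknown hosts."""
        host = self.find_host(query)
        if host is None:
            raise LookupError(f"host not in EDR inventory: {query!r}")
        if host["hostname"] in self.api.isolated:
            return {"hostname": host["hostname"], "isolated": True, "already": True}
        result = self.api.isolate(host["hostname"])
        result["already"] = False
        return result

    def create_alert(self, title, severity, details):
        if severity not in ("low", "medium", "high", "critical"):
            raise ValueError(f"bad severity {severity!r}")
        return self.api.create_alert(title, severity, details)


def demo():
    """Run a short sequence against the fake client and return it for inspection."""
    actions = EdrActions(FakeEdrApi())
    actions.ban_indicator("D41D8CD98F00B204E9800998ECF8427E")
    actions.ban_indicator("https://evil.example/payload.exe")
    actions.isolate_host("10.0.9.3")
    return actions


if __name__ == "__main__":
    a = demo()
    print(a.api.blocklist, a.api.isolated)
```

Resolving a host through inventory before isolating it matters in a playbook: an isolate call issued for a hostname the EDR does not know is, on several products, a 200 with no effect, and the workflow will report success. Failing loudly with `LookupError` here is what lets a Shuffle branch handle that case instead of assuming containment happened.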