Lifting the veil, a look at MDE under the hood

Companies often put a high level of trust on their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out of the box capabilities and what can be gained from the telemetry that they produce in terms of custom detections.

My research extensively focused on one of the most popular EDR’s, Microsoft Defender for Endpoint in order to find out it’s strong and weaker points. I’ve also put it head to head against a free telemetry solution, Sysmon in a search for the most optimal implementation that is still manageable for an organization in order to have the best defensive capabilities. I wanted to understand how these tools work, where they get their telemetry and most importantly, are there gaps I should be aware of. This deeper understanding allows you to utilize both at their maximum capacity or at least be aware of the areas to implement additional coverage or mitigations.

I’ve looked into various aspects of both tools from how they operate in depth, what bypass possibilities are there and what don’t they tell you in the marketing or documentation.

Companies often put a high level of trust on their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out of the box capabilities and what can be gained from the telemetry that they produce in terms of custom detections.

My research extensively focused on one of the most popular EDR’s, Microsoft Defender for Endpoint in order to find out it’s strong and weaker points. I’ve also put it head to head against a free telemetry solution, Sysmon in a search for the most optimal implementation that is still manageable for an organization in order to have the best defensive capabilities. I wanted to understand how these tools work, where they get their telemetry and most importantly, are there gaps I should be aware of. This deeper understanding allows you to utilize both at their maximum capacity or at least be aware of the areas to implement additional coverage or mitigations.

I’ve looked into various aspects of both tools from how they operate in depth, what bypass possibilities are there and what don’t they tell you in the marketing or documentation.