1 EDR-CHITECTURE

Virtually every adversary, whether a malicious actor or a member of a commercial red team, will at some point run into defensive products that jeopardize their operations. Of these, endpoint detection and response (EDR) poses the largest risk to the post-exploitation phase of an attack. Generally speaking, an EDR is an agent installed on a target's workstations and servers that collects data about activity on the host, called telemetry, and uses that telemetry to detect and respond to malicious behavior.

In this chapter, we discuss the components of EDRs, their methods of detecting malicious activity on a system, and their typical designs. ...
