In 2010, Antivirus was King. It worked by signature matching: "Does this file look like the 'I Love You' virus?" Today, that technology is obsolete. Hackers write polymorphic malware that changes its signature every time it runs. Enter EDR (Endpoint Detection and Response), which watches what the file does, not what it looks like.

The Flight Recorder

Think of EDR as a Black Box for your laptop. It records every process creation, every file modification, and every network connection. Even if the malware deletes itself, the EDR log remains.

1. How EDR Works: API Hooking

To watch behavior, EDR must inject itself into the Operating System. It does this via User-land Hooking and Kernel Callbacks.

1.1. User-land Hooking (DLL Injection)

When you double-click `malware.exe`, the OS loads `ntdll.dll` (the bridge to the kernel).
The EDR injects its OWN DLL (e.g., `edr.dll`) into the process memory. It overwrites the first few instructions of critical functions like `NtWriteVirtualMemory` with a `JMP` (Jump) instruction to the EDR's code.

// Normal Flow
NtWriteVirtualMemory -> Syscall -> Kernel

// EDR Hooked Flow
NtWriteVirtualMemory -> JMP to EDR.dll -> Check for Malice -> Return to Original Function

If the EDR sees you trying to write memory into `lsass.exe` (a technique used to steal passwords), it blocks the call and kills the process.

1.2. Kernel Callbacks

User-land hooks can be bypassed (see Section 3). So EDRs also sit in the Kernel (Ring 0). They register callbacks using Microsoft's officially supported APIs.

2. XDR: The Bigger Picture

EDR is focused on the Endpoint (Laptop/Server).
XDR (Extended Detection and Response) connects the dots between those endpoint alerts and the alerts raised by other sensors (email gateway, firewall, identity provider and so on).

Scenario:
1. User receives a phishing email (detected by Email Gateway).
2. User clicks link to malicious IP (detected by Firewall).
3. Laptop downloads file (detected by EDR).
XDR correlates these 3 separate low-severity alerts into 1 High-Severity Incident: "Phishing Campaign Successful".
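A minimal version of that correlation, written here as an added example in Python (it is not code from the article or from any XDR product): alerts from the three sensors are grouped per user and matched, in order, against the attack chain inside a time window; the alert field names, the 15-minute window and the sample alerts are all assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed low-severity alerts from three separate sensors (sample data, not real telemetry).
ALERTS = [
    {"source": "email_gateway", "user": "alice", "host": None,
     "time": "2024-05-01T09:00:00", "type": "phishing_email", "severity": "low"},
    {"source": "firewall", "user": "alice", "host": "LAPTOP-01",
     "time": "2024-05-01T09:02:10", "type": "malicious_ip_connection", "severity": "low"},
    {"source": "edr", "user": "alice", "host": "LAPTOP-01",
     "time": "2024-05-01T09:02:45", "type": "suspicious_download", "severity": "low"},
    # A lone firewall hit for another user: no chain, so no incident.
    {"source": "firewall", "user": "bob", "host": "LAPTOP-07",
     "time": "2024-05-01T11:30:00", "type": "malicious_ip_connection", "severity": "low"},
]

# The chain from the scenario, in the order the stages must occur (assumed rule definition).
CHAIN = ["phishing_email", "malicious_ip_connection", "suspicious_download"]
WINDOW = timedelta(minutes=15)  # assumed: all stages must fall inside this window


def correlate(alerts, chain=CHAIN, window=WINDOW):
    """Group alerts by user and promote an in-order, in-window chain to one high-severity incident."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)

    incidents = []
    for user, evts in by_user.items():
        evts.sort(key=lambda a: a["time"])  # ISO-8601 strings sort chronologically
        stage, matched, start = 0, [], None
        for a in evts:
            t = datetime.fromisoformat(a["time"])
            if start is not None and t - start > window:
                stage, matched, start = 0, [], None  # chain went stale: start over
            if a["type"] != chain[stage]:
                continue                              # not the stage we are waiting for
            if stage == 0:
                start = t
            matched.append(a)
            stage += 1
            if stage == len(chain):
                incidents.append({
                    "title": "Phishing Campaign Successful",
                    "severity": "high",
                    "user": user,
                    "hosts": sorted({m["host"] for m in matched if m["host"]}),
                    "sources": [m["source"] for m in matched],
                    "alerts": matched,
                })
                stage, matched, start = 0, [], None
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["severity"].upper(), inc["title"], inc["user"], inc["hosts"], inc["sources"])
```

The join key here is the user, which is what ties a mailbox event to a host event; real products also key on device, session and IP, and the window and stage order live in a rule rather than in code.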

3. EDR Evasion Techniques

Red Teamers spend their lives trying to bypass EDR.

3.1. Unhooking (Reflective DLL Loading)

Since the EDR modified the in-memory copy of `ntdll.dll` to add the hooks, the malware can just... undo it.
1. Read `ntdll.dll` from disk (clean copy).
2. Overwrite the in-memory `ntdll.dll` text section with the clean copy.
3. The EDR hooks are gone. The malware is invisible to user-land checks.
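The following is an added toy model (not the article's code and not any EDR's implementation) of sections 1.1, 1.2 and 3.1 together: a user-land detour on one `ntdll` export, a process that restores the clean copy, and the two defender checks that survive the unhooking, namely the EDR re-verifying its own hook and the kernel callback seeing a call that the user-land hook never forwarded. Python dicts stand in for the export table and the protected-process list is assumed; no real OS structure is touched.

```python
from collections import Counter

PROTECTED = {"lsass.exe"}   # assumed policy: nobody may write memory into these processes
kernel_log = []             # Ring 0 callback record; user land cannot edit this
edr_log = []                # what the user-land hook observed and its verdict


def _syscall_write_virtual_memory(target, data):
    # The real path: the syscall reaches the kernel, where the registered callback records it.
    kernel_log.append(("NtWriteVirtualMemory", target))
    return "written"


# Clean copy as it sits on disk, and the in-memory copy the process actually calls through.
NTDLL_ON_DISK = {"NtWriteVirtualMemory": _syscall_write_virtual_memory}
ntdll_in_memory = dict(NTDLL_ON_DISK)


def install_user_hook(table, name="NtWriteVirtualMemory"):
    """Section 1.1: replace the export with a detour that inspects, then forwards or blocks."""
    original = table[name]

    def hooked(target, data):
        if target in PROTECTED:
            edr_log.append((name, target, "blocked"))
            return "blocked"               # EDR refuses the call; the process would be killed
        edr_log.append((name, target, "forwarded"))
        return original(target, data)      # benign: continue to the original function

    hooked.edr_hook = True                 # marker the integrity check looks for
    table[name] = hooked


def unhook(table):
    """Section 3.1: overwrite the in-memory copy with the clean on-disk copy."""
    table.update(NTDLL_ON_DISK)


def hook_integrity_check(table):
    """Defender check 1: the EDR periodically verifies its detours are still in place."""
    return [name for name in NTDLL_ON_DISK if not getattr(table[name], "edr_hook", False)]


def kernel_cross_check():
    """Defender check 2 (section 1.2): the kernel saw a call the user-land hook never forwarded."""
    forwarded = Counter((fn, tgt) for fn, tgt, verdict in edr_log if verdict == "forwarded")
    seen_in_kernel = Counter(kernel_log)
    return [f"unhooked call: {fn} -> {tgt}" for (fn, tgt), n in seen_in_kernel.items()
            if tgt in PROTECTED and n > forwarded[(fn, tgt)]]


def run_scenario():
    """Hooked call is blocked; after unhooking it succeeds, but both checks flag it."""
    kernel_log.clear()
    edr_log.clear()
    ntdll_in_memory.clear()
    ntdll_in_memory.update(NTDLL_ON_DISK)

    install_user_hook(ntdll_in_memory)
    first = ntdll_in_memory["NtWriteVirtualMemory"]("lsass.exe", b"payload")   # blocked
    unhook(ntdll_in_memory)
    second = ntdll_in_memory["NtWriteVirtualMemory"]("lsass.exe", b"payload")  # written
    return {
        "first_call": first,
        "second_call": second,
        "missing_hooks": hook_integrity_check(ntdll_in_memory),
        "kernel_alerts": kernel_cross_check(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry: the user-land detour is in memory the process owns, so the process can remove it, while the kernel callback and the EDR's own hook audit are not, which is why a product that relies on hooks alone is blind after step 3 above.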

3.2. Direct Syscalls

Why use the Windows API (which is hooked) at all? Use assembly to talk to the kernel directly.

mov r10, rcx
mov eax, 18h    ; Syscall number for NtAllocateVirtualMemory
syscall         ; Go directly to kernel, bypassing EDR.dll

This is why Kernel-level visibility (ETW - Event Tracing for Windows) is so critical for modern defense.
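One concrete kernel-side detection for the stub above, written here as an added example in Python (not code from the article or from any EDR): on a normal 64-bit Windows process every native syscall is issued from the stub inside `ntdll.dll`, so a syscall whose return address falls in any other module, or in memory backed by no module at all, is the tell-tale of a hand-rolled stub. The event records, their field names and the idea that the kernel-side sensor has already resolved the caller's return address to a module are assumptions made for the sample.

```python
# Constructed sample of kernel-side syscall telemetry (not real ETW output; field names assumed).
# "caller_module" is the module containing the return address of the syscall instruction,
# or None when that address lies in memory backed by no image (unbacked memory).
EVENTS = [
    {"process": "notepad.exe", "pid": 4120, "syscall": "NtAllocateVirtualMemory", "caller_module": "ntdll.dll"},
    {"process": "chrome.exe",  "pid": 5502, "syscall": "NtWriteVirtualMemory",    "caller_module": "ntdll.dll"},
    {"process": "update.exe",  "pid": 7711, "syscall": "NtAllocateVirtualMemory", "caller_module": None},
    {"process": "update.exe",  "pid": 7711, "syscall": "NtWriteVirtualMemory",    "caller_module": "update.exe"},
    {"process": "svchost.exe", "pid": 900,  "syscall": "NtOpenProcess",           "caller_module": "ntdll.dll"},
]

# Modules that legitimately contain the syscall stub. Only ntdll.dll is listed here (assumption
# for 64-bit processes); extend it deliberately for your environment rather than by exception.
LEGIT_SYSCALL_MODULES = {"ntdll.dll"}


def find_direct_syscalls(events):
    """Flag every syscall whose caller is outside the legitimate stub modules."""
    findings = []
    for e in events:
        mod = e["caller_module"]
        if mod is None or mod.lower() not in LEGIT_SYSCALL_MODULES:
            findings.append({
                "pid": e["pid"],
                "process": e["process"],
                "syscall": e["syscall"],
                "caller": mod or "<unbacked memory>",
            })
    return findings


def summarize(findings):
    """Roll per-syscall findings up to one alert per process: {(pid, name): [syscalls]}."""
    per_pid = {}
    for f in findings:
        per_pid.setdefault((f["pid"], f["process"]), []).append(f["syscall"])
    return {key: sorted(set(calls)) for key, calls in per_pid.items()}


if __name__ == "__main__":
    for (pid, name), calls in summarize(find_direct_syscalls(EVENTS)).items():
        print(f"ALERT pid={pid} {name}: direct syscalls {calls}")
```

Whether the sensor is a kernel callback that walks the calling thread's stack or an ETW consumer, the check is the same: resolve the return address to a module and compare it with the short list of modules that are allowed to issue syscalls.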

4. Hunting with KQL (Kusto Query Language)

Microsoft Defender for Endpoint uses KQL. It's powerful.

// Find processes that injected code into another process.
// In DeviceEvents the ActionType for a CreateRemoteThread call is "CreateRemoteThreadApiCall";
// InitiatingProcessFileName is the injector, FileName is the target process.
DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where FileName !in ("csrss.exe", "svchost.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName

5. Choosing a Tool

CrowdStrike Falcon: Market leader. Cloud-native. Lightweight agent.
SentinelOne: Strong AI/Machine Learning engine. Automated rollback (can undo ransomware encryption).
Microsoft Defender for Endpoint: Included in Windows E5 license. Massive telemetry from 1 billion Windows PCs.