1. Setting up a testing environment

#OpenEDR #xcitium #elastic

The EDR usually consists of two elements:

  • A web console where the data from the endpoints is visualized. This can be self-hosted or a cloud-based application, depending on the provider.

  • The endpoint agent that feeds the data to the central database. The agent itself has multiple components such as kernel drivers, DLLs, services, etc. OpenEDR consists of these components.

There are various options when it comes to setting up a testing lab:

  • OpenEDR - offers a free EDR solution. The management console is cloud-hosted, so no additional VMs are required to start testing. The process is literally sign up > install the agent, and you are good to go.

  • Elastic - offers a free EDR solution. You do, however, have to set up a Linux host running the EDR's monitoring console and database. A great walkthrough (by IppSec) on how to set it up can be found on YouTube: "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection".

  • Microsoft Defender for Endpoint. I have never tried it myself, but Microsoft offers a 30-day trial of their business solution. This is great if you are trying to match a target environment and want to test payloads in advance. A 30-day trial, however, is not great to have as a long-term playground.

For the sake of simplicity, I will write a quick walkthrough on how to set up OpenEDR.

  • To get started, all we have to do is visit OpenEDR's website and click on "Get Started for Free".

  • We then get redirected to the following site. All we have to do is fill in the form and create an account.

  • You will then be prompted to set up 2FA. That's highly recommended.

  • After setting up 2FA (or not), it will take a while for the account to be up and running. Be patient and don't refresh halfway through the process.

  • Once all is ready, we are greeted with the following window.

  • All we have to do at this point is download the MSI to the endpoint using the provided link and install it. This will enrol the endpoint in the portal.

  • The endpoint will appear in the device list on the portal if it's enrolled successfully.

  • Once enrolled, we can then install the AV and EDR capabilities. That's done by selecting the asset and clicking the menu "Install or Manage Packages" > "Install Additional Xcitium Packages".

  • We will be prompted with the following window. Both Security and EDR packages should be installed. I found this part to be a bit unstable and multiple restarts were required:

  • The final step to activate all the EDR features is to click on the asset name and navigate to "Manage Profiles" on the top left.

We then click on "Add Profiles", select all of them and click on save.

We now have a free lab with an EDR agent running where we can test our payloads.
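Once the agent and the Security and EDR packages are installed, it is worth confirming on the endpoint itself that the components listed earlier (services and kernel drivers) are actually present and running, rather than relying only on the portal's device list. The following PowerShell script is an added example, not part of the original walkthrough or of OpenEDR's own tooling; it assumes the agent's services, drivers and installed products carry "Xcitium" or "OpenEDR" in their names, which you may need to adjust.

```powershell
# Added example: verify the EDR agent footprint on a Windows endpoint.
# Assumption: component names match -VendorPattern; adjust if yours differ.
param([string]$VendorPattern = 'Xcitium|OpenEDR')

function Get-EdrAgentFootprint {
    param([string]$Pattern)

    # Installed products: the agent MSI registers under the Uninstall keys
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object DisplayName, DisplayVersion

    # User-mode services that make up the agent
    $services = Get-Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern } |
        Select-Object Name, DisplayName, Status, StartType

    # Kernel drivers the agent loads (filter / minifilter / network)
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or
                       $_.PathName -match $Pattern } |
        Select-Object Name, DisplayName, State, StartMode, PathName

    [pscustomobject]@{ Products = $products; Services = $services; Drivers = $drivers }
}

$footprint = Get-EdrAgentFootprint -Pattern $VendorPattern

"== Installed products =="; $footprint.Products | Format-Table -AutoSize
"== Services ==";           $footprint.Services | Format-Table -AutoSize
"== Kernel drivers ==";     $footprint.Drivers  | Format-Table -AutoSize

# Components present but not running usually mean a package install or a
# profile push from the portal has not completed yet; a restart often helps.
$stopped = @($footprint.Services | Where-Object Status -ne 'Running') +
           @($footprint.Drivers  | Where-Object State  -ne 'Running')
if (-not $footprint.Services -and -not $footprint.Drivers) {
    Write-Warning "No agent components matched '$VendorPattern'; check the enrolment or adjust the pattern."
} elseif ($stopped) {
    Write-Warning "Agent components present but not running: $($stopped.Name -join ', ')"
} else {
    "All matched agent components are running."
}
```

Run it from an elevated PowerShell prompt after each step of the package and profile installation to see which components each step brings up.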
