search

1. Setting up a testing environment

#OpenEDR #xcitium #elastic

hashtag
The EDR usually consists of two elements:

  • A web console where the data from the endpoints is visualized. This could be self hosted or it could be a cloud based application. This really depends on the provider.

  • The Endpoint Agent that feeds the data to the central database. The agent itself has multiple components such as kernel drivers, dlls, services etc. OpenEDR consists of these componentsarrow-up-right.

hashtag
There are various options when it comes to setting up a testing lab:

  • OpenEDR - offers a free EDR solution. Also the management console is cloud hosted so no additional VMs are required to start testing. The process is literally sign up > Install agent and you are good to go.

  • Elastic - offers a free EDR solution. You do however have to setup the a linux host running the monitoring console and database of the EDR. A great walkthrough (by IppSecarrow-up-right) on how to set it up can be found on YouTube "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collectionarrow-up-right"

  • Microsoft Defender for Endpoint. I have never tried it myself but Microsoft offers a 30-day trial of their business solutionarrow-up-right. This is great if you are trying to match a target environment and want to test payloads in advance. A 30-day trial however, is not great to have as a long term playground.

hashtag
OpenEDRarrow-up-right

For the sake of simplicity I will write quick walk through on how to set up OpenEDR.

OpenEDR landing page

  • We then get redirected to the following site. All we have to do is fill in the page and create an account.

Fill In the Form

  • You will then be prompted to set up a 2FA. That's highly recommended

2FA setup

  • After setting the 2FA up (or not) it will take a while for the account to be up and running. Be patient don't refresh halfway through the process.

Waiting for the Portal privisioning

  • Once all is ready we are greeted with the following window

Install the Agent

  • All we have to do at this point is to download the MSI to the endpoint using the provided link and install it. This will enrol the endpoint to the portal.

Enrol using the installer

  • The endpoint will appear in the device list on the portal if it's enrolled successfully.

Host EDR_Test enrolled in the portal

  • Once enrolled we can then install the AV and EDR capabilities. That's done by selecting the asset and click the menu "Install or Manage Packages" > Install Additional Xcitium Packages

Install Additional Xcitium Packages

  • We will be prompted with the following window. Both Security and EDR packages should be installed. I found this part to be a bit unstable and multiple restarts were required:

Install packages

  • The final step to activate all the EDR features is to click on the asset name and navigate to "Manage Profiles" on the top left

Manage Profiles

We hen click on "Add Profiles" select all of them and click on save.

Profiles assigned to the asset

We now have a free lab with an EDR agent running where we could test our payloads.

Last updated