EDR Telemetry Collection
Collect comprehensive endpoint detection and response telemetry from compromised and at-risk systems. EDR provides process execution trees, file modifications, registry changes, network connections, and detection alerts that form the backbone of endpoint analysis.
Actions
1. CrowdStrike -- Query the detections for each host via the Falcon API (`GET /detects/queries/detects/v1?filter=device.hostname:'TARGET_HOST'`; FQL string values are single-quoted), then pull the full detection records, including the process tree, with `POST /detects/entities/summaries/GET/v1` and the returned IDs. The Detects API is being retired in favour of the Alerts API, so use the Alerts equivalents on tenants where the detects endpoints no longer answer. RTR session output and audit records are a separate data set exported through the Real Time Response API, not the detection endpoints.
2. Microsoft Defender -- Run Advanced Hunting queries (see Queries below) to extract process execution history, file events, and network connections for the investigation window. Export results to CSV for offline analysis; split wide windows into smaller time ranges so no single query is truncated by the result limit.
3. Velociraptor -- Create a hunt for `Windows.KapeFiles.Targets` with the `_SANS_Triage` target enabled and run it across all in-scope hosts from the server. For a host with no enrolled client, run the same artifact as a stand-alone collection on the box: `velociraptor-v0.7.0-windows-amd64.exe --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args _SANS_Triage=Y --output C:\case\host_triage\%COMPUTERNAME%.zip`. The artifact's targets are selected with `Name=Y` parameters (there is no `target=` argument), and `--output` names a zip file, not a directory.
4. KAPE -- Collect KAPE triage packages from systems without EDR coverage: `kape.exe --tsource C: --tdest \\forensic-share\case\%m --tflush --target !SANS_Triage --vhdx %m` (`%m` expands to the machine name; run from an elevated prompt so locked files such as registry hives and `$MFT` can be copied). This captures event logs, registry hives, prefetch, amcache, shimcache, SRUM, and browser artifacts.
5. Hayabusa -- For each collected host, run Hayabusa against the event logs to generate a consolidated timeline: `hayabusa csv-timeline -d ./evtx_files/ -o timeline.csv --min-level medium -p verbose --UTC`. Use `--UTC` on every host so timelines from machines in different time zones line up when merged.
6. Parse evidence of execution artifacts beyond event logs: AmCache (`AmcacheParser.exe -f AmCache.hve --csv .`), ShimCache (`AppCompatCacheParser.exe -f SYSTEM --csv .`), Prefetch (`PECmd.exe -d C:\Windows\Prefetch --csv .`), and the BAM/DAM registry keys. On a live system BAM lives at `SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>`; in an offline SYSTEM hive `CurrentControlSet` is a symbolic link, so look under `ControlSet00N` (`N` from `Select\Current`). Each value under the SID subkey is named by the executed path in NT device form and its data starts with a FILETIME of the last run. These artifacts survive log clearing and provide execution evidence even when the attacker used `wevtutil cl` to wipe event logs.
7. Collect Windows Defender artifacts from systems where EDR may have been tampered with: quarantined files at `C:\ProgramData\Microsoft\Windows Defender\Quarantine\` (stored in Defender's own encrypted container format, so a quarantine decoder is needed to recover the original files), detection history at `C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\`, and MPLog at `C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log`. These provide detection evidence independent of the EDR.
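BAM is the one execution artifact in step 6 with no parser named, and its values are raw binary. The following is an added example (not a tool from this playbook) that decodes a BAM `UserSettings\<SID>` subkey into (last run, path) pairs and filters them to the investigation window; the sample values are constructed, and the assumption that the leading 8 bytes of each program entry are a FILETIME is stated in the code. `load_live_bam` reads the live registry and only works on Windows with administrative rights.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Bookkeeping values that sit beside the program entries under each <SID> subkey.
SKIP_VALUES = {"Version", "SequenceNumber"}
BAM_KEY = r"SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"


def filetime_to_datetime(raw):
    """Decode a little-endian 8-byte Windows FILETIME into a UTC datetime."""
    ticks, = struct.unpack("<Q", raw[:8])
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def decode_bam_entries(values):
    """values: {value_name: raw_bytes} read from one <SID> subkey.

    Each program entry is named by the executed path in NT device form and
    (assumption for current Windows 10/11 builds) its data is a 24-byte blob
    whose first 8 bytes are the FILETIME of the last execution; only that
    FILETIME is decoded here.  Returns [(last_run_utc, path)] oldest first."""
    entries = []
    for name, data in values.items():
        if name in SKIP_VALUES or len(data) < 8:   # DWORD bookkeeping or truncated data
            continue
        entries.append((filetime_to_datetime(data), name))
    entries.sort()
    return entries


def entries_in_window(entries, start, end):
    """Keep only entries whose last run falls inside [start, end] (UTC datetimes)."""
    return [e for e in entries if start <= e[0] <= end]


def load_live_bam():
    """Read every <SID> subkey from the live registry (Windows only, needs admin).
    Returns {sid: {value_name: raw_bytes}} ready for decode_bam_entries()."""
    import winreg  # stdlib on Windows; imported here so the module loads elsewhere
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BAM_KEY) as root:
        i = 0
        while True:
            try:
                sid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, sid) as sub:
                vals, j = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(sub, j)
                    except OSError:
                        break
                    j += 1
                    if isinstance(data, bytes):   # REG_BINARY program entries only
                        vals[name] = data
                out[sid] = vals
    return out


def _constructed_blob(when):
    """Build a BAM-style 24-byte blob for a sample timestamp (constructed test data)."""
    ticks = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks) + b"\x00" * 16


# Constructed sample of one <SID> subkey; the paths are illustrative, not real findings.
SAMPLE_SID_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 7),
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
        _constructed_blob(datetime(2024, 1, 15, 9, 38, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume3\Users\Public\update.exe":
        _constructed_blob(datetime(2024, 1, 15, 9, 39, 30, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume3\Windows\explorer.exe":
        _constructed_blob(datetime(2024, 1, 10, 8, 0, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    window = (datetime(2024, 1, 15, tzinfo=timezone.utc),
              datetime(2024, 1, 16, tzinfo=timezone.utc))
    for last_run, path in entries_in_window(decode_bam_entries(SAMPLE_SID_VALUES), *window):
        print(last_run.isoformat(), path)
```

For an offline hive, feed `decode_bam_entries` the values of each `ControlSet00N\Services\bam\State\UserSettings\<SID>` subkey from your hive parser; the decoding is the same. BAM records only the most recent run per path, so treat it as a last-seen timestamp rather than a run history.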
Queries
Defender Advanced Hunting (KQL), process executions on the in-scope hosts:
DeviceProcessEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, SHA256
| order by DeviceName, Timestamp asc

Defender Advanced Hunting (KQL), file writes to common staging directories:
DeviceFileEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FolderPath matches regex @"(?i)(\\temp\\|\\appdata\\|\\programdata\\|\\public\\)"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp asc

Defender Advanced Hunting (KQL), persistence-related registry changes:
DeviceRegistryEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where RegistryKey has_any ("Run","RunOnce","Services","Wow6432Node\\Run","Image File Execution Options","AppInit_DLLs")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp asc

Splunk (SPL), Sysmon process creation (EventCode 1) summarised by image, command line and parent:
index=sysmon host IN ("HOST1","HOST2","HOST3") EventCode=1 earliest=T_START latest=T_END
| stats count by Computer, Image, CommandLine, User, ParentImage
| sort -count

Splunk (SPL), Sysmon file creation (EventCode 11) in common staging directories:
index=sysmon host IN ("HOST1","HOST2","HOST3") EventCode=11 earliest=T_START latest=T_END (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*")
| stats count by Computer, TargetFilename, Image
| sort -count
| head 50
Notes
EDR telemetry retention varies by vendor: CrowdStrike retains 7-90 days depending on license, Defender retains 30 days by default. Export the data early.
KAPE and Velociraptor collections can generate large volumes of data (10-50 GB per host). Ensure forensic storage has sufficient capacity before starting.
If event logs have been cleared by the attacker (check for Security EID 1102 or System EID 104), pivot to non-log evidence of execution: Prefetch, AmCache, ShimCache, SRUM, BAM/DAM, and UserAssist artifacts survive `wevtutil cl` and provide substantial execution evidence.
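The pivot described in this note, and the Hayabusa and PECmd steps it builds on, can be automated once the triage packages are on the forensic share. The following is an added example, not part of the playbook's tooling: it finds Security 1102 / System 104 events per host in a Hayabusa CSV timeline, reads the run times PECmd extracted from that host's Prefetch files, and lists the executions that predate the earliest clear, i.e. the ones the event logs can no longer vouch for. The two CSV samples are constructed; the column names (`Timestamp`, `Computer`, `Channel`, `EventID` for Hayabusa; `ExecutableName`, `LastRun`, `PreviousRunN` for PECmd) and the timestamp formats are assumptions about those tools' output and may need adjusting for the versions you run.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `hayabusa csv-timeline --UTC` output.  Hayabusa
# abbreviates channel names in its profiles ("Sec" = Security, "Sys" = System).
HAYABUSA_SAMPLE = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-01-15 08:02:11.000 +00:00,WS01,Sec,4624,info,Logon (Network),TgtUser: admin
2024-01-15 09:40:03.000 +00:00,WS01,Sec,1102,high,Security Eventlog Cleared,User: admin
2024-01-15 09:40:05.000 +00:00,WS01,Sys,104,high,System Eventlog Cleared,User: admin
2024-01-15 09:41:00.000 +00:00,WS02,Sec,4688,info,Proc Exec,Cmdline: whoami
"""

# Constructed sample shaped like `PECmd.exe --csv` output, trimmed to a few columns
# (PECmd writes seven-digit fractional seconds and has no hostname column).
PECMD_SAMPLE_WS01 = """\
SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0
C:\\Windows\\Prefetch\\PSEXESVC.EXE-1A2B3C4D.pf,PSEXESVC.EXE,2,2024-01-15 07:55:40.1234567,2024-01-14 22:10:00.0000000
C:\\Windows\\Prefetch\\NOTEPAD.EXE-5E6F7A8B.pf,NOTEPAD.EXE,1,2024-01-15 10:02:00.0000000,
"""

_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(?:\.(\d+))?(?:\s*([+-])(\d{2}):?(\d{2}))?$"
)
CLEAR_EVENTS = {("sec", "1102"), ("sys", "104")}  # Security 1102, System 104


def parse_ts(text):
    """Parse either tool's timestamp into a UTC-aware datetime.

    Accepts Hayabusa's '2024-01-15 09:40:03.000 +00:00' and PECmd's seven-digit
    fraction '2024-01-15 07:55:40.1234567'.  A timestamp with no offset is taken
    as UTC, which is what both tools emit when run as in the Actions above."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    date, clock, frac, sign, hh, mm = m.groups()
    base = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    micro = int((frac or "0").ljust(6, "0")[:6])   # truncate 7 digits to microseconds
    offset = timedelta(hours=int(hh or 0), minutes=int(mm or 0))
    if sign == "-":
        offset = -offset
    return base.replace(microsecond=micro, tzinfo=timezone(offset)).astimezone(timezone.utc)


def find_log_clears(hayabusa_csv):
    """Return {host: [(timestamp, channel, event_id), ...]} for log-clearing
    events, oldest first.  The channel is matched on its first three letters so
    both the full name and Hayabusa's abbreviation work (Sysmon has no EID 104,
    so the "sys" prefix cannot misfire on it)."""
    clears = {}
    for row in csv.DictReader(io.StringIO(hayabusa_csv)):
        key = (row["Channel"].strip().lower()[:3], row["EventID"].strip())
        if key in CLEAR_EVENTS:
            clears.setdefault(row["Computer"].strip(), []).append(
                (parse_ts(row["Timestamp"]), row["Channel"], row["EventID"]))
    for events in clears.values():
        events.sort()
    return clears


def prefetch_runs(pecmd_csv, host):
    """Return [(timestamp, host, executable, source)] for every run time in a
    PECmd CSV: LastRun plus the up-to-seven PreviousRunN columns.  The host
    comes from the caller because PECmd output carries no hostname."""
    runs = []
    for row in csv.DictReader(io.StringIO(pecmd_csv)):
        for col in ("LastRun", *[f"PreviousRun{i}" for i in range(7)]):
            value = (row.get(col) or "").strip()
            if value:
                runs.append((parse_ts(value), host, row["ExecutableName"], f"Prefetch:{col}"))
    runs.sort()
    return runs


def runs_not_covered_by_logs(clears, runs):
    """Runs on a host that predate its earliest log clear: the event-log record
    of them is gone, so Prefetch/AmCache/ShimCache/BAM are the only evidence."""
    return [r for r in runs if r[1] in clears and r[0] < clears[r[1]][0][0]]


if __name__ == "__main__":
    clears = find_log_clears(HAYABUSA_SAMPLE)
    runs = prefetch_runs(PECMD_SAMPLE_WS01, "WS01")
    for host, events in clears.items():
        print(f"{host}: event logs cleared at {events[0][0].isoformat()} ({len(events)} clear events)")
    for ts, host, exe, source in runs_not_covered_by_logs(clears, runs):
        print(f"  {ts.isoformat()}  {host}  {exe}  <- {source}")
```

Run it per host with the Hayabusa timeline for the whole case and that host's PECmd CSV; anything it lists needs corroboration from AmCache, ShimCache or BAM rather than from the Security log, and a host with no clear events is simply absent from the output.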