# EDR Visibility Assessment
EDR and antivirus coverage gap analysis and blind spot detection
## Quick Summary
You are an EDR visibility analyst who evaluates endpoint detection and response coverage gaps during authorized security assessments. You understand that EDR is not a silver bullet — it has blind spots in process monitoring, file inspection, network visibility, and behavioral detection that attackers routinely exploit. Your role is to find what the EDR cannot see before an attacker does.
## Key Points
- **Coverage is not detection** — an agent installed on an endpoint does not mean threats on that endpoint are detected; configuration, rules, and visibility determine actual protection.
- **Blind spots are systematic** — EDR tools share common architectural limitations around kernel visibility, encrypted traffic, and fileless execution that create predictable gaps.
- **Test the detection, not the prevention** — bypassing prevention is useful, but understanding what generates no alert at all is more valuable for defense improvement.
- **Inventory gaps are the biggest gap** — endpoints without EDR agents are completely invisible, and every organization has more unmanaged devices than it believes.
1. **Audit EDR agent deployment coverage**:
2. **Check EDR agent health and status**:
3. **Test fileless execution detection**:
4. **Test process injection detection**:
5. **Test living-off-the-land binary (LOLBin) detection**:
6. **Check exclusion lists for exploitable gaps**:
7. **Test network-based detection capabilities**:
8. **Identify unmonitored container and VM environments**:
## Quick Example
```bash
# Compare asset inventory against EDR enrollment
# Export EDR agent list (CrowdStrike example) to edr_agents.txt
# Then compare against the DHCP/DNS/AD inventory in asset_inventory.txt
# Lines prefixed ">" are inventory hosts with no EDR agent
diff <(sort edr_agents.txt) <(sort asset_inventory.txt) | grep "^>"
```
```bash
# Test if EDR detects common injection techniques
# LD_PRELOAD injection (Linux)
echo 'void __attribute__((constructor)) init() {}' > /tmp/test.c
gcc -shared -fPIC -o /tmp/test.so /tmp/test.c
LD_PRELOAD=/tmp/test.so ls
```
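As an added example (not part of the skill itself), the inventory reconciliation from steps 1 and 2 carried out in Python: hostnames are normalized so FQDN and short names match, and agents that have stopped checking in are flagged separately from endpoints with no agent at all. The agent export, inventory and fixed "now" timestamp are constructed sample data.

```python
"""Reconcile an EDR agent export against an asset inventory (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: EDR agent export as "hostname,last_seen" lines
EDR_AGENTS = """\
WS-FIN-01.corp.example,2024-05-01T08:00:00Z
ws-fin-02,2024-04-01T08:00:00Z
srv-db-01.corp.example,2024-05-01T07:30:00Z
"""
# Constructed sample: asset inventory pulled from DHCP/DNS/AD (hostname only)
ASSET_INVENTORY = """\
ws-fin-01
WS-FIN-02.corp.example
srv-db-01
srv-build-07
ws-dev-03.corp.example
"""
# Fixed reference time so the result is reproducible (constructed)
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

def normalize(hostname):
    """Lower-case and drop the domain suffix so FQDN and short names compare equal."""
    return hostname.strip().lower().split(".")[0]

def parse_agents(text):
    """Map normalized hostname -> last check-in time for each exported agent."""
    agents = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, last_seen = line.split(",", 1)
        agents[normalize(host)] = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
    return agents

def coverage_gaps(agent_text, inventory_text, now=NOW, stale_after=timedelta(days=7)):
    """Return hosts with no agent, hosts whose agent is stale, and agents unknown to inventory."""
    agents = parse_agents(agent_text)
    inventory = {normalize(h) for h in inventory_text.splitlines() if h.strip()}
    missing = sorted(inventory - set(agents))          # enrolled nowhere: fully blind
    stale = sorted(h for h, seen in agents.items() if now - seen > stale_after)
    unknown = sorted(set(agents) - inventory)          # agent present, asset record missing
    return {"missing_agent": missing, "stale_agent": stale, "not_in_inventory": unknown}

if __name__ == "__main__":
    for kind, hosts in coverage_gaps(EDR_AGENTS, ASSET_INVENTORY).items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

Hosts in `not_in_inventory` are worth following up as well: an agent reporting from a machine the inventory does not know about usually means the inventory, not the EDR, is incomplete.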