Endpoint Security Effectiveness
Overview
Endpoint Security Effectiveness gives you visibility into how your Endpoint Detection and Response (EDR) tools perform during a NodeZero Internal pentest.
The feature shows:
- Which hosts have an EDR deployed, and which do not.
- Which NodeZero actions were blocked by the EDR and which were permitted.
- How different EDR vendors performed across your environment.
This data helps you confirm where EDR protections are working, and where gaps, misconfigurations, or silent failures exist.
How It Works
During a pentest, NodeZero attempts attacker behaviors on target hosts and records whether the EDR on the host blocked or permitted each action. The results are then published in the “EDR” tab of the pentest results page. NodeZero is able to detect over 40 EDR vendors, including SentinelOne, CrowdStrike, and Microsoft Defender. Please contact us if you’d like to see the full list of supported vendors.
To ensure that NodeZero is able to access the host and analyze EDR performance, the following criteria have to be met:
- The host is running Windows (Linux is not currently supported)
- NodeZero has admin-level credentials to the host (a local admin account, a domain user with admin privileges, or a domain admin) with remote access to WMI (port 135). In some cases, NodeZero is still able to analyze the EDR on a host by exploiting a vulnerability on the host or by using an admin-level credential.
- If a domain credential is being used, the domain controller needs to be in scope of the pentest. This can be modified via the template for the pentest.
Note
To get the best results out of NodeZero’s EDR testing, we strongly recommend you inject admin-level credentials as part of the pentest definition via the pentest’s template page. This will give NodeZero the proper access it needs to run EDR tests on the hosts that are in scope.
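The prerequisites above can be checked before a pentest is launched. The script below is an added example, not NodeZero's own code: it verifies that the domain controller behind each domain credential falls inside the scoped ranges and that TCP/135 (the WMI entry point named above) answers on each target host. The scope ranges, credential entries, and host addresses are constructed placeholders, and the `probe` parameter is a hypothetical hook that lets the check run offline.

```python
# Added example (not NodeZero's own code): pre-flight check for the EDR-test
# prerequisites. It confirms (a) every domain controller a domain credential
# depends on lies inside the pentest scope and (b) TCP/135 is reachable on
# each target host. All addresses and names below are constructed.
import ipaddress
import socket


def dc_in_scope(dc_ip, scope_cidrs):
    """True if the domain controller address lies within any scoped CIDR."""
    addr = ipaddress.ip_address(dc_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


def tcp_port_open(host, port=135, timeout=2.0):
    """Attempt a TCP connect to host:port; True on success, False otherwise.
    Note: this only tests the RPC endpoint mapper on 135; WMI/DCOM also needs
    the dynamic RPC ports, which a plain connect to 135 does not exercise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(scope_cidrs, credentials, hosts, probe=tcp_port_open):
    """
    credentials: dicts {"user": str, "domain": str|None, "dc_ip": str|None}
    hosts: target IPs to probe for WMI reachability
    probe: connection tester, injectable so the check can run offline
    Returns a dict of problems found; an empty dict means all checks passed.
    """
    problems = {"dc_out_of_scope": [], "wmi_unreachable": []}
    for cred in credentials:
        # Domain credentials only work if their DC is reachable in scope.
        if cred.get("domain") and not dc_in_scope(cred["dc_ip"], scope_cidrs):
            problems["dc_out_of_scope"].append(
                f'{cred["domain"]}\\{cred["user"]} -> {cred["dc_ip"]}')
    for h in hosts:
        if not probe(h):
            problems["wmi_unreachable"].append(h)
    return {k: v for k, v in problems.items() if v}


# Constructed sample input
SCOPE = ["10.10.20.0/24"]
CREDS = [
    {"user": "svc-pentest", "domain": "corp.example", "dc_ip": "10.10.5.10"},  # DC outside scope
    {"user": "localadmin", "domain": None, "dc_ip": None},
]
HOSTS = ["10.10.20.15", "10.10.20.16"]

if __name__ == "__main__":
    # Offline demo: pretend only the first host answers on TCP/135.
    fake_probe = lambda h, port=135, timeout=2.0: h == "10.10.20.15"
    print(preflight(SCOPE, CREDS, HOSTS, probe=fake_probe))
```

A non-empty `dc_out_of_scope` list means the pentest template scope needs to be widened to include that domain controller; a non-empty `wmi_unreachable` list usually points at a host firewall or segmentation rule, and those hosts will show up as "detection unsuccessful" in the EDR tab rather than as a vendor result.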
Analyzing EDR Results
The “EDR” section in the Internal Pentest results page gives you access to an overview of EDR findings and analysis that you can use to tune your EDR configuration.
The EDR tab contains the following information:
- Coverage overview: Number of hosts with EDR detected, not detected, detection unsuccessful, or not attempted.
- EDR vendor breakdown: Which EDR vendors were discovered and data on the percentage of actions blocked or permitted by one or more EDRs on each host.
- Downstream impacts: Potential consequences if actions were permitted (e.g., credential theft, domain compromise).
- MITRE mapping: Each permitted action is mapped to a MITRE ATT&CK tactic.
The Hosts table contains the following information:
- Details for each host: hostname, IP, criticality, detected vendor, number of permitted events, and downstream impacts.
- Filters let you drill down by vendor or high-value asset.
To get more information about which specific NodeZero actions were denied or permitted, you can click into a specific host and see details on specific actions.
For each host you can see:
- Timeline of actions attempted by NodeZero.
- Outcome: blocked vs permitted.
- Severity rating: Critical, High, Medium, Low.
- Weakness mapping: Permitted actions linked to CVEs or known weaknesses.
- Proofs and timestamps: Command output and exact execution time for correlation with EDR logs.
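The coverage overview, vendor breakdown, and timestamp correlation described above can be reproduced from exported results. The script below is an added example, not NodeZero's own code or export format: it counts hosts by detection status, tallies blocked versus permitted actions per vendor, and joins each permitted action against EDR log lines by host and time window so that permitted actions with no EDR record (the "silent failures" mentioned earlier) stand out. The host records, action events, EDR log lines, vendor names, and the 30-second window are all constructed for illustration.

```python
# Added example (not NodeZero's own code): summarise EDR test results and
# correlate permitted actions with EDR logs by host and timestamp. Every
# record layout and value below is constructed for illustration.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed host records; vendor None means no EDR was detected.
HOSTS = [
    {"host": "WS-01", "vendor": "VendorA", "status": "detected"},
    {"host": "WS-02", "vendor": "VendorA", "status": "detected"},
    {"host": "SRV-01", "vendor": None, "status": "not_detected"},
    {"host": "SRV-02", "vendor": None, "status": "unsuccessful"},
    {"host": "WS-03", "vendor": None, "status": "not_attempted"},
]

# Constructed per-host action events (UTC timestamps).
EVENTS = [
    {"host": "WS-01", "ts": "2024-05-01T10:00:05Z", "action": "credential dump",
     "tactic": "Credential Access", "outcome": "blocked"},
    {"host": "WS-01", "ts": "2024-05-01T10:02:10Z", "action": "remote service creation",
     "tactic": "Lateral Movement", "outcome": "permitted"},
    {"host": "WS-02", "ts": "2024-05-01T10:05:00Z", "action": "credential dump",
     "tactic": "Credential Access", "outcome": "permitted"},
]

# Constructed EDR log lines: "<iso-ts> host=<name> detection=<text>"
EDR_LOG = """2024-05-01T10:00:06Z host=WS-01 detection=credential access attempt
2024-05-01T10:02:12Z host=WS-01 detection=suspicious service install (alert only)
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def coverage(hosts):
    """Count hosts by EDR detection status (the coverage overview)."""
    return dict(Counter(h["status"] for h in hosts))


def vendor_breakdown(hosts, events):
    """Per vendor: number of blocked vs permitted actions on hosts it protects."""
    vendor_of = {h["host"]: h["vendor"] for h in hosts}
    out = defaultdict(lambda: {"blocked": 0, "permitted": 0})
    for e in events:
        v = vendor_of.get(e["host"])
        if v:
            out[v][e["outcome"]] += 1
    return dict(out)


def parse_edr_log(text):
    """Parse the constructed EDR log format into (timestamp, host, detection)."""
    rows = []
    for line in text.strip().splitlines():
        ts, host_kv, det_kv = line.split(" ", 2)
        rows.append((datetime.strptime(ts, TS_FMT),
                     host_kv.split("=", 1)[1], det_kv.split("=", 1)[1]))
    return rows


def silent_failures(events, edr_rows, window_s=30):
    """Permitted actions with no EDR log entry for the same host within window_s."""
    missing = []
    for e in events:
        if e["outcome"] != "permitted":
            continue
        t = datetime.strptime(e["ts"], TS_FMT)
        seen = any(h == e["host"] and abs((ts - t).total_seconds()) <= window_s
                   for ts, h, _ in edr_rows)
        if not seen:
            missing.append((e["host"], e["action"], e["tactic"]))
    return missing


if __name__ == "__main__":
    print(coverage(HOSTS))
    print(vendor_breakdown(HOSTS, EVENTS))
    print(silent_failures(EVENTS, parse_edr_log(EDR_LOG)))
```

Two outcomes deserve different follow-up: a permitted action that does appear in the EDR log (WS-01 above) shows the sensor saw the behaviour but its policy only alerted, so the fix is a prevention-policy change; a permitted action with no EDR record at all (WS-02 above) is a visibility gap to raise with the vendor or to trace to a sensor or forwarding problem.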
The EDR Host events table contains a row for each event that occurred on this host. See the following screenshot for an example:
Clicking on the Proof for a given event row shows the proof for that event:
Clicking on the Commands link for a given event shows a list of commands associated with this event: