PRACTITIONER GUIDE
Practitioner GuideUpdated 14 min read

EDR Coverage Gaps: The Blind Spots Your Endpoint Detection Is Missing

25-40%
of devices in a typical enterprise are unmanaged (IoT, OT, personal devices, network equipment), invisible to EDR entirely
Ring -2
hypervisor-level execution (below Ring 0 where the OS kernel runs) is completely invisible to any EDR agent running inside the OS
LOLBins
Living-off-the-land binaries, signed Microsoft executables used maliciously, are the most common EDR evasion technique; detection requires behavioral context, not file signatures

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

EDR solutions are the backbone of modern endpoint security, but every security team that relies on them exclusively has blind spots they may not be aware of. EDR agents run inside the operating system, which means anything that runs below the OS, outside of managed devices, or in ways that abuse the OS's own trusted processes has a structural advantage. Understanding the specific categories of EDR coverage gaps allows security teams to design compensating controls that close the most critical exposure before those gaps are exploited.

Gap 1: Unmanaged and BYOD Devices

The most pervasive EDR gap is the simplest: devices that do not have an EDR agent installed. In a typical enterprise, 25-40% of network-connected devices have no EDR coverage.

Categories of unmanaged devices

Network infrastructure (switches, routers, firewalls, no agent support), IoT devices (cameras, badge readers, building systems), OT/ICS systems (PLCs, SCADA HMIs, often cannot run modern OS software), personal BYOD devices used for corporate email or VPN access, and contractor/vendor laptops that are not joined to your domain. Any attacker who establishes a foothold on any of these devices is in a network-adjacent position invisible to your EDR.

Compensating control: network detection and response (NDR)

NDR solutions (Darktrace, ExtraHop, Corelight, Vectra) analyze network traffic rather than host telemetry. They can detect lateral movement, C2 beaconing, and exfiltration from any device on the network segment, regardless of whether that device has an EDR agent. NDR is particularly valuable for OT/ICS environments where EDR deployment is not feasible. Deploy network sensors at key chokepoints: core switch SPAN ports, east-west DMZ, cloud VPC traffic mirroring.

Compensating control: network access control (NAC)

NAC solutions (Cisco ISE, Aruba ClearPass, Forescout) enforce device posture requirements before granting network access. Configure NAC to require a running EDR agent for full network access, and place unmanaged devices in a restricted VLAN with limited connectivity. Forescout agentless assessment can fingerprint devices that cannot run agents and classify them by type for network segmentation decisions.

Gap 2: Below-OS Execution

EDR agents run inside the operating system kernel. Execution that happens before the OS loads, or in a hypervisor layer below the OS, is structurally invisible to any EDR agent.

UEFI and firmware rootkits

UEFI bootkit malware (BlackLotus, CosmicStrand, MoonBounce) runs before the OS boots and persists across OS reinstallation. A firmware rootkit can modify the OS as it loads, inject code into kernel processes, and survive any in-OS remediation. EDR cannot detect or remediate firmware attacks. Compensating controls: enable Secure Boot and enforce it via hardware policy, enable BIOS/UEFI tamper protection, run periodic firmware integrity checks using vendor firmware validation tools (Dell Command | Security Manager, HP Sure Start), and require hardware-level attestation for high-value endpoints.

Hypervisor-level attacks (Ring -1 / Ring -2)

Virtualization-based attacks that run at the hypervisor level (below the OS kernel) are invisible to any agent running inside a VM or the OS. Blue Pill-style attacks install a hypervisor beneath the running OS to intercept system calls and hide malicious activity. These remain primarily in the nation-state toolset rather than commodity malware. Compensating controls: Virtualization-Based Security (VBS) on Windows with Secure Boot prevents most hypervisor injection attacks by ensuring only authorized code can run in the hypervisor layer.

Memory-only attacks with no disk artifacts

Fileless malware that executes entirely in memory, injected via document macros, PowerShell scripts, or process injection, can evade EDR agents that rely primarily on file scanning. Modern EDRs use behavior-based detection and memory scanning to catch most in-memory techniques, but novel shellcode injection methods that bypass API hooks remain a gap. Compensating control: Microsoft Attack Surface Reduction (ASR) rules block the most common injection primitives regardless of payload content. Enable ASR rules: block executable content from email, block process creation from Office macros, block credential stealing from LSASS.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Gap 3: Trusted Process Abuse (LOLBins)

Living-off-the-land binaries are signed, legitimate Windows or macOS tools used maliciously. EDR detects most, but detection requires behavioral context that is sometimes incomplete.

Commonly abused Windows LOLBins

certutil.exe (download and decode files), msiexec.exe (install from remote URL), regsvr32.exe (load COM objects from remote SCT files), wmic.exe (execute processes and spawn child processes), mshta.exe (execute HTA applications from URLs), bitsadmin.exe (file transfer and persistence), rundll32.exe (execute DLL exports). All are signed Microsoft binaries. EDR detects abuse through behavioral context: msiexec spawning cmd.exe is anomalous; standalone msiexec for software installation is not.

Detecting LOLBin abuse in EDR telemetry

The detection is behavioral, not signature-based. In CrowdStrike Falcon or Microsoft Defender, configure custom detection rules for: certutil.exe with -decode or -urlcache arguments; regsvr32.exe with a remote URL argument; mshta.exe spawning any child process; wmic.exe process call create with a network path argument. These command-line patterns are almost never legitimate and indicate active abuse.

macOS LOLBins and trusted tool abuse

macOS equivalents: curl and wget (network download, often used in persistence scripts), osascript (AppleScript execution, can automate GUI actions including privilege escalation dialogs), launchctl (load LaunchAgent/LaunchDaemon for persistence), python3 (execute arbitrary code, spawn reverse shells). Alert in your EDR on: osascript spawning any child process other than AppleScript-controlled applications; launchctl load with a path under /tmp or a user Downloads directory.

Gap 4: Legitimate Remote Administration and Cloud Tools

Attackers increasingly use remote administration tools (RATs) and cloud services that EDR vendors cannot block without breaking legitimate use cases.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Closing the Gaps: A Layered Approach

No single tool closes all EDR gaps. A defense-in-depth architecture distributes detection across multiple layers so no single gap creates a blind spot.

The recommended stack

EDR for managed endpoints (primary behavioral detection layer). NDR for network-level visibility across all devices. DNS security gateway for C2 beaconing and exfiltration detection. SIEM for correlation across all sources. CNAPP or CSPM for cloud workloads that cannot run EDR agents. Deception technology (canary tokens, honeypots) to catch lateral movement in areas where active monitoring has gaps.

Prioritize EDR deployment on high-value targets

If your EDR deployment is below 100%, prioritize: all privileged accounts' workstations (domain admins, cloud admins, finance), all systems with access to production databases and code repositories, all internet-facing systems, and all CI/CD build agents. An attacker who compromises a build agent with no EDR coverage has access to your entire deployment pipeline and all production credentials it uses.

The bottom line

EDR is necessary but not sufficient. The gaps are structural: unmanaged devices, below-OS execution, LOLBin abuse, and legitimate-tool C2 all have inherent limits on EDR visibility. Know your gaps, instrument them with compensating controls, NDR for unmanaged devices, ASR rules for LOLBin primitives, DNS logging for C2, behavioral alerts for RMM tools outside business hours, and accept that no single detection layer provides complete coverage. The goal is enough overlapping sensors that no single gap creates a complete blind spot.

Frequently asked questions

Can EDR detect if an attacker is using a signed, legitimate binary maliciously?

Modern EDRs detect most LOLBin abuse through behavioral analysis, they look at the process tree, parent-child relationships, command-line arguments, and network connections rather than just file hashes. But detection is tuning-dependent: an EDR with default configuration will catch many LOLBin patterns; a well-tuned EDR with environment-specific exclusion rules is more accurate. The edge cases EDR misses are typically new LOLBin combinations that have not been added to the vendor's behavior library yet.

Does Microsoft Defender for Endpoint protect against firmware attacks?

Microsoft Defender for Endpoint includes Secured-Core PC protections when running on hardware that supports them: Secure Boot, UEFI BIOS firmware scanning, and Virtualization-Based Security (VBS). On older hardware without Secured-Core support, firmware attacks that run before the OS loads are outside MDE's detection capability. UEFI rootkits specifically require a platform with UEFI firmware scanning capabilities, not all enterprise hardware has this.

What is the EDR gap for container workloads?

Traditional EDR agents run in the host OS and can observe container processes, but with limited container context, they see the process tree on the host but may not attribute it to a specific container, pod, or deployment. For Kubernetes, runtime security tools like Falco (eBPF-based) or Aqua Security provide container-native behavioral detection that understands pod labels, namespaces, and image provenance. The recommended approach is host-level EDR plus a container-native runtime security tool.

How do attackers evade memory-based detection in EDR?

Common memory detection evasion techniques include: direct syscall invocation (bypasses user-mode API hooks where many EDRs monitor), heap spraying with NtAllocateVirtualMemory (avoids common shellcode injection patterns), stomping EDR hooks by overwriting ntdll.dll's .text section with a clean copy from disk, and using hardware breakpoints to detect when EDR hooks are called. These are advanced techniques primarily used by sophisticated threat actors, they require custom tooling and deep knowledge of the target EDR's hooking mechanism.

How do I evaluate whether my EDR will detect a specific MITRE ATT&CK technique?

Test EDR detection coverage using three methods: (1) Atomic Red Team (invoke-atomicredteam PowerShell module) — run the atomic test for the specific ATT&CK technique (e.g., Invoke-AtomicTest T1003.001 for LSASS dumping) and check whether your EDR generated an alert within 5 minutes. (2) MITRE ATT&CK Evaluations — review Mitre's published evaluation results for your EDR vendor at attackevals.mitre.org, which shows detection rates for each technique in the evaluated adversary emulation. (3) Purple team exercises — work with a red team to perform technique-specific simulations in your production environment while your SOC monitors for detections in real time. Document both detected and missed techniques to build your coverage map.

How should a security team operationalize EDR telemetry for faster threat hunting when no alert fires?

Proactive threat hunting against EDR telemetry requires three operational components that most teams build in the wrong order. First, establish a baseline by running a 30-day statistical summary of process execution frequency per host group: commands executed fewer than 5 times across your entire fleet in 30 days are high-signal candidates because rare execution is the most reliable proxy for attacker tooling. Second, write standing hunting queries against specific LOLBin parent-child relationships that your EDR vendor does not alert on by default -- examples include wscript.exe spawning powershell.exe, msbuild.exe making network connections, and regsvr32.exe with a network path argument where the extension is not .dll. Third, schedule structured hunting runs tied to newly published threat actor TTPs rather than running ad hoc hunts: when a new Lazarus Group or APT41 campaign report publishes, extract the process names and command-line patterns and run them against 90 days of EDR telemetry within 48 hours. Teams that hunt reactively to reports consistently find historical evidence of intrusion they missed in real time.

Sources & references

  1. CrowdStrike Falcon documentation
  2. Microsoft Defender for Endpoint
  3. NSA: Enduring Security Framework, Defending OT
  4. MITRE ATT&CK: Defense Evasion

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.