. * .  .  *
  *    .    *
     .-~~~-.
  __|_______|__
 (  .  .  .  . )
  '~~~~~~~~~~~~~'
      |   |
   *  .   .  *
  .  *  .    .
0x06 // AREA41::2026
EDR Introspection
SPEAKER: Levi Cailleret
DURATION: 23:41

Endpoint Detection and Response (EDR) agents operate as black boxes, providing analysts with little visibility into why a specific payload is blocked or ignored. To understand exactly how these systems function, Levi Cailleret developed an EDR introspection framework to monitor Microsoft Defender for Endpoint (MDE, MsMpEng.exe) in real time. By applying the same monitoring techniques that EDRs use against malware, they turned the tables on the agent, tracking its static checks, emulations, memory scans, and runtime tracking behavior.

Gaining control over the MDE process requires circumventing several Windows kernel protections. Because MDE runs as a Protected Process Light (PPL) anti-malware service, Cailleret used Kernel Driver Utility (KDU) to exploit vulnerable drivers and elevate their monitoring tool to the same PPL level. They then deployed EDRSandblast to disable the kernel callbacks that would otherwise strip the tool's access rights. Finally, to bypass code integrity checks that require Microsoft-signed binaries, they reflectively injected an unsigned hooking DLL into the Defender process, where it hooks ntdll.dll. The hooks redirect system calls such as NtOpenProcess to a custom logging function that records Defender's action before returning execution to the EDR.

During a live process injection demonstration using an MSFVenom payload, this monitoring setup captured Defender's exact operational timeline. When the attack executable launched, Defender immediately read the process memory, checked ntdll.dll against a cache to ensure it was unmodified, and inspected the loader entry. When the payload launched whoami to start calc.exe, Defender executed 200 memory reads searching for shellcode, ran a fast emulation phase, and pulled file indicators to send to Microsoft.

Ultimately, Cailleret showed that while kernel exploits are necessary to inject hooks directly into the EDR, administrators can track most scanning phases without them. By correlating standard Event Tracing for Windows (ETW) channels—specifically the Anti-Malware Engine provider and Kernel Audit API calls—teams can observe static scans and memory reads using only administrative privileges. Additionally, the research confirmed that EDR triggers can be intentionally exhausted through "deconditioning." By spamming harmless actions, such as repeatedly allocating memory or dumping benign processes like explorer.exe 20 times, attackers can desensitize Defender, allowing a subsequent memory dump of LSASS to execute completely undetected.
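The admin-only observation path described above, as an added example that is not code from the talk: it enables the two ETW providers named, then extracts Defender's OpenProcess calls from the trace and counts which of them requested PROCESS_VM_READ, the access a memory scan needs. Assumed, not taken from the talk: the provider GUIDs are the published ones for these two providers, the payload field names TargetProcessId and DesiredAccess follow the Kernel-Audit-API-Calls manifest (event ID 5 is OpenProcess), and the session and file names are arbitrary.

```powershell
# Added example (not the talk's tooling). Run from an elevated PowerShell session.
$Session   = 'EdrIntrospect'                            # arbitrary session name
$EtlPath   = Join-Path $env:TEMP 'edr-introspect.etl'   # arbitrary output file
$AmEngine  = '{0A002690-3839-4E3A-B3B6-96D8DF868D99}'   # Microsoft-Antimalware-Engine
$KAuditApi = '{E02A841C-75A3-4FA7-AFC8-AE09CF9B7F23}'   # Microsoft-Windows-Kernel-Audit-API-Calls
$MpEngPid  = (Get-Process -Name MsMpEng).Id             # the engine process being watched

# 1. Start a trace session and enable both providers (all keywords, verbose level).
logman create trace $Session -ow -o $EtlPath -ets | Out-Null
logman update trace $Session -p $AmEngine  0xffffffffffffffff 0xff -ets | Out-Null
logman update trace $Session -p $KAuditApi 0xffffffffffffffff 0xff -ets | Out-Null

Read-Host 'Reproduce the activity to observe, then press Enter to stop the trace' | Out-Null
logman stop $Session -ets | Out-Null

# 2. Read the .etl back. -Oldest is mandatory for ETL files.
$All = Get-WinEvent -Path $EtlPath -Oldest

# 3. Keep OpenProcess calls (event 5) made by MsMpEng; decode target PID and access mask.
$Opens = foreach ($e in $All) {
    if ($e.ProviderName -ne 'Microsoft-Windows-Kernel-Audit-API-Calls' -or $e.Id -ne 5) { continue }
    if ($e.ProcessId -ne $MpEngPid) { continue }
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }   # assumed field names
    [pscustomobject]@{
        Time      = $e.TimeCreated
        TargetPid = [int]$d['TargetProcessId']
        Access    = [uint32]$d['DesiredAccess']
        VmRead    = ([uint32]$d['DesiredAccess'] -band 0x10) -ne 0         # PROCESS_VM_READ
    }
}

# 4. One row per scanned process: how often Defender opened it and how many were memory reads.
$Opens | Group-Object TargetPid | ForEach-Object {
    $name = (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName
    [pscustomobject]@{
        TargetPid = $_.Name; Process = $name; Opens = $_.Count
        VmReads   = ($_.Group | Where-Object VmRead).Count
        First     = ($_.Group | Sort-Object Time)[0].Time
    }
} | Sort-Object VmReads -Descending | Format-Table -AutoSize

# 5. The engine's own events, in order, to see which scan phase the reads belong to.
$All | Where-Object ProviderName -eq 'Microsoft-Antimalware-Engine' |
    Select-Object TimeCreated, Id, @{n='Msg'; e={ ($_.Message -split "`n")[0] }} -First 20
```

Sorting the step 4 table next to the step 5 timeline is the correlation the talk describes: a burst of VM_READ opens against one PID between two engine events marks a memory-scan phase.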

// This summary was generated by AI. AI can make mistakes. If in doubt, watch the original conference recording.