omcyber10/Endpoint-Detection-and-Response-EDR-LimaCharlie
# Endpoint Detection & Response (EDR) Lab using LimaCharlie




# Project Overview
This project demonstrates a hands-on Endpoint Detection & Response (EDR) lab using LimaCharlie to simulate and investigate suspicious endpoint activity related to LSASS credential dumping.
The objective of this lab was to:
- Deploy and configure LimaCharlie sensors
- Generate endpoint telemetry
- Simulate credential dumping activity
- Trigger EDR detections
- Investigate alerts and suspicious processes
- Map findings to MITRE ATT&CK techniques
# Technologies Used
- LimaCharlie EDR
- Windows Endpoint
- PowerShell
- MITRE ATT&CK Framework
- Detection Engineering
- Threat Hunting Concepts
# EDR Lab Architecture
```
+------------------------+
|    Windows Endpoint    |
+------------------------+
            |
            v
+------------------------+
|   LimaCharlie Sensor   |
+------------------------+
            |
            v
+------------------------+
|   Endpoint Telemetry   |
|   Process Events       |
|   PowerShell Activity  |
|   Command-Line Logs    |
+------------------------+
            |
            v
+------------------------+
|    Detection Engine    |
|    Behavioral Rules    |
|    IOC Matching        |
+------------------------+
            |
            v
+------------------------+
|    Security Alerts     |
|    Detection Events    |
+------------------------+
            |
            v
+------------------------+
|   SOC Investigation    |
|   Threat Analysis      |
|   MITRE ATT&CK Mapping |
+------------------------+
```
# Sensor Deployment
## Downloading LimaCharlie Sensor

## Sensor Installation

## Agent Installed Successfully

# Sensor Management
## Sensor List

## Sensor Overview

# Attack Simulation
## PowerShell Preparation

## LSASS Dump Simulation

The following command was executed to simulate credential dumping behavior:
```
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1436 C:\Windows\Temp\lsass.dmp full
```
MITRE ATT&CK Technique:
- T1003.001 — OS Credential Dumping: LSASS Memory
# Detection & Telemetry
## Detection Dashboard

## Detection Events

Detections triggered during the simulation:
- LSASS Dump Keyword In CommandLine
- Potentially Suspicious Rundll32 Activity
- Process Memory Dump via Comsvcs.DLL
- PowerShell Spawning Rundll32
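As an added example (not part of this lab's own material), the four detections above written out as plain Python conditions and run over two constructed process events, one benign and one reproducing the simulated command from this README. The event field names are an assumption modelled loosely on a NEW_PROCESS record, and the conditions approximate what such rules key on; they are not LimaCharlie's rule definitions.

```python
# Constructed sample process events, loosely modelled on a NEW_PROCESS
# record (FILE_PATH, COMMAND_LINE, PARENT/FILE_PATH). The field names are an
# assumption for this example, not LimaCharlie's exact schema.
SAMPLE_EVENTS = [
    {  # benign rundll32 use launched from Explorer (constructed)
        "FILE_PATH": r"C:\Windows\System32\rundll32.exe",
        "COMMAND_LINE": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /?",
        "PARENT": {"FILE_PATH": r"C:\Windows\explorer.exe"},
    },
    {  # the lab's simulated dump (command from this README), spawned by PowerShell
        "FILE_PATH": r"C:\Windows\System32\rundll32.exe",
        "COMMAND_LINE": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1436 C:\Windows\Temp\lsass.dmp full",
        "PARENT": {"FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    },
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the path is missing)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event):
    """Return the names of the lab's four detections that a process event triggers."""
    cmd = event.get("COMMAND_LINE", "").lower()
    image = _basename(event.get("FILE_PATH", ""))
    parent = _basename(event.get("PARENT", {}).get("FILE_PATH", ""))
    hits = []
    # keyword rule: the LSASS target named together with a dump/.dmp output
    if "lsass" in cmd and (".dmp" in cmd or "dump" in cmd):
        hits.append("LSASS Dump Keyword In CommandLine")
    # LOLBin rule: rundll32 invoking the MiniDump export of comsvcs.dll
    if image == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
        hits.append("Process Memory Dump via Comsvcs.DLL")
    # parent/child rule: PowerShell launching rundll32
    if image == "rundll32.exe" and parent in {"powershell.exe", "pwsh.exe"}:
        hits.append("PowerShell Spawning Rundll32")
    # broader heuristic: rundll32 started by any script host or writing a .dmp file
    if image == "rundll32.exe" and (parent in SCRIPT_HOSTS or ".dmp" in cmd):
        hits.append("Potentially Suspicious Rundll32 Activity")
    return hits


def scan(events):
    """Map event index -> triggered detection names, skipping clean events."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}
```

The benign Explorer-launched event produces no hits, while the simulated dump trips all four rules at once, which is the overlap an analyst sees in the detection list above.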
# Investigation Report

The investigation identified suspicious credential dumping behavior using rundll32.exe and comsvcs.dll MiniDump functionality targeting the LSASS process.
Indicators observed:
- Suspicious command-line arguments
- Credential dumping behavior
- PowerShell spawning rundll32.exe
- Creation of lsass.dmp
- High severity EDR detections
# Skills Demonstrated
- Endpoint Detection & Response (EDR)
- Threat Detection
- SOC Investigation Workflow
- Threat Hunting
- PowerShell Analysis
- Detection Engineering
- MITRE ATT&CK Mapping
- Security Telemetry Analysis
# Project Outcome
This lab successfully demonstrated how EDR platforms detect, analyze, and investigate suspicious credential dumping activity using behavioral telemetry and detection logic.
The project also provided hands-on experience with SOC workflows, alert triaging, and endpoint investigation techniques.