{"id":10384,"date":"2025-04-16T11:59:00","date_gmt":"2025-04-16T10:59:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/leveraging-edr-behavioral-data-for-zero-day-vulnerability-discovery-and-triage-of-known-vulnerabilities\/"},"modified":"2025-04-16T11:59:00","modified_gmt":"2025-04-16T10:59:00","slug":"leveraging-edr-behavioral-data-for-zero-day-vulnerability-discovery-and-triage-of-known-vulnerabilities","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/leveraging-edr-behavioral-data-for-zero-day-vulnerability-discovery-and-triage-of-known-vulnerabilities\/","title":{"rendered":"Leveraging EDR Behavioral Data for Zero-Day Vulnerability Discovery and Triage of Known Vulnerabilities"},"content":{"rendered":"\n
\n
\n

\n Leveraging EDR Behavioral Data for Zero-Day Vulnerability Discovery and Triage of Known Vulnerabilities<\/span><\/h1>
\n
\n \n \n Attack Detection <\/span>\n \n Dfir <\/span>\n \n Endpoint Security <\/span>\n <\/span>\n \n 16 4\u6708, 2025 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n \u30b7\u30a7\u30a2\u3059\u308b <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \n \n <\/path>\n <\/path>\n <\/svg>\n <\/span>\n <\/div>\n
\n

Jarno Niemela<\/h3>\n \n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n\n
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

At WithSecure, we have the benefit of a comprehensive set of capabilities, allowing us to conduct research on how to better integrate our various services.<\/h2>\n

One such topic has been the use of behavioral information provided by Endpoint Detection and Response (EDR) to detect potential privilege escalation vulnerabilities.\u00a0This approach serves both as a means of verifying and triaging known vulnerabilities to confirm their exploitability on a host, and more interestingly, it enables us to discover novel vulnerabilities that have not yet been reported or abused in the wild.<\/p>\n

What we are doing is monitoring the host for behavioral artifacts from privileged processes that indicate a possible way for adversaries to subvert the intended operation of that process. Essentially, it is a real-time, behavior-based access rights audit that focuses solely on activities occurring within a given host. Every host that has been in use for an extended period has a very extensive list of misconfigurations, but only those utilized by privileged processes are significant.<\/p>\n

Our goal is to cover unknown vulnerabilities through our protection stack. We aim to prevent vulnerabilities from being exploited with the \u2018DeepGuard\u2019 component of WithSecure EPP, detect exploitation if it occurs with EDR, inform customers of exploitable vulnerabilities, and provide recommendations through Exposure Management. Essentially, we strive to protect our customers pre-zero day, meaning they would be safeguarded before any human is aware of the vulnerability’s existence.<\/p>\n

The method we discovered has proven to be quite fruitful. In fact, it has been so effective that we got around one hundred potential vulnerability discoveries to triage. We have been busy sorting out which ones are already known, and which appear to be novel, and we have been reporting the latter to vendors.<\/p>\n

Last week, we reached a milestone with our first vulnerability,\u00a0WITH-ZD-2025-0001<\/a>, getting patched and announced by a vendor in their release notes.\u00a0FileWave Version 16.0.2<\/a>. This vulnerability applies only in specific configurations, highlighting the effectiveness of behavior-based verification and triage. Not only have we discovered a new vulnerability, but we are also capable of detecting it only on hosts where the vulnerability is in an exploitable state.<\/p>\n

There are many more vendor notifications in the works, but having the first one publicly announced by the software vendor is a milestone worth celebrating.<\/p>\n<\/div>\n\n

\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

At WithSecure, we have the benefit of a comprehensive set of capabilities, allowing us to conduct research on how to better integrate our various services.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,340,332],"labs_content_type":[349],"class_list":["post-10384","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-dfir","category-endpoint-security"],"acf":[],"card":"

\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Dfir<\/span>\n Endpoint Security<\/span>\n <\/div>\n <\/div>\n

Leveraging EDR Behavioral Data for Zero-Day Vulnerability Discovery and Triage of Known Vulnerabilities<\/h3>\n

At WithSecure, we have the benefit of a comprehensive set of capabilities, allowing us to conduct research on how to better integrate our various services.<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10384"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}