{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T16:46:35Z","timestamp":1776444395118,"version":"3.51.2"},"reference-count":22,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2021,7,9]],"date-time":"2021-07-09T00:00:00Z","timestamp":1625788800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["830929, 832735"],"award-info":[{"award-number":["830929, 832735"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Advanced persistent threats pose a significant challenge for blue teams as they apply various attacks over prolonged periods, impeding event correlation and their detection. In this work, we leverage various diverse attack scenarios to assess the efficacy of EDRs against detecting and preventing APTs. Our results indicate that there is still a lot of room for improvement as state-of-the-art EDRs fail to prevent and log the bulk of the attacks that are reported in this work. Additionally, we discuss methods to tamper with the telemetry providers of EDRs, allowing an adversary to perform a more stealth attack.<\/jats:p>","DOI":"10.3390\/jcp1030021","type":"journal-article","created":{"date-parts":[[2021,7,9]],"date-time":"2021-07-09T10:50:38Z","timestamp":1625827838000},"page":"387-421","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":49,"title":["An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors"],"prefix":"10.3390","volume":"1","author":[{"given":"George","family":"Karantzas","sequence":"first","affiliation":[{"name":"Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou Str., 18534 Piraeus, Greece"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4460-9331","authenticated-orcid":false,"given":"Constantinos","family":"Patsakis","sequence":"additional","affiliation":[{"name":"Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou Str., 18534 Piraeus, Greece"},{"name":"Information Management Systems Institute, Athena Research Center, Artemidos 6, 15125 Marousi, Greece"}]}],"member":"1968","published-online":{"date-parts":[[2021,7,9]]},"reference":[{"key":"ref_1","unstructured":"Forum, W.E. (2021, July 08). Wild Wide Web Consequences of Digital Fragmentation. Available online: https:\/\/reports.weforum.org\/global-risks-report-2020\/wild-wide-web\/."},{"key":"ref_2","unstructured":"Oltsik, J. (2021, July 08). 2017: Security Operations Challenges, Priorities, and Strategies. Available online: http:\/\/pages.siemplify.co\/rs\/182-SXA-457\/images\/ESG-Research-Report.pdf."},{"key":"ref_3","unstructured":"Chuvakin, A. (2021, July 08). Named: Endpoint Threat Detection & Response. Available online: https:\/\/blogs.gartner.com\/anton-chuvakin\/2013\/07\/26\/named-endpoint-threat-detection-response\/."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1016\/S1353-4858(20)30104-5","article-title":"The problem with (most) network detection and response","volume":"2020","author":"Campfield","year":"2020","journal-title":"Netw. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., Bates, A., and Marino, D. (2020, January 18\u201321). Tactical provenance analysis for endpoint detection and response systems. Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Chen, P., Desmet, L., and Huygens, C. (2014). A study on advanced persistent threats. IFIP International Conference on Communications and Multimedia Security, Springer.","DOI":"10.1007\/978-3-662-44885-4_5"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Giura, P., and Wang, W. (2012, January 14\u201316). A Context-Based Detection Framework for Advanced Persistent Threats. Proceedings of the 2012 International Conference on Cyber Security, Alexandria, VA, USA.","DOI":"10.1109\/CyberSecurity.2012.16"},{"key":"ref_8","first-page":"54","article-title":"Targeted Cyberattacks: A Superset of Advanced Persistent Threats","volume":"11","author":"Sood","year":"2013","journal-title":"IEEE Secur. Priv."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Brogi, G., and Tong, V.V.T. (2016, January 21\u201323). Terminaptor: Highlighting advanced persistent threats through information flow tracking. Proceedings of the 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Larnaca, Cyprus.","DOI":"10.1109\/NTMS.2016.7792480"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","article-title":"A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities","volume":"21","author":"Alshamrani","year":"2019","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1016\/S1353-4858(17)30037-5","article-title":"Fileless attacks: Compromising targets without malware","volume":"2017","year":"2017","journal-title":"Netw. Secur."},{"key":"ref_12","unstructured":"Campbell, C., Graeber, M., Goh, P., and Bayne, J. (2021, July 08). Living Off The Land Binaries and Scripts. Available online: https:\/\/lolbas-project.github.io\/."},{"key":"ref_13","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"Hutchins","year":"2011","journal-title":"Lead. Issues Inf. Warf. Secur. Res."},{"key":"ref_14","unstructured":"Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., and Thomas, C.B. (2018). Mitre att&ck: Design and philosophy. Tech. Rep."},{"key":"ref_15","unstructured":"Symantec Enterprise (2021, July 08). Threat Landscape Trends\u2014Q3 2020. Available online: https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/threat-landscape-trends-q3-2020."},{"key":"ref_16","unstructured":"Microsoft (2021, July 08). Memory-Mapped Files. Available online: https:\/\/docs.microsoft.com\/en-us\/dotnet\/standard\/io\/memory-mapped-files."},{"key":"ref_17","unstructured":"Osborne, C. (2021, July 08). Hackers Exploit Windows Error Reporting Service in New Fileless Attack. Available online: https:\/\/www.zdnet.com\/article\/hackers-exploit-windows-error-reporting-service-in-new-fileless-attack\/."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"393","DOI":"10.1016\/j.future.2020.11.004","article-title":"Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks","volume":"116","author":"Apostolopoulos","year":"2021","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_19","unstructured":"de Plaa, C. (2021, July 08). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV\/EDR. Available online: https:\/\/outflank.nl\/blog\/2019\/06\/19\/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr\/."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.4018\/irmj.2011070101","article-title":"Social Engineering: The Neglected Human Factor for Information Security Management","volume":"24","author":"Luo","year":"2011","journal-title":"Inf. Resour. Manag. J. (IRMJ)"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"424","DOI":"10.1016\/j.sbspro.2014.07.133","article-title":"The human factor of information security: Unintentional damage perspective","volume":"147","author":"Metalidou","year":"2014","journal-title":"Procedia-Soc. Behav. Sci."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"4986","DOI":"10.1007\/s11227-018-2337-2","article-title":"Security threats to critical infrastructure: The human factor","volume":"74","author":"Ghafir","year":"2018","journal-title":"J. Supercomput."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/3\/21\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T06:28:27Z","timestamp":1760164107000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/3\/21"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,9]]},"references-count":22,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2021,9]]}},"alternative-id":["jcp1030021"],"URL":"https:\/\/doi.org\/10.3390\/jcp1030021","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,7,9]]}}}