Skip to content

ASUS AI EDR Windows telemetry#206

Open
shine0614 wants to merge 1 commit into
tsale:mainfrom
GHC-DSC:asus-ai-edr
Open

ASUS AI EDR Windows telemetry#206
shine0614 wants to merge 1 commit into
tsale:mainfrom
GHC-DSC:asus-ai-edr

Conversation

@shine0614

Copy link
Copy Markdown

🖥️ EDR Telemetry Pull Request

📝 Contribution Details

This PR adds Windows telemetry coverage based on validation and testing using the official EDR Telemetry Windows testing methodology.

Telemetry validation used the provided telemetry-generator.ps1 workflow, Atomic Red Team simulations, and manual verification via the EDR dashboard, telemetry events, and sanitized logs.

For telemetry categories not covered or reproducible through telemetry-generator.ps1 or Atomic Red Team, manual behavioral testing validated telemetry collection. This included controlled execution of Windows-native commands, PowerShell simulations, registry modifications, WMI event subscription testing, service activity, named pipe activity, and other relevant system behaviors.

For telemetry categories without directly observable native OS-level events, behavioral validation used available telemetry sources (e.g., PowerShell Script Block Logging, WMI events, service activity, and command execution evidence).

✅ Validation Details

EDR Product Information

  • EDR Product Name: ASUS AI EDR
  • EDR Version: 0.1.2.5
  • Operating System(s) Tested: Windows

📊 Telemetry Validation

We validated telemetry by:

  • Running the official Windows telemetry generation workflow (telemetry-generator.ps1)
  • Executing Atomic Red Team techniques defined in the EDR Telemetry configuration
  • Performing manual behavioral tests for telemetry categories not reproducible through existing tools
  • Verifying telemetry visibility in the EDR dashboard
  • Reviewing sanitized raw telemetry logs

🪟 Windows Telemetry Coverage Validation

Activity Category Status Notes
Process Creation Success Telemetry observed
Process Access Success Process injection activity observed
Process Tampering Activity Success Process hollowing telemetry observed
File Creation Success OSTap payload download observed
File Opened / Access Fail Validation limited by test environment. Alternative file access telemetry confirmed via Windows apps.
File Renaming Partial Fake lsass.exe created successfully but execution timed out
Local Account Creation Success User creation and admin assignment observed
Local Account Modification Success Account modification telemetry observed
TCP Connection Fail Telemetry verified using existing network telemetry methods.
URL Activity Success URL telemetry observed
DNS Query Success DNS telemetry observed
File Downloaded Success PowerShell download telemetry observed
Registry Key/Value Creation Success Registry Run Key observed
Registry Key/Value Modification Fail No Windows Atomic test available
Scheduled Task Creation Success Hidden task creation observed
Scheduled Task Modification Success Task modification observed after cleanup
Service Creation Success W64Time service creation observed
Service Modification Fail Fax service unavailable on tested Windows build
Driver Loaded Fail Partial validation performed through kernel driver service activity.
Virtual Disk Mount Fail Manual ISO mount/unmount testing performed; telemetry not directly observed.
Group Policy Modification Success Policy modification observed
Pipe Creation Fail Validated through manual Named Pipe simulation using PowerShell.
WMI Event Consumer to Filter Success WMI persistence telemetry observed
BITS Jobs Activity Success BITS telemetry observed
Script-Block Activity Partial Mimikatz execution observed, sekurlsa::logonpasswords blocked by LSASS access protection (0x00000005)

📊 Telemetry Evidence

Telemetry Evidence Notes
Process Creation event.action=process-created, event.type=creation, event.code=1 Native process telemetry observed
Process Termination event.action=process-exited, event.type=end, event.code=2 Native process telemetry observed
Process Access event.action=process-accessed, provider=Microsoft-Windows-Kernel-Audit-API-Calls, event.code=6 Process access / injection behavior observed
Win32 API Telemetry DllImport("kernel32.dll"), GetCurrentProcess() observed in Script Block Logging (4104) Observed through PowerShell Script Block Logging rather than native Win32 API ETW telemetry
Image/Library Loaded event.action=image-loaded, event.code=5 Library/module loading observed
Remote Thread Creation event.action=thread-created, event.code=3 Strong behavioral evidence of remote thread creation
Process Tampering Activity Process hollowing / tampering behavior observed Behavioral evidence validated
Process Call Stacks process.stack_trace observed Call stack telemetry available
File Creation event.action=file-created, event.code=30 Native file telemetry observed
File Opened event.action=file-opened, event.code=14 Native file telemetry observed
File Modification event.action=file-modified, event.code=16 Native file telemetry observed
File Deletion Remove-Item "$env:TEMP\EDRTestFile.txt" observed in Script Block Logging (4104) Behavioral evidence through PowerShell telemetry
File Renaming File rename behavior observed (lsass.exe rename simulation) Partial evidence due to execution limitation
Local Account Creation User creation and admin assignment observed Native account telemetry observed
Local Account Modification Account modification activity observed Native account telemetry observed
Account Login Login-related account telemetry observed Authentication event telemetry validated
Account Logoff Logoff-related account telemetry observed Authentication event telemetry validated
Local Account Deletion Account deletion behavior observed Partial behavioral evidence
TCP Connection event.category=network, event.action=connection Network telemetry observed
UDP Connection UDP traffic telemetry observed Network telemetry observed
DNS Query DNS telemetry observed Native DNS telemetry validated
URL Activity URL telemetry observed Network activity validated
File Downloaded PowerShell download activity observed Behavioral evidence validated
Script-Block Activity event.code=4104, PowerShell Script Block Logging observed PowerShell behavioral visibility available
Registry Key/Value Creation Registry Run Key observed Registry telemetry validated
Registry Key/Value Modification Registry modification behavior observed Registry telemetry validated
Registry Key/Value Deletion Remove-ItemProperty, Remove-Item HKCU:\Software\EDRTest Observed through PowerShell Script Block Logging (4104)
Scheduled Task Creation Hidden scheduled task observed Scheduler telemetry validated
Scheduled Task Modification Task modification after cleanup observed Scheduler telemetry validated
Service Creation Service installation / creation observed (W64Time, test service) Native service telemetry observed
Service Modification service_status_change observed Service telemetry validated
Driver Loaded Kernel driver service (SERVICE_KERNEL_DRIVER) observed Partial validation through driver service activity
USB Device Mount USB device mount telemetry observed Device telemetry validated
Group Policy Modification HKLM\Software\Policies\Microsoft\Windows\System registry modification observed Observed through PowerShell script block telemetry rather than native Group Policy file monitoring
Volume Shadow Copy Deletion Get-CimInstance Win32_ShadowCopy | Remove-CimInstance Behavioral evidence validated through PowerShell telemetry
Pipe Creation / Connection NamedPipeServerStream, NamedPipeClientStream observed Manual named pipe simulation performed
WmiEventConsumerToFilter WMI binding activity observed WMI persistence telemetry validated
WmiEventConsumer WMI consumer activity observed WMI persistence telemetry validated
WmiEventFilter WMI filter activity observed WMI persistence telemetry validated
BITS Jobs Activity BITS job activity observed Background transfer telemetry validated
Agent Start / Stop / Errors Agent lifecycle events observed Agent telemetry validated
Agent Keep-Alive Heartbeat / keep-alive telemetry observed Limited telemetry visibility

📃 Documentation or Evidence

📋 Proof Document

  • Screenshots attached
  • Sanitized logs provided
  • Official documentation
  • Private documentation

Evidence includes EDR dashboard screenshots and sanitized telemetry logs collected during validation.

Process Telemetry

  • Process Creation, Process Termination, Process Access
cdn
  • Win32 API Telemetry
cdn

Observed through PowerShell Script Block Logging rather than native Win32 API ETW telemetry.

  • Image/Library Loaded, Remote Thread Creation
cdn
  • Process Tampering Activity
cdn
  • Process Call Stacks
cdn

File Telemetry

  • File Creation, File Opened, File Modification
cdn
  • File Deletion
cdn

File deletion behavior observed through PowerShell Script Block Logging (4104).

  • File Renaming
cdn

Account Telemetry

  • Local Account Creation, Local Account Modification
cdn cdn
  • Account Login, Account Logoff
cdn
  • Local Account Deletion
cdn

Network Telemetry

  • TCP Connection, DNS Query
cdn
  • UDP Connection
cdn
  • File Downloaded, URL, Script-Block Activity
cdn

Registry Telemetry

  • Key/Value Creation, Key/Value Modification
cdn
  • Key/Value Deletion
cdn

Scheduled Task Telemetry

  • Scheduled Task Creation, Scheduled Task Modification
cdn

Service Telemetry

  • Service Creation, Service Modification
cdn

Driver Telemetry

  • Driver Loaded
cdn

Device Telemetry

  • USB Device Mount
cdn

Group Policy Telemetry

  • Group Policy Modification
cdn

Observed through PowerShell script block telemetry rather than native Group Policy file monitoring

  • Volume Shadow Copy Deletion
cdn

Pipe Telemetry

  • Pipe Creation
cdn

WMI Telemetry

  • WmiEventConsumerToFilter, WmiEventConsumer, WmiEventFilter
cdn

BITS Telemetry

  • BITS Jobs Activity
cdn

Agent Telemetry

  • Agent Start, Agent Stop, Agent Errors
cdn
  • Agent Keep-Alive
cdn

💡 Type of Contribution

  • Adding a new EDR product that meets eligibility criteria

Additional Notes

All testing was performed in a controlled environment.

Sensitive information present in screenshots and logs has been sanitized where applicable.

Some telemetry categories were validated through behavioral evidence (e.g., PowerShell Script Block Logging, WMI activity, service telemetry, and command execution traces) where native OS-level events were not directly observable within the current telemetry pipeline.

@shine0614 shine0614 changed the title Update EDR_telem_windows.json ASUS AI EDR Windows telemetry Jun 22, 2026
@shine0614 shine0614 marked this pull request as draft June 24, 2026 09:44
@shine0614 shine0614 marked this pull request as ready for review June 24, 2026 09:45
@shine0614 shine0614 marked this pull request as draft June 24, 2026 09:45
@shine0614 shine0614 marked this pull request as ready for review June 24, 2026 09:46
@tsale tsale self-assigned this Jul 6, 2026
@tsale tsale added the under review Evaluating proposal label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

under review Evaluating proposal

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants