Forum Discussion
Alerts don't work? - EDR source
Hi DylanInfosec,
thank you very much for the explanation on the rdp part, it was very thorough.
At the moment I'm more interested in the Linux part because I ran various tests with https://github.com/redcanaryco/atomic-red-team and I can't understand if it's normal that they aren't detected, but probably it is.
This is the rootkit test that I mentioned and I can't see the alert:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider
I also tried these https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md and these work, with the alert:
I also ran the default onboarding test on Linux (as you mentioned before) and it works as expected, so Defender is installed correctly.
So my opinion at the moment is that the Windows part is accurate.
The Linux part, instead, not so much.
Thanks in advance for the help
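As an added example that is not part of this thread or of the atomic-red-team project: both tests above (T1014 atomic test 3 and T1574.006) rely on the dynamic linker loading an extra shared object, either system-wide via /etc/ld.so.preload or per process via LD_PRELOAD. The helper below parses those two sources the way a Linux sensor would have to in order to raise such an alert; the file and environment contents are constructed samples, and the function names are my own.

```python
"""Detect dynamic-linker preload hooks (the mechanism behind T1014 test 3 / T1574.006).

Hypothetical helper, not taken from atomic-red-team or from any EDR product.
It parses the contents of /etc/ld.so.preload (whitespace-separated list of
shared objects) and a /proc/<pid>/environ block (NUL-separated KEY=VALUE
entries) and returns every preloaded library it finds.
"""
from pathlib import Path

# Constructed sample of an /etc/ld.so.preload left behind by a preload rootkit.
SAMPLE_PRELOAD_FILE = "/usr/local/lib/libprocesshider.so\n\n"
# Constructed sample of /proc/<pid>/environ (NUL-separated, as the kernel exposes it).
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/libevil.so:/lib/libfoo.so\x00HOME=/root\x00"


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the shared objects listed in ld.so.preload; blank lines are skipped."""
    libs: list[str] = []
    for line in text.splitlines():
        libs.extend(line.split())  # the loader accepts whitespace-separated entries
    return libs


def parse_ld_preload_env(environ: bytes) -> list[str]:
    """Return LD_PRELOAD entries from a NUL-separated environment block.

    ld.so accepts either colons or spaces as separators, so both are handled.
    """
    for entry in environ.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()
    return []


def findings(preload_text: str, environ: bytes) -> list[str]:
    """Combine both sources into human-readable findings for an alert."""
    out = [f"system-wide preload: {lib}" for lib in parse_ld_so_preload(preload_text)]
    out += [f"process LD_PRELOAD: {lib}" for lib in parse_ld_preload_env(environ)]
    return out


if __name__ == "__main__":
    # On a live host, read Path("/etc/ld.so.preload") and Path(f"/proc/{pid}/environ")
    # for each pid instead of the constructed samples.
    for finding in findings(SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRON):
        print(finding)
```

A sensor that does not surface these two sources (or the write to /etc/ld.so.preload itself) has no data to alert on for this technique, which is the first thing to check before concluding the Linux coverage is weak.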