No Agent, No Problem: Discovering Remote EDR
Jonathan Johnson
SAINTCON 2025 · Day 1 · Main Track 2
In the SAINTCON talk "No Agent, No Problem: Discovering Remote EDR," Jonathan Johnson, a Principal Windows Product Researcher at Huntress, presented research showing that a fully functional, agentless Endpoint Detection and Response (EDR) solution can be built using only built-in Windows features. The presentation details how **Event Tracing for Windows (ETW)**, together with the **Performance Logs and Alerts (PLA)** protocol and its underlying **DCOM interfaces**, can be used to remotely enumerate, create, and control ETW trace sessions across a network. This approach challenges conventional EDR deployment models and offers a stealthy, resource-efficient method for telemetry collection.