EDR has become the cornerstone of modern detection strategies, and rightfully so. But beneath its polished dashboards lies an inconvenient truth: EDR telemetry is constrained by design. Vendors must balance coverage against performance, cost, and stability, leaving defenders with blind spots that are poorly documented and rarely configurable. Even when EDRs do monitor certain events such as registry key modifications, coverage is not guaranteed across all keys. Defenders often discover these gaps through trial and error, and coverage can shift silently between EDR updates. This is the cost of relying on black boxes. We believe defenders need to reclaim certain capabilities, whether to fill those gaps or to duplicate logging as an additional safety net.
Meanwhile, Windows has quietly offered a powerful, underutilized capability for years: System Access Control Lists (SACLs). These native audit mechanisms allow granular monitoring of access to securable objects, including read operations that some major EDRs simply ignore. This gap matters. Detecting reconnaissance, credential access, or stealthy data collection often depends on visibility into exactly these events. SACLs also unlock a particularly elegant detection strategy: honeypot accounts. By auditing read access to decoy objects in Active Directory, defenders can catch enumeration activity with very low false positives, something EDR telemetry alone cannot achieve.
This talk begins with a technical primer on SACLs: what they are, what they look like, and what kind of events they produce. From there, we will examine what EDRs miss and why, then demonstrate that while default SACL configurations exist on Windows Server and Domain Controllers, they are insufficient in certain conditions. We will walk through real-world examples such as DCSync where default audit settings fail to generate the events defenders expect. We will also briefly discuss the limitations of SACLs themselves, because no solution is without trade-offs.
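The two scenarios above (a honeypot account whose reads are audited, and the DCSync replication rights whose use is audited) can be configured with nothing but the built-in ActiveDirectory module. The script below is an added example written for this page; it is not the talk's tool and not a rule the authors published. It assumes an elevated, domain-joined PowerShell session holding SeSecurityPrivilege, a decoy account named `svc-legacy-backup` that already exists, and a helper named `Add-AdAuditAce` introduced here for the example. The two extended-right GUIDs are the well-known schema identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example (not the talk's tool): put audit ACEs on a decoy account and on the
# domain head for the DCSync replication rights, then read the SACL back.
# Assumptions: ActiveDirectory module available, elevated session with
# SeSecurityPrivilege, decoy user 'svc-legacy-backup' exists. Test in a lab first.
Import-Module ActiveDirectory

# S-1-1-0 is Everyone: the point of a decoy is that nobody legitimate should read it.
$Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

function Add-AdAuditAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,                       # non-empty => object-specific ACE
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success'
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is required: without it Get-Acl returns the DACL only and Set-Acl leaves the SACL alone.
    $acl = Get-Acl -Path $path -Audit
    $inh = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    if ($ObjectType -eq [guid]::Empty) {
        $ace = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($Everyone, $Rights, $Flags, $inh)
    } else {
        $ace = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($Everyone, $Rights, $Flags, $ObjectType, $inh)
    }
    $acl.AddAuditRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# 1. Honeypot account: audit every successful property read on the decoy object.
$decoyDn = (Get-ADUser -Identity 'svc-legacy-backup').DistinguishedName
Add-AdAuditAce -DistinguishedName $decoyDn -Rights ReadProperty

# 2. DCSync: audit successful use of the replication extended rights on the domain NC head.
$domainDn   = (Get-ADDomain).DistinguishedName
$replRights = @{
    'DS-Replication-Get-Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
foreach ($guid in $replRights.Values) {
    Add-AdAuditAce -DistinguishedName $domainDn -Rights ExtendedRight -ObjectType ([guid]$guid)
}

# 3. A SACL produces nothing unless the matching audit subcategory is on.
#    Directory object access surfaces as event 4662 in the Security log.
auditpol /set /subcategory:"Directory Service Access" /success:enable

# 4. Read the SACLs back (what a verification mode would compare against its expected state).
foreach ($dn in $decoyDn, $domainDn) {
    "--- $dn"
    (Get-Acl -Path "AD:\$dn" -Audit).Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AuditFlags
}
```

Two practical caveats: the decoy ACE audits reads by anyone, so your own inventory scripts, backup agents and the SIEM collector will also trip it until you allow-list their accounts in the detection rule; and the replication ACE only tells you that the right was exercised, so pair the 4662 with the requesting account and source host before paging anyone.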
Our research has focused on three object types: files, registry keys, and Active Directory objects. While we cannot disclose every detection rule we have developed and deployed, we will share some configurations that are well-established, essential, and probably should have been enabled by default.
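For the other two object types, the mechanism is the same but the ACE classes and audit subcategories differ. The script below is an added example for this page, not the authors' configuration: it creates a decoy file and a decoy registry key (the paths are placeholders chosen here), audits successful reads on both, and reads the SACLs back. It assumes an elevated PowerShell session and a helper named `Add-ObjectAuditAce` introduced for the example.

```powershell
# Added example (not the talk's tool): audit successful reads on a decoy file and a
# decoy registry key. Assumptions: elevated session; the paths below are placeholders
# created here purely for the example.
$decoyFile = 'C:\Deploy\passwords.kdbx'
$decoyKey  = 'HKLM:\SOFTWARE\Contoso\LegacyAgent'

New-Item -Path (Split-Path $decoyFile) -ItemType Directory -Force | Out-Null
Set-Content -Path $decoyFile -Value 'decoy'          # content is irrelevant; the read is what we audit
New-Item -Path $decoyKey -Force | Out-Null

function Add-ObjectAuditAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.AuditRule]$Rule
    )
    # -Audit pulls the SACL; Set-Acl then writes it back together with the rest of the descriptor.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($Rule)                          # runtime type picks the File/Registry overload
    Set-Acl -Path $Path -AclObject $acl
}

# File: any successful ReadData by anyone. With "Audit File System" on this yields event 4663.
$fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
Add-ObjectAuditAce -Path $decoyFile -Rule $fileRule

# Registry: ReadKey covers QueryValues, EnumerateSubKeys, Notify and ReadPermissions.
# ContainerInherit makes subkeys created later inherit the ACE. Yields 4663 with "Audit Registry" on.
$regRule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
Add-ObjectAuditAce -Path $decoyKey -Rule $regRule

# Enable the Object Access subcategories that actually emit the events.
auditpol /set /subcategory:"File System" /success:enable
auditpol /set /subcategory:"Registry"    /success:enable

# Read back: this is the check a verification pass would run against each host.
foreach ($p in $decoyFile, $decoyKey) {
    "--- $p"
    (Get-Acl -Path $p -Audit).Audit | Select-Object IdentityReference, AuditFlags, *Rights
}
```

Note that 4663 for the file will also fire for antivirus scans and backup jobs that open the file for read, so the decoy path should live somewhere those agents are excluded or the rule should filter on the process name reported in the event.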
Beyond the theory, we will address the real barrier to SACL adoption: maintenance and deployment at scale. Managing SACLs manually across an enterprise is painful and hard to sustain, which is why most organizations never start. To solve this, we developed an open-source tool built around a PowerShell module and YAML-based configuration files. The tool is vendor-agnostic, easy to deploy, and enterprise-grade, designed for production use from day one. It includes four key capabilities: YAML-driven SACL deployment (single or bulk), a verification mode to audit existing configurations, a generator that converts manually configured SACLs into YAML templates, and a CI/CD-ready linter to catch configuration errors before deployment. Our goal is to lower the barrier to entry and make SACL-based detection accessible to any organization willing to invest a few hours.
Attendees will leave with a concrete methodology to extend their detection coverage beyond EDR limitations, along with a production-ready tool they can deploy immediately.

