Welcome back to our threat hunting series with Corelight and CrowdStrike. In our previous posts, we armed you with techniques to spot adversaries during Initial Access and how they establish Persistence to maintain their foothold. Now, we're diving into the shadowy dance of Defense Evasion and Lateral Movement.
A successful heist isn't just about breaking in. It's about moving undetected through the building from the lobby to the vault. In the digital world, attackers don't just breach the perimeter… they skillfully evade your security controls to move deeper into your network. These two tactics—evasion and movement—are intrinsically linked. An attacker’s ability to move laterally is almost always dependent on their ability to evade detection.
In this post, we'll explore how you can use Corelight’s rich network telemetry within CrowdStrike’s Next-Gen SIEM to expose these clever adversaries. By understanding how attackers hide, you can better detect and predict their next move.
A quick note for those following the series: while our previous posts highlighted CrowdStrike Falcon LogScale, the queries and concepts here are equally powerful when used within CrowdStrike's Next-Gen SIEM. And for those who want to dive deeper and experiment with these and other threat hunting techniques, you can download our Threat Hunting Guide for CrowdStrike. Feel free to also explore the power of Corelight’s predefined queries, real data, and diverse sample event types with the Corelight Sample Data for Falcon, which is available in the CrowdStrike Marketplace. Keep in mind that this sample data also works with the LogScale Community Edition, so you can play around with it anywhere and anytime.
OK, so let’s get on with it! In the lexicon of the MITRE ATT&CK framework, Defense Evasion is a collection of techniques adversaries use to remain invisible within your network. They often do this by disguising malicious tools as legitimate ones, hiding in legitimate traffic, or abusing trusted system processes. Your job as a hunter is to look past the disguise and recognize the intent. Let's look at a couple of clever techniques from our Corelight for CrowdStrike Threat Hunting Guide that are classic evasion plays.
Microsoft's Background Intelligent Transfer Service (BITS) is a legitimate Windows service used for file transfers, most notably for system updates. Because it's a trusted process, its traffic often sails past basic security filters. Attackers are aware of this and exploit BITS to download malicious payloads or exfiltrate sensitive data.
When BITS uses HTTP, it leaves a distinct User-Agent string (e.g., "Microsoft BITS/7.8"). Hunting for this in your Corelight http logs within CrowdStrike Next-Gen SIEM is a great starting point. The User-Agent alone is not the finding, though: Windows Update and WSUS traffic carries it too, so the real questions are where the BITS client is talking to, and whether it is uploading rather than downloading.
How to hunt:
Finding an attacker using BITS is like catching someone using an office snack cart to sneak stolen goods out of the building, where the vehicle is legitimate, but its use is anything but.
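Here is the BITS hunt expressed as detection logic in Python, as an added example that is not from the Corelight guide or the original post. It runs over constructed Zeek http.log records; the allow-list of expected BITS destinations, the host names and the IPs are all assumptions. It goes one step past the User-Agent check by separating BITS downloads from BITS uploads, which the MS-BITS upload protocol sends with the BITS_POST method.

```python
"""Hunt for Background Intelligent Transfer Service (BITS) abuse in Zeek/Corelight
http.log records.

Added example, not code from the Corelight guide. The http records and the
allow-list of hosts BITS is expected to talk to are constructed for this example;
replace the allow-list with your own update infrastructure."""
import json
from collections import defaultdict

# Hosts where BITS traffic is expected (Windows Update, an internal WSUS). Assumed.
EXPECTED_BITS_HOSTS = {"download.windowsupdate.com", "wsus.corp.example"}

# Constructed Zeek http.log records in JSON-lines form, using Zeek's field names.
SAMPLE_HTTP_LOG = """
{"ts":1.0,"uid":"Ch1","id.orig_h":"10.1.5.20","id.resp_h":"20.0.0.1","id.resp_p":80,"method":"GET","host":"download.windowsupdate.com","uri":"/d/msdownload/update.cab","user_agent":"Microsoft BITS/7.8","status_code":200,"request_body_len":0,"resp_body_len":1048576}
{"ts":2.0,"uid":"Ch2","id.orig_h":"10.1.5.20","id.resp_h":"203.0.113.9","id.resp_p":80,"method":"GET","host":"cdn-updates.example.net","uri":"/svchost.dat","user_agent":"Microsoft BITS/7.8","status_code":200,"request_body_len":0,"resp_body_len":524288}
{"ts":3.0,"uid":"Ch3","id.orig_h":"10.1.5.20","id.resp_h":"203.0.113.9","id.resp_p":80,"method":"BITS_POST","host":"cdn-updates.example.net","uri":"/upload/session-1","user_agent":"Microsoft BITS/7.8","status_code":200,"request_body_len":3145728,"resp_body_len":0}
{"ts":4.0,"uid":"Ch4","id.orig_h":"10.1.5.21","id.resp_h":"198.51.100.7","id.resp_p":80,"method":"GET","host":"www.example.com","uri":"/","user_agent":"Mozilla/5.0","status_code":200,"request_body_len":0,"resp_body_len":2048}
"""


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output (one record per line) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_bits(rec):
    """The BITS client identifies itself with a 'Microsoft BITS/<version>' User-Agent."""
    return rec.get("user_agent", "").startswith("Microsoft BITS/")


def hunt_bits(records, expected_hosts=EXPECTED_BITS_HOSTS):
    """Return BITS transfers to hosts outside the allow-list.

    The User-Agent alone is not suspicious: what matters is whether the
    destination is one BITS should be talking to, and whether data is leaving."""
    findings = []
    for rec in records:
        if not is_bits(rec) or rec.get("host") in expected_hosts:
            continue
        # BITS upload jobs use the BITS_POST method (MS-BITS upload protocol);
        # an upload to an unexpected host is a candidate exfiltration channel.
        if rec.get("method") == "BITS_POST":
            reason, size = "upload", rec.get("request_body_len", 0)
        else:
            reason, size = "download", rec.get("resp_body_len", 0)
        findings.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                         "host": rec.get("host"), "uri": rec.get("uri"),
                         "reason": reason, "bytes": size})
    return findings


def summarize_by_source(findings):
    """Roll findings up per internal host so a hunter can pivot on the noisiest one."""
    summary = defaultdict(lambda: {"download": 0, "upload": 0, "bytes": 0})
    for f in findings:
        summary[f["src"]][f["reason"]] += 1
        summary[f["src"]]["bytes"] += f["bytes"]
    return dict(summary)


if __name__ == "__main__":
    hits = hunt_bits(parse_zeek_json(SAMPLE_HTTP_LOG))
    for h in hits:
        print(f'{h["src"]} -> {h["host"]}{h["uri"]} ({h["reason"]}, {h["bytes"]} bytes, uid {h["uid"]})')
    print(summarize_by_source(hits))
```

In the SIEM the same logic is a filter on user_agent plus a negative match on the expected hosts, grouped by source host; the Python is here so you can see exactly which records survive each step. Note that the Windows Update download (Ch1) drops out on the allow-list, while the same workstation's download from and BITS_POST upload to an unknown server both survive.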
Another clever evasion technique is the installation of a malicious root certificate (MITRE ATT&CK T1553.004, Install Root Certificate). With a rogue root in a compromised host's trust store, every certificate the attacker issues chains to it and validates cleanly on that host: no browser or OS warnings fire, the attacker's C2 servers look legitimate, and the attacker can even stand in the middle of the host's own TLS sessions. The evasion is aimed at the endpoint's trust checks; the traffic is still encrypted, so any inspection that relies on the endpoint complaining sees nothing wrong.
Corelight's ssl and x509 logs are your best friends here. They give you deep visibility into every TLS/SSL session, even if you can't see the payload.
How to hunt:
- In the ssl log, filter for connections where the validation_status is not "ok". Pay special attention to self-signed certificates. Keep in mind that validation_status reflects the sensor's own trust store, not the compromised host's: a root the attacker planted on the endpoint is never trusted by the sensor, which is exactly why the network sees a failed validation while the host sees nothing wrong.
- Correlate the ssl log to the conn log (they share the uid field). Is this a long-lived connection? Is it transferring an unusual amount of data? These additional clues can help you identify a malicious C2 channel that may be hiding in plain sight.
Once an attacker has established a foothold with methods to evade your defenses, their next logical step is to move laterally to access even more valuable systems. Let's look at how evasion tactics directly enable some of the common lateral movement techniques.
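Before moving on to lateral movement, here is the ssl-to-conn correlation from the certificate hunt above as an added Python example; it is not the guide's own query or Corelight code. It runs over constructed Zeek ssl.log and conn.log records, joins them on uid, and scores each validation failure. The "long-lived" and "large transfer" thresholds and the rule that an internal self-signed certificate alone is noise are assumptions to tune for your environment.

```python
"""Hunt for TLS sessions whose server certificate failed validation, then enrich
each one from the matching conn record to judge whether it looks like a C2 channel.

Added example, not code from the Corelight guide. The ssl.log and conn.log records
are constructed, and the "long-lived" and "large transfer" thresholds are assumptions
to tune for your environment."""
import ipaddress
import json

LONG_LIVED_SECONDS = 3600         # assumed: an hour-plus TLS session is worth a look
LARGE_TRANSFER_BYTES = 1_000_000  # assumed: about 1 MB in either direction

# Constructed Zeek ssl.log records. validation_status is Zeek's verdict against the
# sensor's own root store, so a root planted on the endpoint does not change it.
SAMPLE_SSL_LOG = """
{"ts":100.0,"uid":"Cs1","id.orig_h":"10.1.5.20","id.resp_h":"203.0.113.50","id.resp_p":443,"server_name":"update-cdn.example.net","subject":"CN=update-cdn.example.net","issuer":"CN=update-cdn.example.net","validation_status":"self signed certificate","established":true}
{"ts":101.0,"uid":"Cs2","id.orig_h":"10.1.5.21","id.resp_h":"93.184.216.34","id.resp_p":443,"server_name":"www.example.com","subject":"CN=www.example.com","issuer":"CN=Example Public CA","validation_status":"ok","established":true}
{"ts":102.0,"uid":"Cs3","id.orig_h":"10.1.5.22","id.resp_h":"10.1.0.9","id.resp_p":8443,"server_name":"printer.corp.example","subject":"CN=printer.corp.example","issuer":"CN=printer.corp.example","validation_status":"self signed certificate","established":true}
{"ts":103.0,"uid":"Cs4","id.orig_h":"10.1.5.23","id.resp_h":"198.51.100.12","id.resp_p":443,"server_name":"portal.example.org","subject":"CN=portal.example.org","issuer":"CN=Evil Root CA","validation_status":"unable to get local issuer certificate","established":true}
"""

# Constructed Zeek conn.log records for the same sessions (same uid).
SAMPLE_CONN_LOG = """
{"ts":100.0,"uid":"Cs1","id.orig_h":"10.1.5.20","id.resp_h":"203.0.113.50","id.resp_p":443,"proto":"tcp","service":"ssl","duration":7212.4,"orig_bytes":18400,"resp_bytes":96000,"conn_state":"S1"}
{"ts":101.0,"uid":"Cs2","id.orig_h":"10.1.5.21","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.8,"orig_bytes":1200,"resp_bytes":54000,"conn_state":"SF"}
{"ts":102.0,"uid":"Cs3","id.orig_h":"10.1.5.22","id.resp_h":"10.1.0.9","id.resp_p":8443,"proto":"tcp","service":"ssl","duration":2.1,"orig_bytes":900,"resp_bytes":4100,"conn_state":"SF"}
{"ts":103.0,"uid":"Cs4","id.orig_h":"10.1.5.23","id.resp_h":"198.51.100.12","id.resp_p":443,"proto":"tcp","service":"ssl","duration":45.0,"orig_bytes":2500000,"resp_bytes":8000,"conn_state":"SF"}
"""


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output (one record per line) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def untrusted_sessions(ssl_records):
    """ssl.log rows where the sensor could not validate the server certificate."""
    return [r for r in ssl_records if r.get("validation_status", "ok") != "ok"]


def enrich_with_conn(ssl_hits, conn_records):
    """Join each ssl hit to its conn record on uid, carrying over duration and volume."""
    conn_by_uid = {c["uid"]: c for c in conn_records}
    enriched = []
    for s in ssl_hits:
        c = conn_by_uid.get(s["uid"], {})
        enriched.append({**s, "duration": c.get("duration", 0.0),
                         "orig_bytes": c.get("orig_bytes", 0),
                         "resp_bytes": c.get("resp_bytes", 0)})
    return enriched


def c2_indicators(session, long_lived=LONG_LIVED_SECONDS, large=LARGE_TRANSFER_BYTES):
    """Reasons a validation failure deserves a second look; an empty list means noise."""
    reasons = []
    if "self signed" in session["validation_status"]:
        reasons.append("self-signed certificate")
    if session["duration"] >= long_lived:
        reasons.append(f"long-lived session ({session['duration']:.0f}s)")
    if max(session["orig_bytes"], session["resp_bytes"]) >= large:
        reasons.append("large transfer")
    # Assumed triage rule: internal appliances (printers, management UIs) commonly
    # present self-signed certs, so that alone is not a finding for a private server.
    if reasons == ["self-signed certificate"] and ipaddress.ip_address(session["id.resp_h"]).is_private:
        return []
    return reasons


def hunt_rogue_tls(ssl_text, conn_text):
    """End to end: parse both logs, keep untrusted sessions, enrich, score. Returns uid -> reasons."""
    sessions = enrich_with_conn(untrusted_sessions(parse_zeek_json(ssl_text)),
                                parse_zeek_json(conn_text))
    return {s["uid"]: c2_indicators(s) for s in sessions if c2_indicators(s)}


if __name__ == "__main__":
    for uid, reasons in hunt_rogue_tls(SAMPLE_SSL_LOG, SAMPLE_CONN_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

Of the three validation failures, the internal printer (Cs3) is dropped as expected noise, the two-hour self-signed session to an external host (Cs1) and the 2.5 MB upload to a server whose issuer the sensor has never seen (Cs4) are what a hunter would open first. The public-CA session (Cs2) never enters the queue because its validation_status is "ok".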
RDP is a go-to tool for attackers moving within a Windows environment. It gives them full graphical control of a remote machine. While legitimate RDP use is common, anomalous patterns can uncover an attacker's presence.
An attacker might use a technique like Port Knocking to open the RDP port (TCP/3389) on a target machine only when they send a specific, secret sequence of connection attempts. Once the "knock" is received, the port opens, and the attacker can move in. To a casual observer, the RDP port appears closed, evading simple network scans.
How to hunt:
- Use the conn log in CrowdStrike Next-Gen SIEM to look for strange connection sequences. A series of failed or rejected connections (conn_state S0, an attempt that got no reply, or REJ, an attempt that was actively rejected) from one host to another, immediately followed by a successful RDP connection on TCP/3389, could be the tell-tale sign of port knocking. The knock daemon hides the port from scanners, but every knock still produces a conn record on the wire.
- In the rdp log, look for unusual keyboard layouts (e.g., a Russian keyboard layout in a US-only environment) or multiple failed login attempts from the same source IP. Also, monitor the cookie field (typically the username the client sent in its connection request) to track distinct user sessions across multiple connections.
Windows systems have hidden network shares, like C$ and ADMIN$, that are accessible only to administrators and provide the ability for remote file copying and other administrative functions. These hidden shares are primary targets for attackers looking to copy malware to other systems or steal sensitive files.
Once inside your network, attackers can easily impersonate legitimate administrators to authenticate to these hidden shares, allowing them to copy malware and extract sensitive files covertly as they move across the network.
How to hunt:
- The smb_mapping and smb_files logs provide granular details on who is accessing what. In CrowdStrike Next-Gen SIEM, search for access to paths containing C$, ADMIN$, or IPC$ that originate from non-administrative workstations. Jump hosts and management servers map these shares legitimately, so keep an allow-list of the hosts expected to do so and treat everything else as worth a look.
A recent and sobering example of defense evasion paired with lateral movement comes from the Akira ransomware campaign, a global assault that so far has netted hundreds of victims by chaining tried-and-true tactics in new and innovative ways. It works because Akira’s operators exploit internet-facing network system vulnerabilities to gain initial access, which CrowdStrike and other research teams report is happening much more often. However, their real effectiveness stems from well-executed evasion and rapid internal movement. For instance, once inside, they harvest credentials (notably through Kerberoasting attacks) and reuse valid accounts to quietly disable security controls. Leveraging tools like AnyDesk and WinRM, Akira’s affiliates move laterally, jumping between systems, blending in with legitimate traffic, and evading endpoint defenses. Their breakout times clocked in at under 90 minutes in some cases, far outpacing traditional response workflows.
This attack pattern, while sophisticated, aligns closely with what Corelight is designed to detect. By analyzing east-west traffic, highlighting spikes in Kerberos ticket activity, identifying anomalies in TLS handshakes, and correlating the evasion and lateral movement signals we outline in our Threat Hunting Guide, Corelight provides the network ground truth that exposes adversaries—not just after the fact, but as events unfold. In fact, our customers love us for helping them spot lateral movement activity early and uncover threats before they become headline news. If the organizations targeted by Akira had this level of ground-truth visibility, their outcomes might have looked very different.
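Before wrapping up, here are the two lateral-movement hunts described above, the port-knock-then-RDP sequence with rdp log enrichment and hidden-share access from non-admin hosts, as one added Python example; it is not the guide's own query or Corelight code. It runs over constructed Zeek conn.log, rdp.log and smb_mapping records. The knock window, the minimum knock count, the expected keyboard layouts and the admin host list are assumptions, and the share pattern is generalized slightly beyond C$/ADMIN$/IPC$ to any single-letter drive share.

```python
"""Two lateral-movement hunts over Zeek/Corelight logs: (1) a port-knock sequence,
i.e. several S0/REJ attempts from one host to another followed within a short window
by an established TCP/3389 connection, enriched with rdp.log keyboard layout and
cookie; (2) hidden administrative share access (C$, ADMIN$, IPC$ and other <drive>$
shares) in smb_mapping from hosts outside the admin set.

Added example, not code from the Corelight guide. All records, the knock window,
the expected keyboard layouts and the admin host list are constructed assumptions."""
import json
import re
from collections import defaultdict

KNOCK_WINDOW_SECONDS = 30         # assumed: knocks land within seconds of the RDP connect
MIN_KNOCKS = 3                    # assumed: fewer than this is ordinary scanning noise
ADMIN_HOSTS = {"10.0.0.5"}        # assumed: the only jump host allowed to map admin shares
EXPECTED_LAYOUTS = {"English - United States"}  # assumed: US-only environment
FAILED_STATES = {"S0", "REJ"}     # S0: SYN with no reply; REJ: connection rejected
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}  # handshake completed
# \\host\X$ where X is a drive letter, ADMIN or IPC (generalized from the C$/ADMIN$/IPC$ list)
HIDDEN_SHARE = re.compile(r"^\\\\[^\\]+\\([A-Z]|ADMIN|IPC)\$$", re.IGNORECASE)

# Constructed Zeek records in JSON-lines form (raw strings keep the UNC backslashes intact).
SAMPLE_CONN_LOG = r"""
{"ts":1000.0,"uid":"Ck1","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":7000,"proto":"tcp","conn_state":"REJ"}
{"ts":1000.4,"uid":"Ck2","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":8000,"proto":"tcp","conn_state":"S0"}
{"ts":1000.9,"uid":"Ck3","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":9000,"proto":"tcp","conn_state":"REJ"}
{"ts":1002.5,"uid":"Ck4","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"S1"}
{"ts":2000.0,"uid":"Ca1","id.orig_h":"10.0.0.5","id.resp_h":"10.1.7.30","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
"""
SAMPLE_RDP_LOG = r"""
{"ts":1002.6,"uid":"Ck4","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":3389,"cookie":"svc_backup","keyboard_layout":"Russian","result":"Success"}
{"ts":2000.1,"uid":"Ca1","id.orig_h":"10.0.0.5","id.resp_h":"10.1.7.30","id.resp_p":3389,"cookie":"jdoe-admin","keyboard_layout":"English - United States","result":"Success"}
"""
SAMPLE_SMB_MAPPING_LOG = r"""
{"ts":1010.0,"uid":"Cm1","id.orig_h":"10.1.5.20","id.resp_h":"10.1.7.30","id.resp_p":445,"path":"\\\\10.1.7.30\\ADMIN$","share_type":"DISK"}
{"ts":1011.0,"uid":"Cm2","id.orig_h":"10.0.0.5","id.resp_h":"10.1.7.30","id.resp_p":445,"path":"\\\\10.1.7.30\\C$","share_type":"DISK"}
{"ts":1012.0,"uid":"Cm3","id.orig_h":"10.1.5.21","id.resp_h":"10.1.7.30","id.resp_p":445,"path":"\\\\10.1.7.30\\Public","share_type":"DISK"}
{"ts":1013.0,"uid":"Cm4","id.orig_h":"10.1.5.22","id.resp_h":"10.1.7.30","id.resp_p":445,"path":"\\\\10.1.7.30\\IPC$","share_type":"PIPE"}
"""


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output (one record per line) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_port_knocks(conn_records, min_knocks=MIN_KNOCKS, window=KNOCK_WINDOW_SECONDS):
    """Find (src, dst) pairs where at least min_knocks failed attempts precede an
    established TCP/3389 connection within `window` seconds; one hit per RDP session."""
    by_pair = defaultdict(list)
    for r in conn_records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)
    hits = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["id.resp_p"] != 3389 or r["conn_state"] not in ESTABLISHED_STATES:
                continue
            knocks = [k for k in recs[:i]
                      if k["conn_state"] in FAILED_STATES and r["ts"] - k["ts"] <= window]
            if len(knocks) >= min_knocks:
                hits.append({"src": src, "dst": dst, "rdp_uid": r["uid"],
                             "knock_ports": [k["id.resp_p"] for k in knocks]})
    return hits


def enrich_with_rdp(hits, rdp_records, expected_layouts=EXPECTED_LAYOUTS):
    """Attach rdp.log context (cookie is typically the username the client sent) and
    flag keyboard layouts that do not belong in this environment."""
    rdp_by_uid = {r["uid"]: r for r in rdp_records}
    out = []
    for h in hits:
        r = rdp_by_uid.get(h["rdp_uid"], {})
        layout = r.get("keyboard_layout")
        out.append({**h, "cookie": r.get("cookie"), "keyboard_layout": layout,
                    "unexpected_layout": layout is not None and layout not in expected_layouts})
    return out


def hunt_hidden_shares(smb_mapping_records, admin_hosts=ADMIN_HOSTS):
    """smb_mapping rows that map a hidden administrative share from a non-admin host."""
    return [{"uid": r["uid"], "src": r["id.orig_h"], "dst": r["id.resp_h"], "path": r["path"]}
            for r in smb_mapping_records
            if HIDDEN_SHARE.match(r.get("path", "")) and r["id.orig_h"] not in admin_hosts]


if __name__ == "__main__":
    knocks = enrich_with_rdp(detect_port_knocks(parse_zeek_json(SAMPLE_CONN_LOG)),
                             parse_zeek_json(SAMPLE_RDP_LOG))
    for k in knocks:
        print(f'port knock {k["src"]} -> {k["dst"]} on {k["knock_ports"]} then RDP '
              f'(cookie={k["cookie"]}, layout={k["keyboard_layout"]}, odd={k["unexpected_layout"]})')
    for s in hunt_hidden_shares(parse_zeek_json(SAMPLE_SMB_MAPPING_LOG)):
        print(f'hidden share {s["src"]} -> {s["path"]} (uid {s["uid"]})')
```

The jump host's plain RDP session (Ca1) and its C$ mapping (Cm2) both pass, while the workstation that knocked on three ports, logged in with a Russian layout and then mapped ADMIN$ on the same target shows up in both hunts. Grouping by the source/destination pair first is what keeps unrelated scanning noise from being mistaken for a knock sequence.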
Threat hunting isn't about finding a single indicator of compromise– it's about understanding the attacker's playbook. Defense Evasion and Lateral Movement are two sides of the same coin. By hunting for the subtle ways attackers hide, you become far more effective at detecting their movements across your network. Corelight’s deep integration across the CrowdStrike Falcon platform provides threat hunters with a unique advantage, combining ground-truth network evidence with the high-speed search capabilities of an AI-native SIEM platform.
Leveraging Charlotte AI can further empower threat hunting by translating natural language questions directly into the CrowdStrike Query Language (CQL) needed to search rich, comprehensive Corelight logs. This enables teams to detect and respond to even the most elusive threats with speed and precision.
We’ve only covered a sample of the common hunting techniques attackers are finding success with. If you want to go deeper, I encourage you to download our comprehensive Corelight Threat Hunting Guide for CrowdStrike, which provides the evidence-based strategies you need to turn knowledge into action. Remember, adversaries are constantly refining their tactics, but with the right visibility, a proactive mindset, and a little practice, you can stay a step or two ahead of them.