CTI Analysis: Hunting Defense Evasion & Lateral Movement (T1055, T1021)

Danger

Executive Summary: Once a threat actor establishes persistence, their objectives diverge into two parallel operational tracks: spreading across the network to locate the “Crown Jewels,” and blinding the Security Operations Center (SOC) to mask their presence. In the MITRE ATT&CK framework, this is the domain of Lateral Movement (TA0008) and the newly split evasion tactics (Stealth - TA0005 and Defense Impairment - TA0112). For DFIR analysts, hunting these phases requires pivoting from static disk artifacts to advanced memory forensics, network telemetry, and log tampering detection.

1. Blinding the SOC: Defense Impairment & Indicator Removal

Before moving laterally, sophisticated adversaries ensure their tracks are covered. With the release of ATT&CK v19 (April 2026), MITRE formally separated passive stealth from active sabotage.

A. Disable or Modify Tools (T1685)

(Formerly T1562 - Impair Defenses) Modern ransomware operators and APTs actively target Endpoint Detection and Response (EDR) agents. They utilize “Bring Your Own Vulnerable Driver” (BYOVD) attacks to gain kernel-level access and terminate EDR processes or blind their telemetry pipelines.

• DFIR Pivot: Analysts must monitor for the unexpected cessation of Sysmon Telemetry or sudden service termination events (Event ID 7036) affecting known security services.

B. Indicator Removal: Clear Windows Event Logs (T1070.001)

Erasing the flight recorder is the oldest trick in the anti-forensics playbook. Adversaries use wevtutil cl or PowerShell’s Clear-EventLog to wipe their execution history.

• The Telemetry: As detailed in our EVTX Analysis Guide, the act of clearing a log generates an indelible alert.
• Hunting Focus: Alert immediately on Security Event ID 1102 (The audit log was cleared) and System Event ID 104. If these events trigger outside of an authorized IT maintenance window, it is definitive proof of an active, highly privileged intrusion.

2. The Invisible Threat: Process Injection (T1055)

To evade process-based firewalls and application whitelisting (Stealth - TA0005), attackers avoid running custom binaries directly. Instead, they inject their malicious code into the memory space of a legitimate, running Windows process.

As explored in our comprehensive Process Injection Foundations, this technique fundamentally breaks traditional process lineage (Event 4688) monitoring.

Dynamic Resolution & Injection

Attackers use APIs like VirtualAllocEx and WriteProcessMemory to push their payload (e.g., a Cobalt Strike beacon) into processes like explorer.exe or svchost.exe. Hunting Focus: Monitor Sysmon Event ID 8 (CreateRemoteThread) and Sysmon Event ID 10 (ProcessAccess). Any non-system process opening a highly privileged handle to a core Windows binary is suspect.

Advanced Evasion (Next-Gen)

To bypass EDR API hooking, modern adversaries utilize Module Stomping and Memory Mirroring. DFIR Pivot: Live response memory forensics is required. Analysts must use Volatility 3 (e.g., the windows.malfind plugin) to locate executable memory pages (PAGE_EXECUTE_READWRITE) that are unbacked by files on disk.

3. Spreading the Infection: Remote Services (T1021)

Lateral Movement is the mechanism by which a localized breach escalates into a total domain compromise. Adversaries overwhelmingly prefer to “Live off the Land” by abusing native Windows remote administration protocols.

A. SMB/Windows Admin Shares (T1021.002)

Server Message Block (SMB) is the silent, scriptable weapon of choice. Threat actors leverage stolen credentials to access hidden administrative shares (C$, ADMIN$).

• The Execution: They use tools like PsExec or WMI to drop a payload and execute it remotely.
• The Telemetry: Hunt for Event 4624 (Logon Type 3 - Network) originating from workstation IPs rather than domain controllers. Correlate this with Event 5145 (Network Share Object Access) targeting the IPC$ share, which reveals the usage of Named Pipes for C2 communication.

B. Remote Desktop Protocol (T1021.001)

When adversaries require graphical interaction (e.g., to manually disable an antivirus GUI or interact with a complex business application), they pivot to RDP.

• The Telemetry: As outlined in our SMB vs. RDP Playbook, RDP leaves loud, highly visible traces. Analysts must hunt for Event 4624 (Logon Type 10 - RemoteInteractive).
• DFIR Pivot: For a comprehensive timeline, investigate the Remote Desktop Services (RDS) Operational Logs (Events 21, 24, 25) to determine exactly when the attacker connected, disconnected, and reconnected to the hijacked session.

4. Detection Engineering (Actionable Queries)

Deploy the following queries in your SIEM to proactively hunt for the destruction of forensic evidence and the primary vectors of lateral movement.

KQL (Indicator Removal)

hunt_t1070_log_wiping.kql

// Mitre ATT&CK: T1070.001 (Clear Windows Event Logs)
// Detects the deletion of critical Windows event logs, a massive anti-forensic red flag.
SecurityEvent
| where EventID == 1102 or EventID == 104
| project TimeGenerated, Computer, Account, EventID, Activity
// Join with Process Creation to see what ran immediately prior to the wipe
| join kind=leftouter (
    SecurityEvent
    | where EventID == 4688
    | project ProcessTime = TimeGenerated, Computer, Account, ProcessCommandLine
) on Computer, Account
| where ProcessTime between ((TimeGenerated - 5m) .. TimeGenerated)
| sort by TimeGenerated desc

Sigma (RDP Lateral Movement)

sigma_t1021_rdp_lateral_movement.yaml

title: Internal RDP Lateral Movement (Logon Type 10)
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: stable
description: Detects successful Remote Desktop (RDP) logons originating from internal workstation IP ranges, highly indicative of lateral movement.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        # Target administrative or service accounts
        TargetUserName|contains|any:
            - 'admin'
            - 'svc_'
    filter_external:
        # Focus purely on internal-to-internal lateral movement
        IpAddress|startswith:
            - '10.'
            - '172.16.'
            - '192.168.'
    # Filter out expected IT admin jump boxes
    filter_authorized_jumpbox:
        IpAddress: '10.0.50.100'
    condition: selection and filter_internal and not filter_authorized_jumpbox
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.001

5. Conclusion

Hunting for Defense Evasion and Lateral Movement requires an analyst to shift from looking at what is executing to how the environment is behaving. A single cleared log file, a sudden spike in SMB traffic to the ADMIN$ share, or an unbacked executable memory page are the silent alarms of a network under active siege.

By combining the methodologies detailed across this MITRE ATT&CK series—from Initial Access and Persistence to Lateral Movement—DFIR teams can construct a comprehensive, interlocking web of detection that traps adversaries at every stage of their operation.

---

Sources & References

• MITRE ATT&CK: Defense Evasion (TA0005) & Defense Impairment (TA0112)
• MITRE ATT&CK: Lateral Movement (TA0008)
• Related Analysis: Decoding the MITRE ATT&CK v19 Update
• Related Playbook: Lateral Movement: SMB vs. RDP