Detecting EDR Evasion with Corelight Open NDR
This video walks through how Corelight Open NDR helps security teams detect EDR evasion by providing network-level visibility into every asset, including devices that cannot run an endpoint agent. Using a real-world scenario, it shows how anomaly detection surfaces suspicious activity and maps the resulting events directly to MITRE ATT&CK techniques. The investigation starts from an anomalous user agent, which ultimately leads to a Linux privilege escalation toolkit. Through detailed network traffic analysis and automatically generated plain-English descriptions, Corelight shows how an attacker exploited a network appliance that cannot be protected by an EDR agent. The walkthrough closes by emphasizing how Corelight Open NDR helps teams identify and remove hidden attackers from their environment.
00:00 Introduction to EDR Evasion
00:16 Starting the Shift: Initial Detection
00:28 Analyzing the Anomaly
00:56 Investigating the Source and Destination
01:39 Suspicious Activity and High Severity Detection
02:02 Understanding the Exploit
03:09 Conclusion: Comprehensive Visibility with Corelight
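The hunt shown in the video starts from a user agent that stands out from the rest of the network's HTTP traffic. The following is an added example, not Corelight's code and not content from the video: it reproduces that first step with a simple frequency baseline over Zeek http.log records (the log format Corelight sensors emit) and then pivots on the flagged user agent to the source and destination, as the investigation in the video does. Every log line, address, URI, user-agent string and threshold below is constructed for the example; the field list is a subset of the real http.log columns.

```python
"""Rarity-based user-agent anomaly detection over Zeek http.log records.

Added example, not Corelight's own code. The http.log excerpt is
constructed: a baseline of browser traffic from workstations plus one
scripted request from a network appliance that cannot run an EDR agent.
"""
from collections import Counter, defaultdict

# Constructed user-agent strings for the sample traffic.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0 Safari/537.36"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
SCRIPTED = "python-requests/2.31.0"

# Subset of real Zeek http.log columns, in Zeek's tab-separated layout.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "method", "host", "uri", "user_agent", "status_code"]


def _rec(ts, uid, src, dst, host, uri, ua, status="200"):
    """Build one constructed http.log record in Zeek TSV form."""
    return "\t".join([f"{ts:.6f}", uid, src, "51000", dst, "80", "GET",
                      host, uri, ua, status])


_lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
# Baseline: five workstations, four intranet requests each, Chrome.
for i, src in enumerate(["10.0.1.20", "10.0.1.21", "10.0.1.22", "10.0.1.23", "10.0.1.24"]):
    for j in range(4):
        _lines.append(_rec(1700000000 + 10 * i + j, f"C{i}{j}", src,
                           "10.0.9.5", "intranet.corp", "/", CHROME))
# Two Linux workstations on Firefox: uncommon, but not unique to one host.
for i, src in enumerate(["10.0.1.30", "10.0.1.31"]):
    for j in range(2):
        _lines.append(_rec(1700000100 + 10 * i + j, f"F{i}{j}", src,
                           "10.0.9.5", "intranet.corp", "/", FIREFOX))
# One scripted download by a network appliance (constructed address and URI).
_lines.append(_rec(1700000200, "X00", "10.0.5.40", "203.0.113.7",
                   "203.0.113.7", "/dl/linux-privesc-kit.tar.gz", SCRIPTED))
SAMPLE_HTTP_LOG = "\n".join(_lines)


def parse_zeek_tsv(text):
    """Parse Zeek TSV output into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_rare_user_agents(records, max_hosts=1, max_fraction=0.05):
    """Return {user_agent: [source hosts]} for user agents seen from at most
    `max_hosts` distinct sources and making up at most `max_fraction` of all
    requests. Both thresholds are assumptions to tune per environment."""
    total = len(records)
    ua_count = Counter(r["user_agent"] for r in records)
    ua_hosts = defaultdict(set)
    for r in records:
        ua_hosts[r["user_agent"]].add(r["id.orig_h"])
    return {ua: sorted(ua_hosts[ua]) for ua, n in ua_count.items()
            if len(ua_hosts[ua]) <= max_hosts and n / total <= max_fraction}


def pivot(records, user_agent):
    """Source, destination, Host header and URI of every request that
    carried the flagged user agent: the data the analyst pivots on next."""
    return [(r["id.orig_h"], r["id.resp_h"], r["host"], r["uri"])
            for r in records if r["user_agent"] == user_agent]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_HTTP_LOG)
    for ua, hosts in find_rare_user_agents(recs).items():
        print(f"rare user agent {ua!r} seen only from {hosts}")
        for src, dst, host, uri in pivot(recs, ua):
            print(f"  {src} -> {dst}  http://{host}{uri}")
```

Rarity alone is a weak signal: the two Firefox hosts survive only because the "distinct sources" threshold is set to one, and a single new laptop would trip it. In practice the flagged user agent is a starting point, and the pivot (an appliance that never browses fetching an archive from an external address) is what turns it into a finding, which is the sequence the video follows.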