Skip to content

Defense Evasion

What is "Defense Evasion" ?

Defense Evasion is a category which stands for Adversarial Tactics, Techniques, and Common Knowledge. This category encompasses a variety of techniques that adversaries use to avoid detection throughout their compromise. Techniques under this category are specifically designed to circumvent security software, avoid logging mechanisms, mislead system users and administrators, and generally maintain the persistence of the malicious presence on a system without being detected.

How is "Defense Evasion" Achieved ?

  1. Obfuscation: Techniques such as encoding payloads in Base64 or using encryption to hide command and control traffic.
  2. Rootkits: Employing rootkits that interact directly with the operating system’s kernel components to mask malicious activity.
  3. Fileless Malware: Executing code directly from memory or leveraging PowerShell scripts which do not rely on traditional executable files thus avoiding triggering file-based detection mechanisms.
  4. Impair Defenses: Disabling security tools (antivirus software, firewalls) or tampering with their components (e.g., altering configuration files).
  5. Masquerading: Renaming executables or processes to mimic legitimate software components or using stolen digital certificates to sign malware.
  6. Deception: Altering timestamps or manipulating logs to obscure the presence of an attacker or the sequence of their actions.
  7. Privilege Escalation: Exploiting vulnerabilities that allow an adversary to gain higher-level permissions which can be used to disable or bypass security controls.

Where is "Defense Evasion" Implemented ?

Defense evasion techniques can be implemented across various layers of a computer system:

  • Operating System Level: Modifying system files and configurations, accessing low-level kernel structures.
  • Network Level: Engaging in activities like SSL/TLS encryption for exfiltrating data to mask traffic as normal HTTPS connections.
  • Application Level: Injecting malicious code into running processes where they might be less likely detected by antivirus systems.

Why Use "Defense Evasion" ?

The primary goal behind defense evasion is to maintain persistence within a target environment without being discovered. This allows adversaries:

  • To carry out further malicious activities such as data exfiltration, lateral movement, and establishment of backdoors.
  • To increase their foothold by installing additional payloads or tools which can assist in achieving their ultimate objectives (e.g., espionage, financial gain).
  • To minimize the risk of their operations being disrupted by cybersecurity defenses.

In summary, defense evasion techniques are critical for attackers aiming to operate covertly over extended periods within compromised environments. These methods are continually evolving as defenders enhance detection capabilities and as technology landscapes change. Understanding these techniques not only aids in better defending against them but also in designing systems that are resilient against such threats from the outset.