MITRE ATT&CK Defense Evasion (TA0005)

The MITRE ATT&CK Defense Evasion (TA0005) tactic outlines methods adversaries use to avoid detection and security measures during a cyberattack. These include techniques like disabling or modifying security tools, hiding malicious code within legitimate processes, obfuscating commands, and clearing logs. The goal is to bypass antivirus, firewalls, and intrusion detection systems, ensuring that the attacker can operate undetected within the network and prolong their access.

For more detailed information, visit the MITRE ATT&CK Defense Evasion page.

Key Techniques:

  1. Disabling Security Tools (Impair Defenses, T1562): Attackers tamper with or disable security software such as antivirus, endpoint detection and response (EDR) agents, intrusion detection systems (IDS), or host firewalls. Common forms are stopping or unloading the service, adding exclusion paths, changing policy settings, or uninstalling the tool outright, so that later activity is neither blocked nor reported. Most products log their own state changes (for example, Windows Defender writes Event ID 5001 when real-time protection is turned off), which makes the act of disabling itself detectable.
  2. Obfuscating Files or Information (T1027): Obfuscation hides the true content of malicious scripts, files, or executables from signature-based scanning. Attackers encrypt, compress, pack, or encode payloads (Base64-encoded PowerShell is a typical case) and decode them only at run time. Obfuscation changes what a file looks like at rest, not what it does, so behavioural detection still applies once the payload executes.
  3. Masquerading (T1036): Adversaries disguise malicious executables or code as legitimate ones by reusing trusted names, file paths, or metadata. A classic indicator is a binary named like a system process (svchost.exe, lsass.exe) running from a user-writable directory such as %TEMP% instead of C:\Windows\System32, or with a parent process that the real binary never has.
  4. Code Signing (Subvert Trust Controls: Code Signing, T1553.002): Attackers sign malware with stolen, leaked, or fraudulently obtained code-signing certificates so it appears to come from a trusted publisher. A valid signature proves only that the file was not altered since signing and which certificate signed it, not that the file is safe, so policies that trust any signed binary are easily bypassed.
  5. Timestomping (Indicator Removal: Timestomp, T1070.006): Timestomping manipulates file timestamps (creation, modification, and access times) so that dropped files blend in with legitimate system files and fall outside the time window an investigator is searching. On NTFS the API-reachable timestamps live in the $STANDARD_INFORMATION attribute, while the $FILE_NAME attribute holds a second, kernel-maintained set; a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is a common sign of tampering.
  6. Process Injection (T1055): By injecting code into a legitimate running process, adversaries execute payloads under the name, privileges, and network reputation of a trusted application. Injection typically involves allocating and writing memory in the target and then creating a thread or hijacking one, which is why EDR products watch cross-process memory writes and thread creation.
  7. Clearing Logs (Indicator Removal, T1070): Attackers delete or alter system and application logs to erase evidence of their activity and extend their dwell time. Clearing a log is itself a loggable event (Windows records Event ID 1102 in the Security log and 104 in the System log when those logs are cleared), so a sudden gap in forwarded logs or a clear event is a high-value alert.
  8. Abusing Trusted Processes (System Binary Proxy Execution, T1218): Adversaries execute malicious code through signed, Microsoft-shipped binaries such as rundll32.exe, regsvr32.exe, or mshta.exe ("living off the land"). Because the executing image is a trusted system file, allow-listing and reputation checks that would flag a new or unknown executable do not fire; detection has to look at the command line, the loaded content, and the parent-child relationship instead.
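The techniques above are easier to reason about when turned into concrete detection rules. The following is an added example written for this page, not MITRE's code or any vendor's detection content. It runs four simple rules (log clearing, Defender being disabled, a system binary name running from a non-system path, and an NTFS $STANDARD_INFORMATION vs $FILE_NAME creation-time mismatch) over a handful of constructed records. The record layout (the `kind`, `channel`, `image`, `si_created` and `fn_created` fields) is an assumption made for the example; the Windows Event IDs 1102, 104, 5001 and 4688 are real.

```python
"""Toy defense-evasion detector run over constructed event records.

Constructed sample data, not real telemetry. Field names are assumptions for
this example; the Windows Event IDs used are real:
  Security 1102   - the audit (Security) log was cleared
  System 104      - the System log file was cleared
  Security 4688   - a new process has been created
  Microsoft-Windows-Windows Defender/Operational 5001 - real-time protection disabled
"""
from datetime import datetime

# Constructed sample records shaped loosely like event-log and MFT entries.
SAMPLE_EVENTS = [
    {"kind": "evtx", "channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\svchost.exe", "parent": "services.exe"},
    {"kind": "evtx", "channel": "Security", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "parent": "winword.exe"},
    {"kind": "evtx", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "user": "SYSTEM"},
    {"kind": "evtx", "channel": "Security", "event_id": 1102, "user": "CORP\\jdoe"},
    {"kind": "evtx", "channel": "System", "event_id": 104, "user": "CORP\\jdoe"},
    {"kind": "mft", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts2.dll",
     "si_created": "2019-03-14T09:12:00.000000", "fn_created": "2024-11-02T17:45:31.182445"},
    {"kind": "mft", "path": "C:\\Windows\\System32\\kernel32.dll",
     "si_created": "2024-01-10T08:00:00.123456", "fn_created": "2024-01-10T08:00:00.123456"},
]

LOG_CLEARED = {("Security", 1102), ("System", 104)}
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def rule_log_cleared(ev):
    """T1070.001: the log-clear event survives in the forwarded copy even if the local log is gone."""
    if ev["kind"] == "evtx" and (ev["channel"], ev["event_id"]) in LOG_CLEARED:
        return f"T1070.001 indicator removal: {ev['channel']} log cleared by {ev['user']}"
    return None


def rule_defender_disabled(ev):
    """T1562.001: Defender logs its own real-time protection being switched off."""
    if ev["kind"] == "evtx" and ev["channel"] == DEFENDER_CHANNEL and ev["event_id"] == 5001:
        return "T1562.001 impair defenses: Defender real-time protection disabled"
    return None


def rule_masquerade(ev):
    """T1036: a well-known system binary name launched from outside the system directories."""
    if ev["kind"] != "evtx" or ev["event_id"] != 4688:
        return None
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        return f"T1036 masquerading: {name} launched from {ev['image']} (parent {ev['parent']})"
    return None


def rule_timestomp(ev):
    """T1070.006: SetFileTime only rewrites $STANDARD_INFORMATION; $FILE_NAME is kernel-set.

    An $SI creation time earlier than $FN's is the classic heuristic. It has false
    positives (files moved between volumes get fresh $FN times), so treat it as a lead.
    """
    if ev["kind"] != "mft":
        return None
    si = datetime.fromisoformat(ev["si_created"])
    fn = datetime.fromisoformat(ev["fn_created"])
    if si < fn:
        return f"T1070.006 timestomp: {ev['path']} $SI created {si} before $FN created {fn}"
    if si.microsecond == 0 and fn.microsecond != 0:
        # Many timestomping tools write whole-second values, zeroing the sub-second field.
        return f"T1070.006 timestomp: {ev['path']} $SI creation time has a zeroed sub-second field"
    return None


RULES = (rule_log_cleared, rule_defender_disabled, rule_masquerade, rule_timestomp)


def scan(events):
    """Run every rule over every record and return the alerts raised, in input order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the scan raises five alerts: the svchost.exe copy in %TEMP%, the Defender 5001 event, both log-clear events, and the DLL whose $SI creation time predates its $FN creation time. The genuine svchost.exe and the kernel32.dll record with matching timestamps pass. In production these rules would run over forwarded logs and a parsed $MFT rather than in-memory dictionaries, but the conditions are the same.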

Mitigation Strategies:

  1. Endpoint Detection and Response (EDR): Deploy EDR tooling that alerts on behaviour rather than file signatures: cross-process memory writes and remote thread creation (process injection), system binaries spawned by Office or browser processes, script engines decoding long encoded arguments, and changes to the security tools' own services and settings. Protect the agent itself with tamper protection, since disabling it is the first step of many intrusions.
  2. Application Control (Allow-listing): Restrict systems to running only approved applications, using platform features such as Windows Defender Application Control or AppLocker. Write rules by publisher and path rather than by hash alone, and include the commonly abused signed system binaries (rundll32.exe, regsvr32.exe, mshta.exe) in the policy, since allow-listing that trusts everything under C:\Windows does not stop proxy execution.
  3. Continuous Monitoring: Monitor the state of security tools, critical processes, and logging in real time, and alert on silence as well as on events: an endpoint that stops forwarding logs, or a security service that transitions to stopped, is itself an indicator of tampering.
  4. Log Retention and Integrity: Forward logs promptly to a centralized collector that endpoints can write to but not delete from, keep them on append-only or write-once storage with strong access controls, and retain them long enough for forensic analysis. Alert on the log-clear events themselves (Windows Security Event ID 1102, System Event ID 104). Where the integrity of records matters, chain them with a keyed hash so that deletion, modification, or truncation after the fact is detectable.
  5. File Integrity Monitoring: Use tools that baseline critical system files, binaries, and configurations and alert on changes, including timestamp changes that do not correspond to a legitimate update, so that replaced or timestomped files are caught rather than blending in.
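The log integrity point above is worth seeing in working form. The following is an added example, not code from MITRE or from any logging product: it chains log records with an HMAC so that each entry commits to the one before it, and shows how verification exposes an altered record, a deleted record, and a truncated tail. The key would live on the central collector, not the endpoint; the record contents and key are constructed for the example.

```python
"""Tamper-evident log chain: each entry carries an HMAC over its record and the
previous entry's tag. Verification walks the chain from a fixed genesis value.

Constructed data for illustration. In practice the key is held only by the
central log collector and the latest tag is periodically stored off-host so
that truncation of the tail can be detected too.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the entry before the first record


def _tag(key, prev_tag, record):
    # Canonical JSON so that the same record always hashes the same way.
    body = prev_tag + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append_records(key, records):
    """Build a chained log from plain records. Returns a list of chain entries."""
    chain, prev = [], GENESIS
    for rec in records:
        tag = _tag(key, prev, rec)
        chain.append({"record": rec, "prev": prev, "tag": tag})
        prev = tag
    return chain


def verify_chain(key, chain, expected_head=None):
    """Return (ok, index): index is the first entry that fails, or None if all pass.

    Without expected_head, dropping entries from the end is undetectable, because a
    shorter chain is still internally consistent; supplying the last tag that was
    recorded off-host closes that gap.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


# Constructed records standing in for forwarded security events.
SAMPLE_KEY = b"collector-secret-key-constructed-for-example"
SAMPLE_RECORDS = [
    {"ts": "2024-11-02T17:40:01Z", "host": "ws17", "event_id": 4688, "image": "winword.exe"},
    {"ts": "2024-11-02T17:40:03Z", "host": "ws17", "event_id": 4688, "image": "rundll32.exe"},
    {"ts": "2024-11-02T17:45:31Z", "host": "ws17", "event_id": 5001, "msg": "RTP disabled"},
    {"ts": "2024-11-02T17:46:02Z", "host": "ws17", "event_id": 1102, "msg": "log cleared"},
]


def demo_tampering(key=SAMPLE_KEY, records=SAMPLE_RECORDS):
    """Apply three attacker edits to a copy of the chain and report what verification says."""
    chain = append_records(key, records)
    head = chain[-1]["tag"]  # imagine this was shipped off-host before the tampering

    def copy(c):
        return [dict(e, record=dict(e["record"])) for e in c]

    modified = copy(chain)
    modified[1]["record"]["image"] = "notepad.exe"   # rewrite the suspicious process name
    deleted = copy(chain)
    del deleted[2]                                   # remove the "RTP disabled" entry
    truncated = copy(chain)[:2]                      # drop everything after the injection step

    return {
        "intact": verify_chain(key, chain, head),
        "modified": verify_chain(key, modified, head),
        "deleted": verify_chain(key, deleted, head),
        "truncated_no_head": verify_chain(key, truncated),
        "truncated_with_head": verify_chain(key, truncated, head),
    }


if __name__ == "__main__":
    for scenario, result in demo_tampering().items():
        print(f"{scenario:20s} -> {result}")
```

The intact chain verifies; the modified entry fails at index 1 and the deleted entry causes a `prev` mismatch at index 2. The truncated chain passes when only internal consistency is checked, which is why the head tag has to be stored somewhere the attacker cannot reach; with it supplied, truncation fails at index 2, the length of the shortened chain.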

By deploying these strategies, organizations can reduce the likelihood of successful defense evasion tactics and improve their overall security posture.
