The Mitre Att&ck Matrix’s most complex technique is Defense Evasion. Mitre has defined a whopping 42 sub-techniques to cover the Defense Evasion technique!
Abuse Elevation Control Mechanism is when a threat actor utilizes a flaw in a mechanism such as sudo to elevate permissions to get around restrictions.
Access Token Manipulation is when a threat actor steals an access token from an app running as a different user or a different user altogether.
BITS Jobs threat actors can abuse BITS jobs to get around defenses to achieve their objectives.
Build Image on Host is when a threat actor creates a container to get around defensive restrictions. Docker and Kubernetes are popular container computing services. The idea is that utilizing a container would bypass security checks.
Debugger Evasion is when a threat actor uses malware that can detect when it is being debugged and deploy defensive measures to hide what is going on in the hopes that a security analyst/software determines the malware to be legitimate when it is not.
Deobfuscate/Decode Files Or Information is when a threat actor has their malware encoded/obfuscated, then utilize a system utility to decode/deobfuscate to bypass security checks. Using certutil is a popular method in the windows world.
Deploy Container is when a threat actor deploys a preconfigured container. Typically, this would be Kubernetes or docker to get around security measures.
Direct Volume Access is when a threat actor uses a utility that directly accesses a volume that can bypass ACLs. NinjaCopy is such a utility.
Domain Policy Modification is when a threat actor gains access to the domain’s gpo to modify the group policy to remove some security controls that would have otherwise stopped a threat actor in his tracks.
Execution Guardrails are when a threat actor is aware of certain execution restrictions that could trip alarms and develops a payload that avoids such triggers to decrease the chances of being caught.
Exploitation for Defense Evasion is when the threat actor utilizes a vulnerability to achieve remote code execution. The code would run as a specific user. As a result, system defenses get evaded.
File and Directory Permissions Modification is when a threat actor utilizes a vulnerability or misconfigured access to change the permissions of a file or directory, granting access to files that would otherwise be inaccessible.
Hide Artifacts are when a threat actor knows what indicators of compromise were created and proceeds to hide them, so a system analyst will have a hard time finding out how the threat actor got in.
Hijack Execution Flow is when a threat actor utilizes a flaw in how processes to launch to trick the Operating System into launching a back door application instead. Not wrapping a path in Quotes when folders contain a space makes you vulnerable. One example is the path, C:\Windows Vulnerability\legit.exe instead of “C:\Windows Vulnerability\legit.exe”, which would allow C:\Windows\exploit.exe to run instead. As you may have noticed, this can be for defense evasion. You may have guessed from a previous post.
Impair Defenses are when a threat actor disables security measures such as antivirus to prevent malicious activity from being detected.
Indicator Removal is when a threat actor removes indicators of compromise instead of just hiding them.
Indirect Command Execution is when a threat actor can utilize an application to run commands for them.
Masquerading is when a threat actor makes something look like it was something else to avoid detection. It is easier to get through security if you can make them think they see something harmless when it is actually malicious.
Modify Authentication Process is when a threat actor modifies an authentication system to allow unauthorized users access.
Modify Cloud Compute Infrastructure is when a threat actor modifies a cloud computing asset such as a vm, snapshots, or compute instances to evade detection.
Modify Registry is when a threat actor modifies a system registry to disable security, hide exploits, and set automatic persistence. Threat actors can also prepend their entries with null characters to inhibit popular registry editor software from being able to see what the threat actor has changed.
Modify System Image is when a threat actor modifies an embedded system (IoT, Smartphones, etc.) to gain access to a system or network. If a threat actor can utilize a known device, it could slip through security software.
Network Boundary Bridging is when a threat actor infiltrates network equipment and sets up routes to gain easier access along network segments to get around configurations that would, under normal conditions, prohibit one network segment from reaching another.
Obfuscated files or information is when a threat actor obfuscates code on an exploit to get around security software scanning based on signatures. This technique makes it more challenging for a security analyst properly analyze the malware involved.
plist file modification is when a threat actor modifies a property list file to enable malicious activity or evade system defenses.
Pre-os Boot is when a threat actor infects a boot record or bios/uefi image to embed a rootkit that can hide malware and override system functions to avoid detection.
Process Injection is when a threat actor abuses a buffer overflow to trigger code execution. They do this in Defense Evasion to bypass system defenses. A marked trusted application may have exceptions made and will not be touched.
Reflective Code Loading is very similar to process injection. Only we are loading the payload into the memory of the app itself in memory before tricking the app into executing the payload.
Rogue Domain Controller is when a threat actor compromises a domain controller and configures it to allow activities that should have gotten blocked.
Rootkit is when a threat actor installs malware that overrides operating system functions to mimic normal functions while hiding the presence of its malware and allowing whatever it was programmed to do.
Subvert Trust Controls is when a threat actor finds and exploits a way to avoid a system that warn users that an action needs authorization or that if they proceed, an app could do something harmful. Getting around Windows User Access Control is an example of this.
System Binary Proxy execution is when a threat actor utilizes a trusted program to execute an untrusted program to get around system restrictions. Lazarus Group abused the windows update client to launch malware.
System Script Proxy Execution, like System Binary Execution, is when a threat actor utilizes a trusted script to execute malware.
Template Injection is when a threat actor creates or modifies a document template to conceal malicious code or force authentication attempts. The file may not contain a payload but could be modified to automatically retrieve and execute a malicious payload whenever the template opens.
Traffic signaling is when a threat actor hides a back door by setting it up to open only when a preconfigured set of ports get pinged in a specific order.
Trusted Developer Utilities Proxy Execution is when a threat actor utilizes installed development tools to make a payload look more legit. If they sign a malicious payload using developer tools on the target system, their security system may see it as legit and not even scan it.
Unused/Unsupported Cloud Regions is when a threat actor compromises a cloud account and sets up new services in a region the target organization is not using in the hopes that the organization fails to detect its presence.
Use Alternate authentication material is when a threat actor forces a system to use a weaker authentication system that may be in use for legacy equipment to exploit the weakened security to pull off a pass the hash attack or similar to be able to move laterally throughout the network.
Valid Accounts are when a threat actor utilizes a known user to hide their actions. It would be harder to prove that someone from finance is accessing a ledger aside from that it may have been from after-hours or a different location.
Virtualization/sandbox evasion is when a threat actor utilizes code to detect if it is operating within a VM or Sandbox. If the malware discovers it is running in a VM or Sandbox, then steps are taken to hide what it is doing or even find a way to escape the environment before executing the payload.
Weaken Encryption. is when a threat actor forces a system to use a weaker set of encryption standards, making it easier to break the Encryption. Once broken, data is free to get exfiltrated in a manner that could be hard to catch. Security software rarely covers data in transit, and if a threat actor taps into a network, data can get exfiltrated without anyone knowing.
XSL Script Processing is when a threat actor modifies xsl files to obscure code execution by embedding scripts into xsl files. This technique could cause an XML interpreter to execute code.