7. Defense Evasion
Defense Evasion (TA0005)
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Strategy
- Blend In: Make your activity look like normal user behavior (Masquerading).
- Blind: Disable the sensors watching you (Impair Defenses).
- Hide: Run your code inside trusted processes (Injection).
Section Contents
- Impair Defenses: Disabling, modifying, or blinding security tools and logging mechanisms.
- Indicator Removal: Deleting logs and altering timestamps to hinder forensic analysis.
- Masquerading: Manipulating artifacts to appear legitimate, for example right-to-left override (RTLO) filenames, renamed system utilities, and fake icons.
- Obfuscated Files or Information: Hiding the true intent of files through encryption, packing, and steganography.
- Process Injection: Running code inside the address space of another process.