This tactic has more techniques than any other tactic discussed in the MITRE ATT&CK Framework so far. What I find interesting about these techniques is that they expose the tradecraft of the various threat actors behind malware attacks.
Another interesting aspect of this tactic is that some malware, such as ransomware, cares very little about Defense Evasion. Its only goal is to execute once on a device, after which being discovered quickly matters little.
Some of the interesting techniques I have found are those which prevent products like AV from inspecting them at all, or which bypass application whitelisting technologies. Extremely large files (Binary Padding) or abuse of certificates (Code Signing, Install Root Certificate, Signed Binary Proxy Execution, Signed Script Proxy Execution) are techniques that can sneak past defenses. In fact, I wrote about one way to bypass AppLocker back in 2016.
Other techniques can be quite noisy with any level of monitoring of endpoints or logs.
For example, Disabling Security Tools, File Deletion and Modify Registry are all techniques which can be leveraged, but they allow ample opportunities for a defender to detect what is going on. Monitoring for change on the endpoints and gathering logs from critical systems will expose this abuse.
If you are not collecting log data from each endpoint to a central location, be wary of three of the techniques which are used heavily by many malware families. Indicator Blocking, Indicator Removal from Tools and Indicator Removal on Host are all dangerous without centralized logging.
A simple firewall update or disabling a service can prevent a tool from sending alerts or logs back up to its own centralized location. For whatever reason, Windows allows you to clear the event log completely, although thankfully it is (Read more...)
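The two gaps described above, a cleared event log and a security service that quietly stops (or an endpoint that simply goes silent because its forwarding was blocked), are both visible to a central collector if someone is looking. The script below is an added example, not code from the original post or from Tripwire: it runs over a few constructed, flattened Windows event records and flags log clearing (Event IDs 1102 and 104 from the Microsoft-Windows-Eventlog provider), watched services entering the stopped state (Event ID 7036 from the Service Control Manager), and hosts whose last forwarded event is older than a chosen gap. The service names in `WATCHED_SERVICES` and the hostnames are assumptions for the example.

```python
"""Spot Indicator Removal on Host, Disabling Security Tools and silent endpoints
in centrally collected Windows events (constructed example, not a product's logic)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Real Windows event IDs: 1102 = Security log cleared, 104 = another log cleared
# (both from the Microsoft-Windows-Eventlog provider), 7036 = a service changed state.
LOG_CLEARED_IDS = {1102, 104}
SERVICE_STATE_ID = 7036

# Assumed list of services whose stop is worth an alert (example placeholder, not exhaustive).
WATCHED_SERVICES = {"WinDefend", "Sense", "MpsSvc", "EventLog"}


@dataclass
class Finding:
    host: str
    technique: str
    detail: str


def classify(event: dict) -> Optional[Finding]:
    """Map one flattened event record to an ATT&CK technique, or None if benign."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")
    if eid in LOG_CLEARED_IDS and event.get("Provider") == "Microsoft-Windows-Eventlog":
        channel = event.get("Channel", "?")
        who = event.get("SubjectUserName", "?")
        return Finding(host, "Indicator Removal on Host", f"event log '{channel}' cleared by {who}")
    if eid == SERVICE_STATE_ID and event.get("Provider") == "Service Control Manager":
        # In a real 7036 record param1 is the service name and param2 its new state.
        if event.get("param1") in WATCHED_SERVICES and event.get("param2") == "stopped":
            return Finding(host, "Disabling Security Tools", f"service '{event['param1']}' stopped")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse JSON lines from the collector; malformed records are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


def last_seen_from(lines: List[str]) -> Dict[str, datetime]:
    """Most recent TimeCreated per host, the input for the silence check."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        host, when = event.get("Computer"), datetime.fromisoformat(event["TimeCreated"])
        if host and (host not in seen or when > seen[host]):
            seen[host] = when
    return seen


def silent_hosts(last_seen: Dict[str, datetime], now: datetime, max_gap: timedelta) -> List[str]:
    """Hosts that stopped reporting: a collector that goes deaf to an endpoint is
    itself the signal for Indicator Blocking (blocked forwarding, stopped agent)."""
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


# Constructed sample records; hostnames and users are invented for the example.
SAMPLE_EVENTS = [
    '{"TimeCreated": "2024-01-15T09:00:00+00:00", "Computer": "WS01", "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102, "Channel": "Security", "SubjectUserName": "admin"}',
    '{"TimeCreated": "2024-01-15T09:05:00+00:00", "Computer": "WS01", "Provider": "Service Control Manager", "EventID": 7036, "param1": "WinDefend", "param2": "stopped"}',
    '{"TimeCreated": "2024-01-15T09:45:00+00:00", "Computer": "WS02", "Provider": "Service Control Manager", "EventID": 7036, "param1": "Spooler", "param2": "stopped"}',
    '{"TimeCreated": "2024-01-15T09:46:00+00:00", "Computer": "WS02", "Provider": "Service Control Manager", "EventID": 7036, "param1": "WinDefend", "param2": "running"}',
    '{"TimeCreated": "2024-01-15T09:47:00+00:00", "Computer": "WS02", "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624}',
    'not json at all',
    '{"TimeCreated": "2024-01-15T08:00:00+00:00", "Computer": "WS03", "Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "Channel": "Microsoft-Windows-Sysmon/Operational", "SubjectUserName": "svc_backup"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.technique}: {f.detail}")
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    print("silent:", silent_hosts(last_seen_from(SAMPLE_EVENTS), now, timedelta(minutes=30)))
```

Against the sample records this reports the Security log clearing and the Defender stop on WS01, the Sysmon log clearing on WS03, and names WS01 and WS03 as silent for more than 30 minutes as of 10:00. The point of the silence check is the one the paragraph makes: once logs leave the endpoint, the attacker has to stop the flow, and a stopped flow is itself something the collector can see.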
This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/mitre-framework/the-mitre-attck-framework-defense-evasion/