Defense Evasion has the most techniques of any tactic in the MITRE ATT&CK Framework discussed so far. What I find interesting about these techniques is that they expose the tradecraft of the various threat actors behind malware attacks.
Another interesting aspect of this tactic is that some malware, such as ransomware, cares very little about Defense Evasion. Its only goal is to execute once on a device and then be discovered as quickly as possible.
Some of the more interesting techniques I have found are those that keep products like AV from inspecting them at all, or that bypass application whitelisting technologies. Extremely large files (Binary Padding) and abuse of certificates (Code Signing, Install Root Certificate, Signed Binary Proxy Execution, Signed Script Proxy Execution) are techniques that can sneak past defenses. In fact, I wrote about one way to bypass AppLocker back in 2016.
Other techniques can be quite noisy with any level of monitoring of endpoints or logs.
For example, Disabling Security Tools, File Deletion and Modify Registry are all techniques which can be leveraged, but they allow ample opportunities for a defender to detect what is going on. Monitoring for change on the endpoints and gathering logs from critical systems will expose this abuse.
If you are not collecting log data from each endpoint to a central location, be wary of three techniques that many malware families use heavily. Indicator Blocking, Indicator Removal from Tools and Indicator Removal on Host are all dangerous without centralized logging.
A simple firewall update or disabling a service can prevent a tool from sending alerts or logs back up to its own centralized location. For whatever reason, Windows allows you to clear the event log completely, although thankfully it is all or nothing and leaves behind evidence that someone did so. If a system is critical to your business operations, get the log data off of it to a centralized location.
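As an added example (not code from the original post), here is the detection logic a defender would run over centralized log data for the two cases just described: a cleared Windows event log, and an endpoint whose forwarded logs have gone quiet. The sample events and field names are constructed; event IDs 1102 (Security log cleared) and 104 (other logs such as System cleared) are the ones the Microsoft-Windows-Eventlog provider records when a log is cleared.

```python
import json
from datetime import datetime, timedelta

# Event IDs the Microsoft-Windows-Eventlog provider writes when a log is
# cleared: 1102 for the Security log, 104 for logs such as System.
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample of forwarded Windows events, one JSON object per line.
# The field names are an assumption (a Winlogbeat-style export), not the post's.
SAMPLE_EVENTS = """\
{"host": "fileserver01", "time": "2024-03-01T09:00:00", "event_id": 4624, "user": "jdoe"}
{"host": "fileserver01", "time": "2024-03-01T09:05:00", "event_id": 1102, "user": "jdoe", "channel": "Security"}
{"host": "dc01", "time": "2024-03-01T09:06:00", "event_id": 4672, "user": "SYSTEM"}
{"host": "fileserver01", "time": "2024-03-01T09:07:00", "event_id": 104, "user": "jdoe", "channel": "System"}
{"host": "dc01", "time": "2024-03-01T09:10:00", "event_id": 4624, "user": "asmith"}
{"host": "dc01", "time": "2024-03-01T11:30:00", "event_id": 4624, "user": "asmith"}
"""


def parse_events(text):
    """Parse JSON-lines events and convert timestamps to datetime objects."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return events


def find_log_clears(events):
    """Return (host, channel, user, time) for every log-cleared event.
    Because clearing is all or nothing, the clear event itself survives
    in the centralized copy even if the endpoint's local log is now empty."""
    return [(e["host"], e.get("channel", "?"), e["user"], e["time"])
            for e in events if e["event_id"] in LOG_CLEARED_IDS]


def find_silent_hosts(events, max_gap_minutes=60):
    """Return hosts whose last forwarded event is older than max_gap_minutes
    at the end of the window. A firewall rule or a disabled forwarding
    service that cuts a host off from the collector looks exactly like this."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["time"]), e["time"])
    window_end = max(e["time"] for e in events)
    limit = timedelta(minutes=max_gap_minutes)
    return sorted(h for h, t in last_seen.items() if window_end - t > limit)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, channel, user, when in find_log_clears(evs):
        print(f"ALERT {when} {host}: {channel} log cleared by {user}")
    for host in find_silent_hosts(evs):
        print(f"ALERT {host}: no events forwarded for over an hour")
```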
While there are a lot of techniques for anyone just starting out to sit and parse through, the ability to either mitigate or detect abuse of each of them should be attainable. Take the time to address each of these techniques. If your proverbial moat around the castle is a mile wide, it will be of no use if it is only an inch deep.
Keep your defenses strong and deep, so an attacker can’t walk right through them.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control
- The MITRE ATT&CK Framework: Impact