Exploitation for Defense Evasion
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised.
Adwind 2020 variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows which allowed a malicious JAR file to be appended to a clean MSI file signed by Microsoft or Google without impacting or changing the digital signature.
Ratty 2020 variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows which allowed a malicious JAR file to be appended to a clean MSI file signed by Microsoft or Google without impacting or changing the digital signature.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions or for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.
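As an added detection example (not part of the original entry), the following Python check flags the file shape described in the Adwind and Ratty entries above: a file that begins as an OLE compound document (the MSI container) but also ends with a parseable ZIP/JAR archive. The fixtures are constructed stand-ins built in the code itself, not real signed installers.

```python
import io
import struct
import zipfile

# Well-known format constants used by the check.
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MSI files are OLE compound documents
ZIP_EOCD_SIG = b"PK\x05\x06"                          # ZIP end-of-central-directory record
ZIP_CEN_SIG = b"PK\x01\x02"                           # ZIP central directory file header
EOCD_MIN_LEN = 22
MAX_ZIP_COMMENT = 0xFFFF


def find_trailing_zip(data: bytes):
    """Return (eocd_offset, central_dir_offset) if the tail of `data` is a
    readable ZIP archive, else None. ZIP readers (Java's included) locate an
    archive by scanning backwards for the EOCD record, so a JAR glued onto
    the end of another file stays loadable as long as that record is intact."""
    tail_start = max(0, len(data) - EOCD_MIN_LEN - MAX_ZIP_COMMENT)
    pos = data.rfind(ZIP_EOCD_SIG, tail_start)
    if pos < 0 or pos + EOCD_MIN_LEN > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, _stated_cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
    if pos + EOCD_MIN_LEN + comment_len != len(data):
        return None  # record does not end at EOF, so it is not the live EOCD
    # Readers tolerate prefix data by placing the central directory at
    # eocd - cd_size instead of trusting the stated offset; do the same.
    cd_start = pos - cd_size
    if cd_start < 0 or data[cd_start:cd_start + 4] != ZIP_CEN_SIG:
        return None
    return pos, cd_start


def is_msi_jar_polyglot(data: bytes) -> bool:
    """True if `data` starts as an OLE compound document (MSI) and also ends
    as a valid ZIP/JAR archive, the shape of the CVE-2020-1464 abuse."""
    return data.startswith(OLE_CFB_MAGIC) and find_trailing_zip(data) is not None


def build_samples():
    """Constructed fixtures (not real installers): a stand-in 'MSI' that is
    just the OLE magic plus filler, and the same buffer with a tiny JAR
    appended so the detector has a positive case to catch."""
    fake_msi = OLE_CFB_MAGIC + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return fake_msi, fake_msi + buf.getvalue()
```

Because the check parses the ZIP structure rather than just searching for the `PK` bytes, a signed installer that merely happens to contain those two characters in its body is not flagged.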
Created: 09 May 2021
Last Modified: 09 May 2021