Exploitation for Defense Evasion

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, a service, or the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may also exist in defensive security software itself, and these can be used to disable or circumvent it.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised.

Procedure Examples

Name: Adwind
Description: The 2020 Adwind variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows that allowed a malicious JAR file to be appended to a clean MSI file signed by Microsoft or Google without impacting or changing the digital signature.

Name: Ratty
Description: The 2020 Ratty variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows that allowed a malicious JAR file to be appended to a clean MSI file signed by Microsoft or Google without impacting or changing the digital signature.

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Exploitation for defense evasion may happen shortly after the system has been compromised, to prevent detection during later actions or of additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed, or they may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.
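The procedure examples above describe a signed MSI with a JAR appended to it; the detection advice points at suspicious files on disk. The following Python check is an added example, not code from this page or from the cited malware reports. It relies only on public file-format facts (MSI files are OLE2 compound documents; JAR files are ZIP archives whose end-of-central-directory record sits at the tail) and builds constructed stand-in files rather than real Adwind or Ratty artifacts.

```python
import io
import struct
import zipfile

# Well-known magic values: MSI files are OLE2 compound documents, JAR files are ZIP archives.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_CENTRAL_DIR = b"PK\x01\x02"
ZIP_EOCD = b"PK\x05\x06"


def find_appended_zip(data: bytes):
    """Return (archive_start, entry_names) when an OLE/MSI file carries a complete ZIP
    archive after its OLE content, otherwise None. Signature checks on the MSI would not
    notice the trailing bytes, so this looks at the file layout instead."""
    if not data.startswith(OLE_MAGIC):
        return None
    # The EOCD record (22 bytes plus a comment of at most 65535 bytes) ends the archive.
    tail_start = max(0, len(data) - 65535 - 22)
    eocd_pos = data.rfind(ZIP_EOCD, tail_start)
    if eocd_pos < 0:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_offset(4) comment(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    cd_pos = eocd_pos - cd_size
    archive_start = cd_pos - cd_offset  # non-zero when a ZIP was simply concatenated to the MSI
    if archive_start < 0 or data[cd_pos:cd_pos + 4] != ZIP_CENTRAL_DIR:
        return None
    # zipfile tolerates data prepended to an archive, so the entries can be listed directly.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return archive_start, zf.namelist()


def make_constructed_jar() -> bytes:
    """Constructed stand-in for a JAR: a ZIP with a manifest and one placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"placeholder bytes, not real bytecode")
    return buf.getvalue()


def make_constructed_msi() -> bytes:
    """Constructed stand-in for an MSI: OLE magic, a zeroed 512-byte header and one empty sector."""
    return OLE_MAGIC + b"\x00" * 504 + b"\x00" * 512


if __name__ == "__main__":
    hit = find_appended_zip(make_constructed_msi() + make_constructed_jar())
    print("appended archive at offset", hit[0], "with entries", hit[1])
```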

ID: VT0036
MITRE ID:
Sub-techniques: No sub-techniques
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring, Process monitoring, Windows Error Reporting
Defense Bypassed: Anti-virus, System access controls
Version: 1.1

Created: 09 May 2021

Last Modified: 09 May 2021