Defense Evasion
What is Defense Evasion?
Defense Evasion: The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
Defense Evasion (MITRE ATT&CK tactic TA0005) groups techniques designed to bypass, blind, or fool security controls. It is one of the largest tactics in the matrix and includes obfuscated and encrypted payloads, process injection, DLL side-loading, signed-binary proxy execution (LOLBins), disabling or uninstalling EDR/AV, clearing event logs, masquerading as legitimate processes, abusing trusted directories, and using rootkits or BYOVD (Bring Your Own Vulnerable Driver) attacks. Defense Evasion is often interleaved with other tactics throughout an intrusion. Defenders counter it with kernel-level telemetry, EDR tamper protection, immutable logging, signed-binary inventory monitoring, and behavioural detections that look at intent and chains of activity rather than individual signatures.
● Examples
- 01: Bringing a vulnerable signed driver to disable an EDR agent in kernel mode.
- 02: Renaming a malicious executable to svchost.exe and placing it in C:\Windows\.
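The second example is the kind of masquerading that behavioural detection catches by checking where a process runs from and who launched it. The following Python check is an added illustration, not code from this page or from MITRE; its table of expected directories and parents and its sample events are constructed, and a real deployment would populate the table from a golden-image inventory.

```python
"""Masquerading check for process-creation telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Genuine install directories and the usual parent process for a few
# commonly impersonated Windows binaries. Constructed table for illustration.
EXPECTED = {
    "svchost.exe": ({r"c:\windows\system32", r"c:\windows\syswow64"},
                    {"services.exe"}),
    "lsass.exe": ({r"c:\windows\system32"}, {"wininit.exe"}),
}


@dataclass(frozen=True)
class ProcessEvent:
    image: str   # full path of the newly created process
    parent: str  # image name of the parent process


def check_masquerade(event: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like masquerading; empty means clean."""
    path = PureWindowsPath(event.image.lower())   # Windows paths are case-insensitive
    name = path.name
    if name not in EXPECTED:
        return []                                 # not a binary we track
    dirs, parents = EXPECTED[name]
    findings = []
    if str(path.parent) not in dirs:
        findings.append(f"{name} launched from unexpected directory {path.parent}")
    if event.parent.lower() not in parents:
        findings.append(f"{name} has unexpected parent {event.parent}")
    return findings


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each suspicious image path to its findings."""
    results = {}
    for event in events:
        reasons = check_masquerade(event)
        if reasons:
            results[event.image] = reasons
    return results


# Constructed sample events: a genuine svchost.exe and one matching example 02.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "services.exe"),
    ProcessEvent(r"C:\Windows\svchost.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```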
● Frequently asked questions
What is Defense Evasion?
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system. It belongs to the Defense & Operations category of cybersecurity.
What does Defense Evasion mean?
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
How does Defense Evasion work?
Defense Evasion (MITRE ATT&CK tactic TA0005) groups techniques designed to bypass, blind, or fool security controls. It is one of the largest tactics in the matrix and includes obfuscated and encrypted payloads, process injection, DLL side-loading, signed-binary proxy execution (LOLBins), disabling or uninstalling EDR/AV, clearing event logs, masquerading as legitimate processes, abusing trusted directories, and using rootkits or BYOVD (Bring Your Own Vulnerable Driver) attacks. Defense Evasion is often interleaved with other tactics throughout an intrusion. Defenders counter it with kernel-level telemetry, EDR tamper protection, immutable logging, signed-binary inventory monitoring, and behavioural detections that look at intent and chains of activity rather than individual signatures.
How do you defend against Defense Evasion?
Defences for Defense Evasion typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Defense Evasion?
Common alternative names include: Defence Evasion, TA0005.
● Related terms
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- EDR (Endpoint Detection and Response) (defense-ops, № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Rootkit (malware, № 949): Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.
- Fileless Malware (malware, № 417): Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Anti-Forensics (forensics-ir, № 049): Techniques used by attackers or privacy-conscious actors to obstruct, delay, or defeat digital forensic investigations.
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
● See also
- № 397 Execution (MITRE Tactic)
- № 817 Persistence
- № 616 Living off the Land
- № 632 LOLBin / LOLBAS
- № 332 DLL Injection
- № 862 Process Injection
- № 045 AMSI Bypass
- № 055 Application Allowlisting (Whitelisting)