ICS Evasion consists of techniques adversaries use to avoid detection by security mechanisms within ICS environments. These include changing device operating modes to bypass monitoring, removing indicators of compromise from hosts, masquerading malicious processes as legitimate ones, deploying rootkits, and spoofing reporting messages to deceive operators and security tools.
Tactic Overview
Tactic ID: TA0103 — Matrix: ICS — Techniques: 7
The Evasion tactic represents a phase in the adversary lifecycle where the adversary is trying to avoid security defenses. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 7 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (7)
The following techniques are categorized under the Evasion tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T0858 | Change Operating Mode | Adversaries change the operating mode of PLCs or controllers to enable unauthorized program modifications or bypass protections. | T0858 |
T0820 | Exploitation for Evasion | Adversaries exploit vulnerabilities in ICS security tools to evade detection and monitoring. | T0820 |
T0872 | Indicator Removal on Host | Adversaries remove indicators of compromise from ICS hosts to avoid detection by security monitoring. | T0872 |
T0849 | Masquerading | Adversaries rename malicious files and processes to match legitimate ICS software to avoid detection. | T0849 |
T0851 | Rootkit | Adversaries deploy rootkits on ICS hosts to hide malicious processes and maintain persistent covert access. | T0851 |
T0856 | Spoof Reporting Message | Adversaries spoof reporting messages from controllers to deceive operators about the actual state of physical processes. | T0856 |
T0894 | System Binary Proxy Execution | Adversaries use trusted system binaries on ICS workstations to proxy execution of malicious code. | T0894 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- ICS-specific intrusion detection
- Process anomaly detection
- File integrity monitoring
- Network traffic analysis
- Security information and event management (SIEM)
Detection Strategies
Effective detection of Evasion techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Evasion tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Evasion Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026