Defense Evasion
Techniques
| ID | Name | Description |
|---|---|---|
| EST000069 | Binary Padding | A Cyber Embedded Technique in which an adversary uses binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed. |
| EST000070 | Code Signing | A Cyber Embedded Technique in which an adversary uses code signing certificates to masquerade malware and tools as legitimate binaries. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, forged, or stolen by the adversary. Code signing certificates may be used to bypass security policies that require signed code to execute on a system. |
| EST000071 | Compile After Delivery | A Cyber Embedded Technique in which an adversary attempts to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information, text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically, via native utilities such as csc.exe or GCC/MinGW. Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Spearphishing Attachment. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework. |
| EST000072 | Component Firmware | A Cyber Embedded Technique in which an adversary employs sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. |
| EST000073 | Evasive Connection Proxy | A Cyber Embedded Technique in which an adversary uses a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the internet and then the proxy would forward communications to the C2 server. Internal connection proxies can be used to consolidate internal connections from compromised systems. Adversaries may use a compromised internal system as a proxy in order to conceal the true destination of C2 traffic. The proxy can redirect traffic from compromised systems inside the network to an external C2 server making discovery of malicious traffic difficult. Additionally, the network can be used to relay information from one system to another in order to avoid broadcasting traffic to all systems. |
| EST000074 | Deobfuscate Files or Information | A Cyber Embedded Technique in which an adversary decodes a payload hidden in obfuscated files or information. Adversaries may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing so include built-in functionality of malware, Scripting, PowerShell, or utilities present on the system. One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript. |
| EST000075 | Disabling Security Tools | A Cyber Embedded Technique in which an adversary disables security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting. |
| EST000076 | Execution Guardrails | A Cyber Embedded Technique in which an adversary uses guardrails and environmental keying to help protect their TTPs and evade detection. In an embedded system an adversary may use execution guardrails to avoid executing certain malware in a SIL/maintenance environment in order to evade detection, but may execute the malware once it has been loaded onto the embedded system and the embedded system is operational. Execution guardrails constrain execution or actions based on adversary-supplied, environment-specific details. The goal for the adversary is to only execute payloads when there is operational value to be gained. |
| EST000077 | Exploitation for Defense Evasion | A Cyber Embedded Technique in which an adversary exploits defensive software to avoid detection. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment, or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. |
| EST000078 | File Deletion | A Cyber Embedded Technique in which an adversary removes files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. |
| EST000079 | Indicator Blocking | A Cyber Embedded Technique in which an adversary attempts to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry, as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation. ETW interruption can be achieved in multiple ways, most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. |
| EST000080 | Indicator Removal from Tools | A Cyber Embedded Technique in which an adversary determines why a malicious tool was detected (the indicator), modifies the tool by removing the indicator, and uses the updated version that is no longer detected by the target's defensive systems or by subsequent targets that may use similar systems. A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so it has a different signature, and then re-use the malware. |
| EST000081 | Indicator Removal on Host | A Cyber Embedded Technique in which an adversary deletes or alters generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*. Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to a lack of sufficient data to determine what occurred. |
| EST000082 | Install Root Certificate | A Cyber Embedded Technique in which an adversary installs a malicious root certificate to avoid "not trusted error messages." Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary-controlled web servers that spoof legitimate websites in order to collect login credentials. |
| EST000083 | Subsystem Masquerading | A Cyber Embedded Technique in which an adversary masquerades as a legitimate subsystem on a communication bus to perform unauthorized operations. This involves mimicking the identity, communication protocols, and behavior of a trusted component to gain access to sensitive data, control other devices, or disrupt system functionality. The adversary might achieve this by spoofing the subsystem's unique identifier on the bus, replicating its communication patterns, or exploiting vulnerabilities in authentication mechanisms. By successfully masquerading as a trusted subsystem, the adversary can bypass security checks and operate undetected within the embedded platform. This technique is distinct from Logical Masquerading (EST000085), which involves an adversary impersonating an LRU within a subsystem. Previously named: Masquerading |
| EST000084 | Process Masquerading | A Cyber Embedded Technique in which an adversary masquerades a malicious process as a legitimate executable process to evade defenses and monitoring. Within an LRU or other embedded system, process masquerading occurs when a malicious process is disguised to appear as a trusted or system-critical process. This can be achieved by renaming the executable, modifying its metadata, placing it in a trusted directory, or mimicking the command-line arguments and parent process of a legitimate process. By successfully masquerading as a legitimate process, the adversary can bypass security checks, avoid detection by monitoring tools, and maintain persistence within the system. This technique is distinct from Subsystem Masquerading (EST000083), which involves an adversary impersonating an entire subsystem within a platform, and Logical Masquerading (EST000085), which involves an adversary impersonating an LRU within a subsystem. Previously named: Evasive Process Masquerading |
| EST000085 | Bus Communication Masquerading | A Cyber Embedded Technique in which an adversary masquerades their malicious communications amongst legitimate communications within a subsystem bus. This involves mimicking the protocols, timing, and addressing schemes of trusted devices to blend in with normal bus activity and avoid detection. Due to protocol limitations, some serial buses lack built-in authentication, and some protocols allow any device to transmit at any time. This enables the adversary to inject malicious commands, exfiltrate data, or disrupt system functionality while appearing to be a legitimate participant on the bus. The adversary might achieve this by spoofing device identifiers, replicating message formats, or exploiting vulnerabilities in bus communication protocols. This technique is distinct from Subsystem Masquerading (EST000083), which involves an adversary impersonating an entire subsystem within a platform. Previously named: Logical Masquerading |
| EST000086 | Obfuscated Files or Information | A Cyber Embedded Technique in which an adversary makes an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. Adversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language-specific semantics can be used to evade signature-based detections and whitelisting mechanisms. Another example of obfuscation is the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. Early known and reported adversary use of steganography includes activity surrounding Invoke-PSImage. The Duqu malware encrypted the information gathered from a victim's system and hid it in an image, then exfiltrated the image to a C2 server. By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. |
| EST000087 | Port Knocking | A Cyber Embedded Technique in which an adversary evades defenses by avoiding detection in test environments. On some serial bus protocols there is a concept of a "port." It would be possible for an adversary to create malware that opens and responds on one addressable detail only after receiving the correct information on a different addressable detail. Detecting Port Knocking would require knowledge of "usual traffic" and monitoring of the specific network. |
| EST000088 | Process Hollowing | A Cyber Embedded Technique in which an adversary executes arbitrary code in the address space of a separate live process. Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. |
| EST000089 | Process Injection | A Cyber Embedded Technique in which an adversary executes arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. |
| EST000090 | Redundant Evasive Access Points | A Cyber Embedded Technique in which an adversary uses more than one initial access vector and persistence technique to maintain and re-access the platform. This may be done through a combination of physical devices or remote RF vectors. The goal for the adversary here would be to maintain access to the subsystems they previously had access to. |
| EST000091 | Hidden Rootkit | A Cyber Embedded Technique in which an adversary uses rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems, have been shown to work on VxWorks systems, and may be possible on other common embedded operating systems. |
| EST000092 | Scripting | A Cyber Embedded Technique in which an adversary uses scripts to aid in operations and perform multiple actions that would otherwise be manual. In a platform this can be a second-stage bootloader or be used during maintenance to perform data loading operations. Maintenance typically needs to change the mode of operation to be able to access certain functions, and that is accomplished by scripts that control the LRU. Because platforms are typically disconnected from the internet, scripting is less likely to be used in real time by an operator and more likely to execute on some trigger. |
| EST000093 | Timestomp | A Cyber Embedded Technique in which an adversary manipulates timestamps to avoid defenses or forensic investigations. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. |
| EST000094 | Evade via Trusted Developer Utilities | A Cyber Embedded Technique in which an adversary exploits Trusted Developer Utilities to evade defensive measures. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions. On embedded systems OEMs have various ways of accessing and controlling the LRUs that they produce. These are typically undocumented at the operational location in any way due to the contractor’s proprietary information. These tools are undocumented because the Government does not typically own the technical baseline of these devices. On the boards themselves, SPI, I2C or various other serial communications may be used to access memory or other useful interfaces to the device. |
| EST000095 | Device Lockout | A Cyber Embedded Technique in which an adversary locks the legitimate user out of the device, for example to inhibit user interaction. |
| EST000096 | Evade Analysis Environment | A Cyber Embedded Technique in which an adversary uses many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments. Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. For embedded devices, this would include evading SIL and testing activities performed by various organizations. The goal here is to evade detection by an analyst who is specifically searching for malicious activity. |
| EST000097 | Input Injection | A Cyber Embedded Technique in which an adversary introduces valid data into menu or data structures as if they were the pilot. It is also possible to appear as a legitimate application to the pilot or from the MCDU. The payload would take advantage of the fact that the pilot is enabled to perform various operations on the platform due to their role. Because this is legitimate traffic, operating within legitimate bounds, the adversary will evade defenses. For example: a payload could detect that a subsystem has been turned on via the "on" button, and then immediately send the "off" command as if the "off" button was depressed. Doing this would ensure that the target subsystem would not be allowed to be turned on. |
| EST000098 | Evasive OS Kernel or Boot Partition | A Cyber Embedded Technique in which an adversary with escalated privileges places malicious code in the device kernel or other boot partition to avoid detection on a system. If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases, the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality. Most PIT embedded systems do not have secure boot technologies implemented allowing adversaries to easily modify boot partition components. If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code. |
| EST000099 | Modify Underlying System | A Cyber Embedded Technique in which an adversary modifies the underlying system, specifically targeting security mechanisms or monitoring tools, to evade detection. This involves altering system files or configurations that are responsible for security logging, intrusion detection, or integrity checks. By disabling or manipulating these security functions, the adversary can hide their malicious activity and operate undetected within the system. For example, the adversary might modify system logs to remove evidence of their presence, disable intrusion detection rules, or corrupt integrity verification databases. This technique relies on first achieving privilege escalation to then directly impair defense capabilities. |
| EST000101 | Container Breakout | A Cyber Embedded Technique in which an adversary performs defense evasion by escaping from a container and gaining access to the underlying host system. The goal of the adversary is not to obtain more abilities, simply to obfuscate execution from container defenses. Previously named: Containerization |
| EST000102 | Exploitation for Evasion | A Cyber Embedded Technique in which an adversary exploits a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware. |
| EST000103 | Impersonate Master Device | A Cyber Embedded Technique in which an adversary sets up a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. Impersonating a master device may also allow an adversary to avoid detection. |
| EST000104 | Spoof Reporting Message | A Cyber Embedded Technique in which an adversary spoofs reporting messages in control systems environments to achieve evasion. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control. If an adversary has the ability to Spoof Reporting Messages, then they can impact the network in many ways. The adversary can Spoof Reporting Messages that state that the device is in normal working condition, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors were occurring, to distract them from the actual source of the problem. |
| EST000105 | Evade via Operating Mode Changes | A Cyber Embedded Technique in which an adversary places controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause an impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses. |
| EST000106 | Modify Checksums | A Cyber Embedded Technique in which an adversary reverse engineers and recalculates or modifies binary checksums to load malware without affecting the functionality or behavior of the binary. This will not change the size of the file, as it requires no change to the binary other than the physical location and recalculation of the Cyclic Redundancy Check (CRC) after the malware has been inserted. Although this is possible, the preferred method would be Binary Padding, as a modified checksum may be visible to an operator during an operational check of currently loaded software on any debug/maintenance console. |
| EST000107 | Evade Physical Detection | A Cyber Embedded Technique in which an adversary uses techniques to avoid physical detection of system manipulation. Adversaries seek not to be found through maintenance visual inspection. They will seek to design their implant and/or leave-behind device such that it is not easily found, either by miniaturization or camouflage. |