Defense Evasion — Techniques Used to Avoid Detection and Security Controls
Defense Evasion refers to the techniques attackers use to avoid detection, bypass security controls, and remain undetected within a compromised environment. This SECMONS glossary entry explains how defense evasion works, common techniques, and how defenders can detect and counter them.
What Is Defense Evasion?
Defense Evasion refers to the techniques attackers use to avoid detection, bypass security mechanisms, and remain hidden within an environment.
It can occur at any stage of an intrusion, including:
- /glossary/initial-access/
- /glossary/persistence/
- /glossary/lateral-movement/
- /glossary/data-exfiltration/
Defense evasion increases attacker dwell time and reduces the likelihood of early containment.
Why Defense Evasion Matters
Even well-configured security tools are ineffective if attackers can bypass or disable them.
Defense evasion allows adversaries to:
- Disable logging mechanisms
- Tamper with security agents
- Obfuscate malicious payloads
- Hide network traffic
- Modify timestamps
- Clear event logs
- Blend into legitimate system activity
Many prolonged incidents documented under /breaches/ involved successful evasion of monitoring systems.
Common Defense Evasion Techniques
Attackers frequently leverage legitimate system features rather than obvious malware.
| Technique | Description |
|---|---|
| Log tampering | Deleting or modifying audit logs |
| Obfuscation | Encoding or encrypting payloads |
| Process injection | Running malicious code inside trusted processes |
| Living-off-the-land | Using built-in administrative tools |
| Disabling security tools | Stopping antivirus or EDR services |
| Fileless execution | Running code in memory only |
| Timestamp manipulation | Altering file metadata |
These techniques are formally mapped in MITRE ATT&CK under the Defense Evasion tactic.
Defense Evasion vs Persistence
| Stage | Objective |
|---|---|
| Persistence | Maintain long-term access |
| Defense Evasion | Avoid detection while maintaining access |
| Lateral Movement | Expand internal reach |
| Command & Control | Maintain communication |
Persistence ensures continued access.
Defense evasion ensures that access remains unnoticed.
How Defense Evasion Is Enabled
Evasion becomes easier when environments have:
- Excessive administrative privileges
- Incomplete log aggregation
- Weak endpoint monitoring
- Lack of network visibility
- Poor segmentation
- Unpatched vulnerabilities listed under /vulnerabilities/
If exploitation begins through weaknesses such as /glossary/remote-code-execution/ or vulnerabilities marked as /glossary/exploited-in-the-wild/, attackers may quickly deploy evasion techniques to extend dwell time.
Defensive Considerations ️
Reducing defense evasion risk requires:
- Centralized log collection
- Immutable log storage
- Endpoint detection and response (EDR)
- Behavioral anomaly detection
- Monitoring privilege changes
- Restricting administrative tool abuse
- Continuous security validation testing
Operational detection strategies are typically documented under:
Why SECMONS Treats Defense Evasion as Strategic
Defense evasion is what turns a breach into a long-term compromise.
Understanding how attackers avoid detection allows defenders to build layered visibility and reduce attacker dwell time.
Authoritative References
- MITRE ATT&CK — Defense Evasion (TA0005): https://attack.mitre.org/tactics/TA0005/
- CISA Detection and Response Guidance: https://www.cisa.gov/