Exploitation for Defense Evasion
Info
ID: AT-DC003
Tactic: Deepening Control
Sub-techniques: Hijacking, Injection, Proc Memory, Ptrace System Calls, Reflective Code Loading, Shared Library, Thread Execution
Platforms: Linux, macOS, Windows, IaaS
Defense Bypassed: Anti-virus, Application Control, System Monitoring
Exploitation for Defense Evasion
Adversaries may exploit the way the target operating system or runtime environment monitors processes, memory, and filesystem operations in order to remain undetected. Techniques include injecting code into legitimate processes, using ptrace system calls to alter the runtime behaviour of another process, and reflectively loading code so that a malicious module is mapped directly from memory rather than from a file on disk. These techniques defeat simple signature-based detection and complicate incident response, because the malicious activity is carried out by, or blends with, legitimate system processes.
Cloud and container platforms usually ship monitoring agents and logging for security visibility, but an adversary who exploits, bypasses, or disables those checks can remain hidden for long periods. Evading defenses buys time to pivot through the environment, exfiltrate data, or establish deeper persistence. This technique typically appears alongside other advanced tactics, since staying unnoticed is a prerequisite for a broad compromise.
Detection
ID | Data Source | Detection |
---|---|---|
DS0015 | Application Log | Raise an alert when a security product (AV, EDR, WAF) reports a crash, self-protection fault, or watchdog reset within seconds of exploit traffic or privilege-escalation activity; these are classic symptoms of an adversary disabling or patching the control. |
DS0009 | Process: Process Access | Detect memory manipulation or injection for fileless execution between an untrusted process and a higher-privilege target, for example an unsigned or low-privilege process opening another process's address space with write access. |
DS0009 | Process: OS API Execution | Alert when a process executes system calls associated with defense evasion, for example ptrace(PTRACE_ATTACH), process_vm_writev, or mprotect(PROT_EXEC) on pages it previously wrote to. |
DS0009 | Process: Process Creation | Raise when a process is started with the CLONE_UNTRACED or CLONE_PTRACE flag (or the platform equivalent), which can indicate deliberate debugger evasion or remote-thread execution. |
DS0022 | File: File Creation | Detect newly created files or libraries that reuse trusted filenames but whose hash, signature, or compile timestamp diverges from the expected baseline. |
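The OS API Execution and Process Access rows above describe the detection logic in words. The following is an added example, not part of this page or of any vendor's product, showing how that logic looks when run over Linux auditd SYSCALL records. The records are constructed for the example (not a real capture), the syscall numbers are x86_64, and the rule is deliberately stateful: it remembers writable mappings per pid so that an mprotect(PROT_EXEC) over a region the process could already write (the write-then-execute pattern of reflective loaders and injectors) is flagged, while a plain PROT_READ mprotect from an unrelated process is not.

```python
import re

# x86_64 syscall numbers; other architectures need their own table.
SYSCALLS = {9: "mmap", 10: "mprotect", 101: "ptrace", 311: "process_vm_writev"}
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206
PROT_WRITE, PROT_EXEC = 0x2, 0x4

# Constructed sample records in auditd SYSCALL format (not a real capture).
# Records 1-4 are one loader process: RW mmap, flip to RX, ptrace attach,
# then a cross-process write. Records 5-6 are benign/failed noise.
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.001:10): arch=c000003e syscall=9 success=yes exit=139637976731648 a0=0 a1=1000 a2=3 a3=22 pid=4321 comm="loader" exe="/tmp/loader"',
    'type=SYSCALL msg=audit(1700000000.002:11): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000001000 a1=1000 a2=5 a3=0 pid=4321 comm="loader" exe="/tmp/loader"',
    'type=SYSCALL msg=audit(1700000000.003:12): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=4321 comm="loader" exe="/tmp/loader"',
    'type=SYSCALL msg=audit(1700000000.004:13): arch=c000003e syscall=311 success=yes exit=512 a0=4d2 a1=7ffd0 a2=1 a3=7ffe0 pid=4321 comm="loader" exe="/tmp/loader"',
    'type=SYSCALL msg=audit(1700000000.005:14): arch=c000003e syscall=10 success=yes exit=0 a0=7f1000000000 a1=2000 a2=1 a3=0 pid=777 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1700000000.006:15): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=1 a2=0 a3=0 pid=777 comm="bash" exe="/usr/bin/bash"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def overlaps(a_start, a_len, b_start, b_len):
    """True if the half-open ranges [a_start, a_start+a_len) and [b_start, b_start+b_len) intersect."""
    return a_start < b_start + b_len and b_start < a_start + a_len


def analyze(lines):
    """Return a list of (pid, comm, reason) alerts for evasion-related syscalls."""
    writable = {}   # pid -> [(addr, length)] regions mapped or protected writable
    alerts = []
    for line in lines:
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("success") != "yes":
            continue                        # failed calls are noise for this rule
        name = SYSCALLS.get(int(r["syscall"]))
        if name is None:
            continue
        pid, comm = int(r["pid"]), r.get("comm", "?")
        # auditd logs a0..a3 as hex without a 0x prefix; exit is decimal.
        a0, a1, a2 = (int(r[k], 16) for k in ("a0", "a1", "a2"))
        if name == "ptrace" and a0 in (PTRACE_ATTACH, PTRACE_SEIZE):
            alerts.append((pid, comm, f"ptrace attach/seize of pid {a1}"))
        elif name == "process_vm_writev":
            alerts.append((pid, comm, f"process_vm_writev into pid {a0}"))
        elif name == "mmap" and a2 & PROT_WRITE:
            addr = int(r["exit"])           # mmap returns the mapping address
            writable.setdefault(pid, []).append((addr, a1))
        elif name == "mprotect":
            if a2 & PROT_WRITE:
                writable.setdefault(pid, []).append((a0, a1))
            if a2 & PROT_EXEC:
                if a2 & PROT_WRITE:
                    alerts.append((pid, comm, f"mprotect RWX at {a0:#x}"))
                elif any(overlaps(a0, a1, s, n) for s, n in writable.get(pid, [])):
                    alerts.append((pid, comm,
                                   f"mprotect PROT_EXEC on previously writable region at {a0:#x}"))
    return alerts


if __name__ == "__main__":
    for pid, comm, reason in analyze(SAMPLE):
        print(f"ALERT pid={pid} comm={comm}: {reason}")
```

Run against the sample it produces three alerts, all for pid 4321: the RW-to-RX flip, the PTRACE_ATTACH to pid 1234, and the process_vm_writev into the same pid. In production the same logic would read from the audit socket or a log pipeline, the syscall table would be chosen per `arch=`, and a JIT allowlist (browsers, language runtimes) would be needed to keep the mprotect rule quiet.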
Mitigations
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | Deploy endpoint detection and response tooling that blocks behaviours such as cross-process memory writes, remote thread creation, and ptrace attachment rather than relying on file signatures alone. |
M1050 | Exploit Protection | Enable exploit protection and memory protections (for example non-executable memory, ASLR, and control-flow integrity) so that injected or reflectively loaded code cannot be executed reliably. |
M1022 | Restrict File and Directory Permissions | Apply strict file and directory permissions so that security-agent binaries, configuration, and libraries in trusted paths cannot be replaced or tampered with by unprivileged processes. |