title: Exploitation for Defense Evasion (T1211)
id: df00tech-t1211
status: experimental
description: "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. There have also been examples of vulnerabilities in public cloud infrastructure and SaaS applications that may bypass defense boundaries, evade security logs, or deploy hidden infrastructure."
references:
  - https://attack.mitre.org/techniques/T1211/
  - https://df00tech.com/detections/T1211
author: df00tech
date: 2026/04/19
tags:
  - attack.t1211
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security software updates may spawn cmd.exe or PowerShell as part of self-update or installer routines
  - "Endpoint management platforms (SCCM, Intune, BigFix) may access security software processes during health checks or remediation"
  - "Legitimate security tools performing process inspection (SysInternals, vulnerability scanners) may open handles to security processes"
  - Vendor-provided diagnostic or support tools for the security product itself may trigger process access alerts
  - Windows Error Reporting (WerFault.exe) opens handles to crashed processes including security software during crash dump collection
level: critical