TA0005
Defense Evasion Detection Rules
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
df00tech ships 221 production-ready detection rules mapped to the Defense Evasion tactic (TA0005). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, with data-source requirements, severity and false-positive guidance — free to use.
Defense Evasion detections (221)
- CVE-2024-26234 Windows Proxy Driver Spoofing via Malicious Signed Driver
- T1006 Direct Volume Access
- T1014 Rootkit
- T1027 Obfuscated Files or Information
- T1027.001 Binary Padding
- T1027.002 Software Packing
- T1027.003 Steganography
- T1027.004 Compile After Delivery
- T1027.005 Indicator Removal from Tools
- T1027.006 HTML Smuggling
- T1027.007 Dynamic API Resolution
- T1027.008 Stripped Payloads
- T1027.009 Embedded Payloads
- T1027.010 Command Obfuscation
- T1027.011 Fileless Storage
- T1027.012 LNK Icon Smuggling
- T1027.013 Encrypted/Encoded File
- T1027.014 Polymorphic Code
- T1027.015 Compression
- T1027.016 Junk Code Insertion
- T1027.017 SVG Smuggling
- T1036 Masquerading
- T1036.001 Invalid Code Signature
- T1036.002 Right-to-Left Override
- T1036.003 Rename Legitimate Utilities
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1036.006 Space after Filename
- T1036.007 Double File Extension
- T1036.008 Masquerade File Type
- T1036.009 Break Process Trees
- T1036.010 Masquerade Account Name
- T1036.011 Overwrite Process Arguments
- T1036.012 Browser Fingerprint
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1055.002 Portable Executable Injection
- T1055.003 Thread Execution Hijacking
- T1055.004 Asynchronous Procedure Call
- T1055.005 Thread Local Storage
- T1055.008 Ptrace System Calls
- T1055.009 Proc Memory
- T1055.011 Extra Window Memory Injection
- T1055.012 Process Hollowing
- T1055.013 Process Doppelganging
- T1055.014 VDSO Hijacking
- T1055.015 ListPlanting
- T1064 Scripting
- T1070 Indicator Removal
- T1070.001 Clear Windows Event Logs
- T1070.002 Clear Linux or Mac System Logs
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1070.005 Network Share Connection Removal
- T1070.006 Timestomp
- T1070.007 Clear Network Connection History and Configurations
- T1070.008 Clear Mailbox Data
- T1070.009 Clear Persistence
- T1070.010 Relocate Malware
- T1078 Valid Accounts
- T1078.001 Default Accounts
- T1078.002 Domain Accounts
- T1078.003 Local Accounts
- T1078.004 Cloud Accounts
- T1108 Redundant Access
- T1112 Modify Registry
- T1127 Trusted Developer Utilities Proxy Execution
- T1127.001 MSBuild
- T1127.002 ClickOnce
- T1127.003 JamPlus
- T1134 Access Token Manipulation
- T1134.001 Token Impersonation/Theft
- T1134.002 Create Process with Token
- T1134.003 Make and Impersonate Token
- T1134.004 Parent PID Spoofing
- T1134.005 SID-History Injection
- T1140 Deobfuscate/Decode Files or Information
- T1149 LC_MAIN Hijacking
- T1197 BITS Jobs
- T1202 Indirect Command Execution
- T1205 Traffic Signaling
- T1205.001 Port Knocking
- T1205.002 Socket Filters
- T1207 Rogue Domain Controller
- T1211 Exploitation for Defense Evasion
- T1216 System Script Proxy Execution
- T1216.001 PubPrn
- T1216.002 SyncAppvPublishingServer
- T1218 System Binary Proxy Execution
- T1218.001 Compiled HTML File
- T1218.002 Control Panel
- T1218.003 CMSTP
- T1218.004 InstallUtil
- T1218.005 Mshta
- T1218.007 Msiexec
- T1218.008 Odbcconf
- T1218.009 Regsvcs/Regasm
- T1218.010 Regsvr32
- T1218.011 Rundll32
- T1218.012 Verclsid
- T1218.013 Mavinject
- T1218.014 MMC
- T1218.015 Electron Applications
- T1220 XSL Script Processing
- T1221 Template Injection
- T1222 File and Directory Permissions Modification
- T1222.001 Windows File and Directory Permissions Modification
- T1222.002 Linux and Mac File and Directory Permissions Modification
- T1480 Execution Guardrails
- T1480.001 Environmental Keying
- T1480.002 Mutual Exclusion
- T1484 Domain or Tenant Policy Modification
- T1484.001 Group Policy Modification
- T1484.002 Trust Modification
- T1497 Virtualization/Sandbox Evasion
- T1497.001 System Checks
- T1497.002 User Activity Based Checks
- T1497.003 Time Based Checks
- T1535 Unused/Unsupported Cloud Regions
- T1542 Pre-OS Boot
- T1542.001 System Firmware
- T1542.002 Component Firmware
- T1542.003 Bootkit
- T1542.004 ROMMONkit
- T1542.005 TFTP Boot
- T1548 Abuse Elevation Control Mechanism
- T1548.001 Setuid and Setgid
- T1548.002 Bypass User Account Control
- T1548.003 Sudo and Sudo Caching
- T1548.004 Elevated Execution with Prompt
- T1548.005 Temporary Elevated Cloud Access
- T1548.006 TCC Manipulation
- T1550 Use Alternate Authentication Material
- T1550.001 Application Access Token
- T1550.002 Pass the Hash
- T1550.003 Pass the Ticket
- T1550.004 Web Session Cookie
- T1553 Subvert Trust Controls
- T1553.001 Gatekeeper Bypass
- T1553.002 Code Signing
- T1553.003 SIP and Trust Provider Hijacking
- T1553.004 Install Root Certificate
- T1553.005 Mark-of-the-Web Bypass
- T1553.006 Code Signing Policy Modification
- T1556 Modify Authentication Process
- T1556.001 Domain Controller Authentication
- T1556.002 Password Filter DLL
- T1556.003 Pluggable Authentication Modules
- T1556.004 Network Device Authentication
- T1556.005 Reversible Encryption
- T1556.006 Multi-Factor Authentication
- T1556.007 Hybrid Identity
- T1556.008 Network Provider DLL
- T1556.009 Conditional Access Policies
- T1562 Impair Defenses
- T1562.001 Disable or Modify Tools
- T1562.002 Disable Windows Event Logging
- T1562.003 Impair Command History Logging
- T1562.004 Disable or Modify System Firewall
- T1562.006 Indicator Blocking
- T1562.007 Disable or Modify Cloud Firewall
- T1562.008 Disable or Modify Cloud Logs
- T1562.009 Safe Mode Boot
- T1562.010 Downgrade Attack
- T1562.011 Spoof Security Alerting
- T1562.012 Disable or Modify Linux Audit System
- T1562.013 Disable or Modify Network Device Firewall
- T1564 Hide Artifacts
- T1564.001 Hidden Files and Directories
- T1564.002 Hidden Users
- T1564.003 Hidden Window
- T1564.004 NTFS File Attributes
- T1564.005 Hidden File System
- T1564.006 Run Virtual Instance
- T1564.007 VBA Stomping
- T1564.008 Email Hiding Rules
- T1564.009 Resource Forking
- T1564.010 Process Argument Spoofing
- T1564.011 Ignore Process Interrupts
- T1564.012 File/Path Exclusions
- T1564.013 Bind Mounts
- T1564.014 Extended Attributes
- T1574 Hijack Execution Flow
- T1574.001 DLL
- T1574.002 DLL Side-Loading
- T1574.004 Dylib Hijacking
- T1574.005 Executable Installer File Permissions Weakness
- T1574.006 Dynamic Linker Hijacking
- T1574.007 Path Interception by PATH Environment Variable
- T1574.008 Path Interception by Search Order Hijacking
- T1574.009 Path Interception by Unquoted Path
- T1574.010 Services File Permissions Weakness
- T1574.011 Services Registry Permissions Weakness
- T1574.012 COR_PROFILER
- T1574.013 KernelCallbackTable
- T1574.014 AppDomainManager
- T1578 Modify Cloud Compute Infrastructure
- T1578.001 Create Snapshot
- T1578.002 Create Cloud Instance
- T1578.003 Delete Cloud Instance
- T1578.004 Revert Cloud Instance
- T1578.005 Modify Cloud Compute Configurations
- T1599 Network Boundary Bridging
- T1599.001 Network Address Translation Traversal
- T1600 Weaken Encryption
- T1600.001 Reduce Key Space
- T1600.002 Disable Crypto Hardware
- T1601 Modify System Image
- T1601.001 Patch System Image
- T1601.002 Downgrade System Image
- T1610 Deploy Container
- T1612 Build Image on Host
- T1620 Reflective Code Loading
- T1622 Debugger Evasion
- T1647 Plist File Modification
- T1656 Impersonation
- T1666 Modify Cloud Resource Hierarchy
- T1672 Email Spoofing
- T1678 Delay Execution
- T1679 Selective Exclusion
- THREAT-EntraID-TokenTheft Microsoft Entra ID Session Token Theft and Replay
All MITRE ATT&CK Tactics
TA0043 Reconnaissance TA0042 Resource Development TA0001 Initial Access TA0002 Execution TA0003 Persistence TA0004 Privilege Escalation TA0005 Defense Evasion TA0006 Credential Access TA0007 Discovery TA0008 Lateral Movement TA0009 Collection TA0011 Command and Control TA0010 Exfiltration TA0040 Impact