The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
| ID | Name | Description | |
| T2029 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. | |
| T2030 | Deobfuscate/Decode Files or Information | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. | |
| T2031 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. | |
| T2032 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. | |
| .001 | CAN Restrict | Adversaries may exploit the CAN Restrict attack technique in vehicle cybersecurity to bypass restrictions on the Controller Area Network (CAN) bus. The CAN bus is a critical component of modern vehicles, responsible for transmitting messages between different electronic control units (ECUs) within the vehicle. The CAN bus transmit chip typically restricts the types of messages that can be transmitted on the network to prevent unauthorized access and manipulation. However, adversaries can rewrite or exploit the firmware or driver of the CAN bus transmit chip to bypass these restrictions and transmit arbitrary CAN messages on the network. | |
| .002 | Disable Memory Protection | Adversaries may exploit vulnerabilities in vehicle systems to disable memory protection, allowing them to manipulate and compromise the vehicle's software and potentially gain unauthorized access to critical functions. This technique involves bypassing the security measures that protect the vehicle's memory, providing adversaries with the ability to execute malicious code and tamper with system operations. | |
| .003 | Disable or Modify System Firewall | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. | |
| T2033 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. | |
| .001 | Code Signing | Adversaries may exploit code signing to bypass security measures and execute unauthorized code within vehicle systems. When updating the system, the update progress may verify if the update image is valid. Adversaries might exploit the update progress and bypass the validation check. | |
| .002 | UDS Security Access | Adversaries may exploit UDS Security Access in vehicle cybersecurity to gain unauthorized access to critical ECU services. This technique involves cracking the challenge and response mechanism used to unlock secure features. By reversing the challenge and response function, adversaries can extract the key and bypass the security measures in place. | |
| T2011 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. | |
| T2035 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. | |