Bypassing detection tools is part of a hacker’s routine these days. Despite the incredible evolution of defensive technologies, attackers often remain undetected for weeks or months, earning the label advanced persistent threat (APT).
Classic security tools are necessary but less and less sufficient. That’s why most security companies are now focusing on behavioral analysis and active endpoint protection, as evasion keeps becoming easier.
For example, intrusion detection tools still rely somewhat on huge databases that contain specific signatures, but even if these databases are updated regularly, hackers can forge custom packets to stay off the radar. As a result, more and more security tools are relying on AI and ML techniques to detect signs of zero-day threats.
We’ll discuss both common and unusual evasion techniques – and practical means for enterprises to protect themselves.
Start with the MITRE ATT&CK Framework
The MITRE ATT&CK framework is one of the best knowledge bases available, as it documents in detail how attackers behave and think.
Defense Evasion is described accurately, with practical examples and dedicated pages for each technique. At the time of writing, there are 40 known techniques attackers can use to evade detection, from classic obfuscation to lateral movements and more sophisticated approaches.
If you have no idea how to spot such sneaky moves, ATT&CK is a great resource, and even advanced teams use it daily, as many security vendors map the knowledge base to perform analysis.
The Top Techniques Used by Hackers
The following evasion approaches are widely used:
- Disabling security tools
- Masquerading (spoofed file types, scheduled tasks, renamed hacking software, etc.)
- Obfuscating malicious code
Evasion helps the attack succeed. Hackers may remain undetected for lengthy periods or for a calculated window of opportunity. We’ve seen various attacks in the headlines over the past months where attackers were perfectly aware they would be detected eventually, but they only needed a couple of hours to operate.
Many security vendors can easily block known hacking software such as Mimikatz, but hackers can lower the detection rate significantly by simply renaming the file so the command that invokes it does not raise alerts.
More advanced attackers may modify a few lines in the source code to lower the detection rate, and most antivirus software will fail to detect it.
It’s also possible to tamper with registry entries to completely disable built-in monitoring, using PowerShell commands such as:
Set-MpPreference -DisableRealTimeMonitoring $true
The Rapid Evolution of Evasion Techniques
Evasion techniques have evolved quickly. The earliest techniques were fake malware signatures or sleep timers (delayed execution). Now hackers are focusing more on EDR evasion and LOTL attacks.
LOTL stands for “living off the land,” which mainly consists of using native tools found on the targeted system – like PowerShell – to attack. In other words, the attackers blend into the victim’s computer systems and cover their actions by using legitimate processes.
This approach is heavily used in cyber espionage, but script kiddies and less advanced hackers might use it too, as the open-sourcing of offensive tooling is rising, making hacking easier.
AppLocker mechanisms and strict permissions management can mitigate LOLBins (living-off-the-land binaries) attacks.
Memory analysis is a bit more technical but effective for spotting common LOLBins used to deliver malware, such as Regsvr32, a Windows utility that can register or unregister DLL files.
Examples of IDS and IPS Evasion
IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) – often combined as intrusion detection and prevention systems (IDPS) – can flag suspicious network packets by comparing them to a threat database filled with known signatures collected in various cyberattacks. IDS only monitors packets while IPS can reject them automatically.
Many attackers use Nmap to discover vulnerable live hosts, but IDS and IPS can detect such active scans and raise alerts immediately.
However, you can pass specific options to Nmap commands that fragment (-f option) packets, manipulate metadata, or send fake data that won’t be matched with known signatures.
Disabling Security Tools
Disabling security tools is a practical approach. The following Windows utilities and features can be deactivated:
- Task manager
- UAC (User Account Control, which prompts before tasks run with admin privileges)
- CMD (the command prompt)
- Windows Security
All have associated registry entries that can be modified. Alternatively, it’s possible to alter the local access policies.
This is where EDR and UEBA can identify unwanted modifications in security policies and unusual events – but watch for attempts to bypass EDR systems too.
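As an added example (not code from the article), here is a small Python detector in the spirit of the EDR/UEBA monitoring just mentioned: it runs a few rules over constructed log lines covering the Set-MpPreference command above and registry policy changes that switch off Task Manager, UAC, CMD and Windows Security. The log line layout and the function names are assumptions; the registry value names and the cmdlet are real Windows names.

```python
# Added example (not from the article): flag log lines that disable Defender
# real-time monitoring via PowerShell or switch off Task Manager, UAC, CMD or
# Windows Security through the registry policy values such tampering touches.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: str

# The value names (DisableTaskMgr, DisableCMD, EnableLUA, DisableAntiSpyware) and
# the Set-MpPreference cmdlet are real Windows names; the "src=... key=... data=..."
# line layout is a constructed stand-in for whatever your EDR or Sysmon pipeline emits.
RULES = {
    "defender_rtp_disabled": re.compile(
        r'Set-MpPreference\b[^"]*-Disable\w*\s+(\$true|1)\b', re.IGNORECASE),
    "taskmgr_or_cmd_disabled": re.compile(
        r'\\(DisableTaskMgr|DisableCMD)"\s+data=[1-9]', re.IGNORECASE),
    "uac_disabled": re.compile(r'\\EnableLUA"\s+data=0\b', re.IGNORECASE),
    "windows_security_disabled": re.compile(
        r'Windows Defender\\DisableAntiSpyware"\s+data=1\b', re.IGNORECASE),
}

SAMPLE_LOG = [  # constructed events: five tampering lines, two benign ones
    'src=PowerShell/ScriptBlock cmd="Set-MpPreference -DisableRealtimeMonitoring $true"',
    'src=PowerShell/ScriptBlock cmd="Get-MpPreference"',
    'src=Sysmon/RegistryValueSet key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" data=1',
    'src=Sysmon/RegistryValueSet key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" data=0',
    'src=Sysmon/RegistryValueSet key="HKCU\\Software\\Policies\\Microsoft\\Windows\\System\\DisableCMD" data=2',
    'src=Sysmon/RegistryValueSet key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" data=1',
    'src=PowerShell/ScriptBlock cmd="Set-MpPreference -DisableRealtimeMonitoring $false"',
]

def scan(lines):
    """Return one Finding per (rule, line) match; lines matching no rule are dropped."""
    return [Finding(name, line) for line in lines
            for name, rx in RULES.items() if rx.search(line)]

def rule_counts(lines):
    """Map rule name -> number of matching lines, a natural input for an alert threshold."""
    counts = {}
    for f in scan(lines):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts
```

Re-enabling protection (the `$false` line) is deliberately not flagged, so the rules catch the tampering step rather than every call to the cmdlet.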
Evasion Can Leverage macOS and Linux Too
Most demos and proofs of concept involve PowerShell commands and modifications to the Windows registry.
Indeed, Windows is still the most popular OS, but macOS and Linux systems are not immune to evasion techniques – and Linux is the basis of many critically important enterprise systems. Hackers can use LOLBins in such environments as well, sometimes giving headaches to researchers trying to analyze the situation.
Attackers can implant persistent agents and kill the Activity Monitor (the macOS equivalent of the Task Manager in Windows) to prevent users from checking resources, as happened in the OSAMiner campaigns.
Linux shell scripts can uninstall cloud-monitoring agents, disable firewalls, or rename common utilities such as wget and curl that can download resources from remote IPs.
All endpoints should be monitored, regardless of the operating system.
Malicious Payloads Can Hide in Unexpected Files
Hackers love classic file types such as PDFs because they do not look suspicious like .exe (executable), .jar (Java) or zip archives do.
Embedded macros in Word and Excel documents are also widely used to bypass antivirus software and other protections and ultimately install malware. The only caveat for attackers is that it usually requires the user to click “enable content” inside Microsoft Office, so macro malware is theoretically much easier to detect and mitigate. However, cybersecurity awareness training is essential to prevent employees from even opening such files.
Indeed, hackers managed to bypass default macro security using non-malicious documents to trick the victims into disabling security warnings and enabling macros that are normally disabled in Microsoft Office. These documents were used to download other documents containing macro code.
Steganographic documents are hard to detect, but CDR (content disarm and reconstruction) can remove non-approved objects in files automatically.
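As an added example (not code from the article or any CDR vendor), here is a minimal Python version of the CDR step just described for macro-enabled Office documents: it detects a VBA project inside an OOXML package and rebuilds the package without it. The sample packages are constructed in memory; the function names are assumptions.

```python
# Added example (not from the article): detect a macro-enabled Office document by its
# OOXML contents and strip the VBA project, a minimal version of the CDR step above.
# The sample packages are constructed in memory, so nothing on disk is needed.
import io
import re
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package; with_macro adds the VBA part and its content type."""
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
    if with_macro:
        types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # constructed placeholder bytes, not a real VBA blob
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

def has_macros(data: bytes) -> bool:
    """True if the package carries a VBA part or declares the VBA content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if any(p in names for p in VBA_PARTS):
            return True
        return VBA_CONTENT_TYPE in z.read("[Content_Types].xml").decode()

def disarm(data: bytes) -> bytes:
    """Rebuild the package without any vbaProject part and without its Override entry."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in VBA_PARTS:
                continue  # the disallowed object is simply not copied across
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = re.sub(rb'<Override[^>]*vnd\.ms-office\.vbaProject[^>]*/>', b"", body)
            dst.writestr(name, body)
    return out.getvalue()

def part_names(data: bytes) -> list:
    """Sorted entry names, useful for checking what survived the rebuild."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())
```

A real .docm also references the VBA part from word/_rels/document.xml.rels and uses a macro-enabled main-document content type, so a production CDR tool normalizes those too. The legacy OLE .doc and .xls formats are not zip packages and need a separate parser.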
RATs (Remote Access Trojans) can have various purposes, from spying/monitoring the victim’s activities (e.g., keystrokes, screenshots, confidential information) to identity theft and malware distribution.
It’s not uncommon for hackers to use infected machines to attack other machines by using the victims’ addresses as fronts for criminal activities.
Moreover, RATs are very effective at evading antivirus software, so using IDPS technology is recommended.
Nothing Replaces Human Analysis – But It Can Be Fooled
Security tools do a tremendous job, especially against common threats. However, skilled adversaries often succeed at bypassing them.
They can anticipate the work of security analysts, perhaps even leading researchers, and hide malicious commands inside legitimate system commands and instructions.
Those command lines are often quite long and used by very few specialists who work at a low level, for example with kernels or assembly code. Even if an analyst is intrigued by such unusual lines in security logs, a Google search will likely indicate it’s a perfectly legitimate process.
You cannot fight against something you don’t know, and most security tools focus on known attacks and technologies, not highly complex scenarios that are specifically meant to lure defenders with social engineering and noisy data.
In this case, understanding the tactics and procedures involved is a top priority. Threat hunting, endpoint logs and auditing can save the day.