Home
ATT&CK Techniques
T1211 Exploitation for Defense Evasion

T1211 Exploitation for Defense Evasion Mappings

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
AC-04	Information Flow Enforcement	Protects	T1211	Exploitation for Defense Evasion
AC-06	Least Privilege	Protects	T1211	Exploitation for Defense Evasion
CA-07	Continuous Monitoring	Protects	T1211	Exploitation for Defense Evasion
CA-08	Penetration Testing	Protects	T1211	Exploitation for Defense Evasion
CM-02	Baseline Configuration	Protects	T1211	Exploitation for Defense Evasion
CM-06	Configuration Settings	Protects	T1211	Exploitation for Defense Evasion
CM-08	System Component Inventory	Protects	T1211	Exploitation for Defense Evasion
RA-10	Threat Hunting	Protects	T1211	Exploitation for Defense Evasion
RA-05	Vulnerability Monitoring and Scanning	Protects	T1211	Exploitation for Defense Evasion
SC-18	Mobile Code	Protects	T1211	Exploitation for Defense Evasion
SC-02	Separation of System and User Functionality	Protects	T1211	Exploitation for Defense Evasion
SC-26	Decoys	Protects	T1211	Exploitation for Defense Evasion
SC-29	Heterogeneity	Protects	T1211	Exploitation for Defense Evasion
SC-03	Security Function Isolation	Protects	T1211	Exploitation for Defense Evasion
SC-30	Concealment and Misdirection	Protects	T1211	Exploitation for Defense Evasion
SC-35	External Malicious Code Identification	Protects	T1211	Exploitation for Defense Evasion
SC-39	Process Isolation	Protects	T1211	Exploitation for Defense Evasion
SC-07	Boundary Protection	Protects	T1211	Exploitation for Defense Evasion
SI-02	Flaw Remediation	Protects	T1211	Exploitation for Defense Evasion
SI-03	Malicious Code Protection	Protects	T1211	Exploitation for Defense Evasion
SI-04	System Monitoring	Protects	T1211	Exploitation for Defense Evasion
SI-05	Security Alerts, Advisories, and Directives	Protects	T1211	Exploitation for Defense Evasion
SI-07	Software, Firmware, and Information Integrity	Protects	T1211	Exploitation for Defense Evasion
DEF-SecScore-E3	Secure Score	Technique Scores	T1211	Exploitation for Defense Evasion	Comments Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection) References https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide https://security.microsoft.com/securescore?