Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.
There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
References
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
References
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a system or application vulnerability to bypass security features.
References
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
References
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
| azure_policy | Azure Policy | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
| azure_update_manager | Azure Update Manager | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
This control provides significant coverage of defensive evasion methods that exploit unpatched vulnerabilities in software/systems since it enables automated updates of software and rapid configuration change management.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| artifact_analysis | Artifact Analysis | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect variations to store system packages and images stored in the repository, which adversaries may target to establish persistence while evading cyber defenses.
References
|
| vm_manager | VM Manager | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
| aws_config | AWS Config | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for defense evasion.
All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1211 | Exploitation for Defense Evasion |
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.
EC2 instances that have missing security patches for important vulnerabilities
This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
|