1. Home
  2. ATT&CK Techniques
  3. T1211 Exploitation for Defense Evasion

T1211 Exploitation for Defense Evasion Mappings

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-4 Information Flow Enforcement Protects T1211 Exploitation for Defense Evasion
AC-6 Least Privilege Protects T1211 Exploitation for Defense Evasion
CA-7 Continuous Monitoring Protects T1211 Exploitation for Defense Evasion
CA-8 Penetration Testing Protects T1211 Exploitation for Defense Evasion
CM-2 Baseline Configuration Protects T1211 Exploitation for Defense Evasion
CM-6 Configuration Settings Protects T1211 Exploitation for Defense Evasion
CM-8 System Component Inventory Protects T1211 Exploitation for Defense Evasion
RA-10 Threat Hunting Protects T1211 Exploitation for Defense Evasion
RA-5 Vulnerability Monitoring and Scanning Protects T1211 Exploitation for Defense Evasion
SC-18 Mobile Code Protects T1211 Exploitation for Defense Evasion
SC-2 Separation of System and User Functionality Protects T1211 Exploitation for Defense Evasion
SC-26 Decoys Protects T1211 Exploitation for Defense Evasion
SC-29 Heterogeneity Protects T1211 Exploitation for Defense Evasion
SC-3 Security Function Isolation Protects T1211 Exploitation for Defense Evasion
SC-30 Concealment and Misdirection Protects T1211 Exploitation for Defense Evasion
SC-35 External Malicious Code Identification Protects T1211 Exploitation for Defense Evasion
SC-39 Process Isolation Protects T1211 Exploitation for Defense Evasion
SC-7 Boundary Protection Protects T1211 Exploitation for Defense Evasion
SI-2 Flaw Remediation Protects T1211 Exploitation for Defense Evasion
SI-3 Malicious Code Protection Protects T1211 Exploitation for Defense Evasion
SI-4 System Monitoring Protects T1211 Exploitation for Defense Evasion
SI-5 Security Alerts, Advisories, and Directives Protects T1211 Exploitation for Defense Evasion
SI-7 Software, Firmware, and Information Integrity Protects T1211 Exploitation for Defense Evasion
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1211 Exploitation for Defense Evasion
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_automation_update_management Azure Automation Update Management technique_scores T1211 Exploitation for Defense Evasion
Comments
This control provides significant coverage of defensive evasion methods that exploit unpatched vulnerabilities in software/systems since it enables automated updates of software and rapid configuration change management.
References
  1. https://docs.microsoft.com/en-us/azure/automation/update-management/overview
azure_policy Azure Policy technique_scores T1211 Exploitation for Defense Evasion
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
  1. https://docs.microsoft.com/en-us/azure/governance/policy/overview
  2. https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
azure_defender_for_app_service Azure Defender for App Service technique_scores T1211 Exploitation for Defense Evasion
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys technique_scores T1211 Exploitation for Defense Evasion
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm
  2. https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm