T1211 Exploitation for Defense Evasion Mappings

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1211 Exploitation for Defense Evasion
AC-6 Least Privilege Protects T1211 Exploitation for Defense Evasion
CA-7 Continuous Monitoring Protects T1211 Exploitation for Defense Evasion
CA-8 Penetration Testing Protects T1211 Exploitation for Defense Evasion
CM-2 Baseline Configuration Protects T1211 Exploitation for Defense Evasion
CM-6 Configuration Settings Protects T1211 Exploitation for Defense Evasion
CM-8 System Component Inventory Protects T1211 Exploitation for Defense Evasion
RA-10 Threat Hunting Protects T1211 Exploitation for Defense Evasion
RA-5 Vulnerability Monitoring and Scanning Protects T1211 Exploitation for Defense Evasion
SC-18 Mobile Code Protects T1211 Exploitation for Defense Evasion
SC-2 Separation of System and User Functionality Protects T1211 Exploitation for Defense Evasion
SC-26 Decoys Protects T1211 Exploitation for Defense Evasion
SC-29 Heterogeneity Protects T1211 Exploitation for Defense Evasion
SC-3 Security Function Isolation Protects T1211 Exploitation for Defense Evasion
SC-30 Concealment and Misdirection Protects T1211 Exploitation for Defense Evasion
SC-35 External Malicious Code Identification Protects T1211 Exploitation for Defense Evasion
SC-39 Process Isolation Protects T1211 Exploitation for Defense Evasion
SC-7 Boundary Protection Protects T1211 Exploitation for Defense Evasion
SI-2 Flaw Remediation Protects T1211 Exploitation for Defense Evasion
SI-3 Malicious Code Protection Protects T1211 Exploitation for Defense Evasion
SI-4 System Monitoring Protects T1211 Exploitation for Defense Evasion
SI-5 Security Alerts, Advisories, and Directives Protects T1211 Exploitation for Defense Evasion
SI-7 Software, Firmware, and Information Integrity Protects T1211 Exploitation for Defense Evasion
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1211 Exploitation for Defense Evasion
azure_automation_update_management Azure Automation Update Management technique_scores T1211 Exploitation for Defense Evasion
azure_policy Azure Policy technique_scores T1211 Exploitation for Defense Evasion
azure_defender_for_app_service Azure Defender for App Service technique_scores T1211 Exploitation for Defense Evasion
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys technique_scores T1211 Exploitation for Defense Evasion