Home
ATT&CK Techniques
T1211 Exploitation for Defense Evasion

T1211 Exploitation for Defense Evasion Mappings

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
AC-4	Information Flow Enforcement	Protects	T1211	Exploitation for Defense Evasion
AC-6	Least Privilege	Protects	T1211	Exploitation for Defense Evasion
CA-7	Continuous Monitoring	Protects	T1211	Exploitation for Defense Evasion
CA-8	Penetration Testing	Protects	T1211	Exploitation for Defense Evasion
CM-2	Baseline Configuration	Protects	T1211	Exploitation for Defense Evasion
CM-6	Configuration Settings	Protects	T1211	Exploitation for Defense Evasion
CM-8	System Component Inventory	Protects	T1211	Exploitation for Defense Evasion
RA-10	Threat Hunting	Protects	T1211	Exploitation for Defense Evasion
RA-5	Vulnerability Monitoring and Scanning	Protects	T1211	Exploitation for Defense Evasion
SC-18	Mobile Code	Protects	T1211	Exploitation for Defense Evasion
SC-2	Separation of System and User Functionality	Protects	T1211	Exploitation for Defense Evasion
SC-26	Decoys	Protects	T1211	Exploitation for Defense Evasion
SC-29	Heterogeneity	Protects	T1211	Exploitation for Defense Evasion
SC-3	Security Function Isolation	Protects	T1211	Exploitation for Defense Evasion
SC-30	Concealment and Misdirection	Protects	T1211	Exploitation for Defense Evasion
SC-35	External Malicious Code Identification	Protects	T1211	Exploitation for Defense Evasion
SC-39	Process Isolation	Protects	T1211	Exploitation for Defense Evasion
SC-7	Boundary Protection	Protects	T1211	Exploitation for Defense Evasion
SI-2	Flaw Remediation	Protects	T1211	Exploitation for Defense Evasion
SI-3	Malicious Code Protection	Protects	T1211	Exploitation for Defense Evasion
SI-4	System Monitoring	Protects	T1211	Exploitation for Defense Evasion
SI-5	Security Alerts, Advisories, and Directives	Protects	T1211	Exploitation for Defense Evasion
SI-7	Software, Firmware, and Information Integrity	Protects	T1211	Exploitation for Defense Evasion
CVE-2020-3244	Cisco ASR 5000 Series Software	primary_impact	T1211	Exploitation for Defense Evasion
CVE-2020-11087	FreeRDP	secondary_impact	T1211	Exploitation for Defense Evasion
CVE-2020-11019	FreeRDP	secondary_impact	T1211	Exploitation for Defense Evasion
CVE-2020-1141	Windows	secondary_impact	T1211	Exploitation for Defense Evasion
CVE-2014-4114	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2020-10817	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2019-5786	Chrome	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2017-0213	Windows COM	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2017-6922	Drupal Core	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2019-11708	Firefox ESR	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2018-7496	OSIsoft PI Vision	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2015-1494	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2014-0751	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2020-8468	Trend Micro OfficeScan, Trend Micro Apex One, Trend Micro Worry-Free Business Security (WFBS)	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2018-6112	Chrome	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2015-7755	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2018-0560	Hatena Bookmark App for iOS	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2018-8337	Windows 10	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2013-7246	n/a	uncategorized	T1211	Exploitation for Defense Evasion
CVE-2018-16179	Mizuho Direct App for Android	uncategorized	T1211	Exploitation for Defense Evasion
action.malware.variety.Exploit vuln	Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.)	related-to	T1211	Exploitation for Defense Evasion
aws_config	AWS Config	technique_scores	T1211	Exploitation for Defense Evasion	Comments The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for defense evasion. All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial. References https://docs.aws.amazon.com/config https://docs.aws.amazon.com/config/latest/developerguide https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
amazon_inspector	Amazon Inspector	technique_scores	T1211	Exploitation for Defense Evasion	Comments Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial. References https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html
aws_security_hub	AWS Security Hub	technique_scores	T1211	Exploitation for Defense Evasion	Comments AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities. References https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html