Defense Evasion

Techniques for evading endpoint detection and response (EDR) systems, antivirus software, and security monitoring for red team operations and penetration testing.

Dec 11, 2025
Updated Dec 11, 2025

Overview

Modern enterprise environments are protected by sophisticated security solutions including EDR (Endpoint Detection and Response), antivirus software, logging systems, and behavioral analysis tools. Understanding evasion techniques is crucial for red team operations and realistic security assessments. This section covers methods to bypass security controls while maintaining operational security.

EDR Evasion

  • EDR Evasion - Techniques to bypass endpoint detection and response systems

Evasion Methodology

Phase 1: Reconnaissance

  • Identify security products installed (EDR, AV, SIEM)
  • Enumerate monitoring and logging capabilities
  • Check for behavioral analysis systems
  • Review application whitelisting
  • Identify network monitoring

Phase 2: Operational Security (OPSEC)

  • Minimize detection surface
  • Blend with normal user behavior
  • Use living-off-the-land techniques
  • Avoid known malicious patterns
  • Encrypt communications

Phase 3: Evasion Techniques

  • Obfuscate payloads and scripts
  • Use indirect system calls
  • Implement process injection
  • Leverage signed binaries (LOLBins)
  • Disable or bypass security features

Phase 4: Persistence Evasion

  • Use stealthy persistence mechanisms
  • Avoid common autorun locations
  • Leverage scheduled tasks with legitimate appearance
  • Use DLL hijacking in trusted paths
  • Implement fileless persistence

Common Evasion Techniques

Code Obfuscation

  • String encryption
  • Control flow flattening
  • Dead code insertion
  • Polymorphic code generation
  • Code signing with valid certificates

Process Injection

  • Classic DLL injection
  • Reflective DLL injection
  • Process hollowing
  • Process doppelganging
  • Thread execution hijacking

Living Off the Land (LOLBins)

Using legitimate Windows binaries:

  • PowerShell with constrained language bypass
  • WMI for execution and persistence
  • MSHTA for payload delivery
  • Regsvr32 for script execution
  • Certutil for file downloads

Memory-Based Techniques

  • Execute payloads in memory only
  • Avoid writing to disk
  • Use reflective loading
  • Leverage .NET in-memory compilation
  • Employ direct system calls

Anti-Forensics

  • Clear event logs selectively
  • Timestomp files to avoid timeline detection
  • Use NTFS alternate data streams
  • Remove evidence from prefetch and shimcache
  • Manipulate process arguments

Detection Avoidance Strategies

Signature Evasion

  • Modify known malicious patterns
  • Use custom tooling instead of public tools
  • Encrypt and encode payloads
  • Break up payloads into stages
  • Implement time-based execution

Behavioral Evasion

  • Mimic legitimate user activity
  • Respect rate limits and timing
  • Use standard ports and protocols
  • Avoid suspicious parent-child process relationships
  • Implement user interaction checks

Network Evasion

  • Use encrypted channels (HTTPS, DNS over HTTPS)
  • Domain fronting and redirectors
  • Blend with legitimate traffic
  • Implement jitter and sleep randomization
  • Use peer-to-peer C2 channels

Modern EDR Bypass Techniques

Kernel Callbacks

  • Unhook EDR kernel callbacks
  • Patch ETW (Event Tracing for Windows)
  • Disable threat intelligence feeds
  • Bypass AMSI (Antimalware Scan Interface)
  • Manipulate protected processes

Hardware-Based Evasion

  • Bring Your Own Vulnerable Driver (BYOVD)
  • Hypervisor-based rootkits
  • Firmware-level persistence
  • SMM (System Management Mode) rootkits

Essential Tools & Frameworks

Tool                 Primary Use
Sliver               Modern C2 with built-in evasion
Donut                In-memory .NET assembly execution
ScareCrow            Payload obfuscation framework
Invoke-Obfuscation   PowerShell obfuscation
ThreatCheck          Test payloads against Defender

Responsible Use

These techniques should only be used in authorized engagements:

  • Obtain written permission before testing
  • Define rules of engagement clearly
  • Document all actions for reporting
  • Avoid causing system instability
  • Respect data privacy and legal boundaries

Defense Evasion | Drake Axelrod