Bypassing detection tools is a hacker’s routine these days. Despite the incredible development of defense technologies, attackers often go undetected for weeks or months, earning them the Advanced Persistent Threat (APT) label.
Classic security tools are necessary, but less and less sufficient. Because of this, most security companies are now focusing on behavioral analytics and active endpoint protection as evasion becomes easier and easier.
For example, intrusion detection tools still rely heavily on huge databases of specific signatures, but even if those databases are updated regularly, hackers can forge custom packets to stay off the radar. As a result, more and more security tools rely on AI and ML techniques to detect signs of zero-day threats.
We’ll discuss both common and uncommon evasion techniques – and practical ways for businesses to protect themselves.
Start with the MITRE ATT&CK framework
The MITRE ATT&CK framework is one of the best knowledge bases available because it documents in detail how attackers behave and think.
Defense Evasion is described in detail, with practical examples and a dedicated page for each technique. At the time of writing, there are 40 known techniques attackers can use to evade detection, ranging from classic obfuscation to lateral movement to more sophisticated approaches.
If you have no idea how to spot such sneaky steps, ATT&CK is a great resource, and even advanced teams use it daily, since many security vendors map their analyses to the knowledge base.
Hackers' top techniques
The following evasion techniques are widely used:
- Disabling security tools
- Masquerading (spoofed file types, scheduled tasks, renamed hacking tools, etc.)
- Malicious code obfuscation
Evasion helps the attack succeed. Hackers can remain undetected for extended periods of time or for a calculated window of time. We’ve seen various attacks in the headlines over the last few months where the attackers were fully aware that they would eventually be detected, but only took a few hours to operate.
Many security vendors can easily block known hacking software like Mimikatz, but hackers can significantly lower the detection rate simply by renaming the file so that the invocation command does not trigger any alerts.
More advanced attackers can change a few lines in the source code to reduce the detection rate, and most antivirus programs will not detect this.
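Renaming a binary changes the file name on disk but not the name compiled into its version resource, and telemetry such as Sysmon process-creation events (Event ID 1) records both as `Image` and `OriginalFileName`. The following detection logic, added here as an illustration and not code from the original article, compares the two fields and flags renamed binaries and tools on a watchlist. The event records are constructed samples, and the `WATCHLIST` set is an assumption built from the one tool the article names.

```python
"""Flag process-creation events whose on-disk name does not match the name
compiled into the binary (Sysmon Event ID 1 style fields; constructed data)."""
import ntpath

# Tools whose compiled-in OriginalFileName is worth alerting on regardless of
# what the file is called on disk. Only the tool named in the article is listed.
WATCHLIST = {"mimikatz.exe"}

# Constructed sample events, not real telemetry. Field names follow Sysmon Event ID 1.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "mimikatz.exe"},
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Tools\custom.exe", "OriginalFileName": "-"},
]


def normalize(name: str) -> str:
    """Lower-case and drop the extension so 'PowerShell.EXE' compares equal to 'powershell'."""
    return ntpath.splitext(name.strip().lower())[0]


def classify(event: dict) -> list:
    """Return a list of findings for one event (empty list means nothing suspicious)."""
    findings = []
    on_disk = ntpath.basename(event["Image"])
    compiled_in = event.get("OriginalFileName", "-")
    if compiled_in in ("", "-"):
        # No version resource at all. Weak on its own, but stripping it is a
        # known way to defeat exactly this comparison, so surface it.
        findings.append("no OriginalFileName in version info")
        return findings
    if compiled_in.lower() in WATCHLIST:
        findings.append(f"watchlisted tool {compiled_in}")
    if normalize(on_disk) != normalize(compiled_in):
        findings.append(f"renamed: {on_disk} was built as {compiled_in}")
    return findings


def scan(events: list) -> dict:
    """Map each suspicious Image path to its findings; clean events are omitted."""
    results = {}
    for event in events:
        findings = classify(event)
        if findings:
            results[event["Image"]] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan(EVENTS).items():
        print(image, "->", "; ".join(findings))
```

The comparison is deliberately case- and extension-insensitive, because legitimate Windows binaries often carry upper-case or differently cased names in their version resource. Legitimate software does occasionally ship with a mismatched `OriginalFileName`, so treat a mismatch as a hunting lead to enrich with signature and hash data rather than a stand-alone alert.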
It’s also possible to tamper with registry entries to completely disable built-in monitoring, using PowerShell commands like the following:
Set-MpPreference -DisableRealtimeMonitoring $true
The rapid development of evasive techniques
Evasive techniques have evolved rapidly. The earliest techniques were fake malware signatures or sleep timers (delayed execution). Now hackers focus more on EDR bypass and LOTL attacks.
LOTL stands for “Living off the Land”, which mainly consists of using native tools found on the target system – like PowerShell – for attacks. In other words, the attackers hack into the victim’s computer systems and disguise their actions by using legitimate processes.
This approach is commonly used in cyber espionage, but script kiddies and less advanced hackers can also use it, as offensive tooling is increasingly shared as open source and hacking is becoming easier.
AppLocker policies and strict permission management can mitigate LOLBin (Living Off the Land Binary) attacks.
Memory analysis is a bit more technical but effective in detecting common LOLBins used to deliver malware, such as Regsvr32, a Windows utility that can register or unregister DLL files.
Examples of IDS and IPS bypass
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) — often combined as intrusion detection and prevention systems (IDPS) — can flag suspicious network packets by comparing them against a threat database of signatures collected from known cyberattacks. An IDS only monitors packets, while an IPS can automatically drop them.
Many attackers use Nmap to discover vulnerable live hosts, but IDS and IPS can detect such active scans and trigger immediate alerts.
However, attackers can pass options to Nmap that fragment packets (the -f option), manipulate metadata, or send forged data that does not match known signatures.
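Fragmentation defeats a signature engine only when the engine inspects each fragment in isolation; an IDS that reassembles the datagram before matching sees the same bytes the receiving host does. The following Python model, added here as an illustration and not code from the original article, cuts a constructed HTTP request into 8-byte pieces the way IP fragmentation does and shows that per-fragment matching misses a signature which matching on the reassembled stream finds. The signature is the "Nmap Scripting Engine" substring of Nmap's default HTTP User-Agent; the request itself is constructed.

```python
"""Per-fragment vs. reassembled signature matching (constructed traffic)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # "more fragments" flag: False only on the last piece
    data: bytes


# Constructed request; the User-Agent is Nmap's default for its HTTP scripts.
PAYLOAD = (b"GET / HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; "
           b"https://nmap.org/book/nse.html)\r\n\r\n")
SIGNATURE = b"Nmap Scripting Engine"


def fragment(payload: bytes, size: int = 8) -> list:
    """Cut payload into size-byte pieces. IP expresses offsets in 8-byte units,
    so every fragment but the last must be a multiple of 8 bytes long."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(i * size, i < len(pieces) - 1, p) for i, p in enumerate(pieces)]


def reassemble(fragments: list):
    """Rebuild the datagram from fragments in any arrival order.
    Returns None when a piece is missing or offsets overlap: a sensor should
    never match on a stream it had to guess at."""
    buf = bytearray()
    for frag in sorted(fragments, key=lambda f: f.offset):
        if frag.offset != len(buf):
            return None            # gap or overlap
        buf += frag.data
    if fragments and max(fragments, key=lambda f: f.offset).more:
        return None                # final fragment never arrived
    return bytes(buf)


def match_per_fragment(fragments: list, signature: bytes) -> bool:
    """Naive engine: looks inside each fragment separately."""
    return any(signature in frag.data for frag in fragments)


def match_reassembled(fragments: list, signature: bytes) -> bool:
    """Correct engine: reassembles first, then matches."""
    stream = reassemble(fragments)
    return stream is not None and signature in stream


if __name__ == "__main__":
    frags = fragment(PAYLOAD)
    print("per-fragment match:", match_per_fragment(frags, SIGNATURE))   # False
    print("reassembled match: ", match_reassembled(frags, SIGNATURE))    # True
```

Real sensors add timeouts and per-host policies for overlapping fragments, because different operating systems resolve overlaps differently and an IDS that reassembles unlike the target can be made to see a different stream than the host does. The model above refuses to match on any incomplete or overlapping set, which is the conservative choice for a detection engine.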
Disabling security tools
Disabling security tools is a practical approach. The following Windows utilities and features can be disabled:
- Task Manager
- UAC (User Account Control, which prompts before tasks run with administrator privileges)
- CMD (Command Prompt)
- Windows Security
All have associated registry entries that can be modified. Alternatively, it is possible to change the local security policies.
This is where EDR and UEBA can detect unwanted changes to security policies and unusual events – but watch out for attempts to bypass EDR systems as well.
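Both the Set-MpPreference command shown earlier and the registry-backed features in the list above leave telemetry a detection engineer can key on: PowerShell script block logging (Event ID 4104) records the command text, and Sysmon's registry value-set event (Event ID 13) records the target value and the data written. The rules below, added here as an illustration and not code from the original article, evaluate constructed event records against both signals. The registry value names (`DisableTaskMgr`, `DisableCMD`, `EnableLUA`, `DisableAntiSpyware`) are standard Windows policy values; the sample records and the SID placeholder in them are constructed.

```python
"""Detection rules for disabling Defender via PowerShell and disabling
Task Manager, UAC, Command Prompt or Windows Security via registry policy.
Input is a list of constructed Windows event records, not live telemetry."""
import re

# Policy value name -> predicate over the written DWORD meaning "feature disabled".
POLICY_VALUES = {
    "disabletaskmgr": lambda v: v != 0,       # 1 hides Task Manager
    "disablecmd": lambda v: v != 0,           # 1 or 2 blocks cmd.exe
    "enablelua": lambda v: v == 0,            # 0 turns UAC off
    "disableantispyware": lambda v: v != 0,   # 1 disables Defender via policy
}

# Set-MpPreference -Disable<Anything> $true  (also accepts the literal 1)
MP_DISABLE = re.compile(r"set-mppreference\b.*?-disable\w*\s+(?:\$true|1)\b", re.I | re.S)
# Sysmon renders DWORD writes as "DWORD (0x00000001)"
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def check_powershell(event: dict):
    """Event ID 4104: alert when a Defender feature is switched off."""
    text = event.get("ScriptBlockText", "")
    if MP_DISABLE.search(text):
        return f"Defender feature disabled via PowerShell: {text.strip()}"
    return None


def check_registry(event: dict):
    """Event ID 13: alert when a watched policy value is written to its disabled state."""
    target = event.get("TargetObject", "")
    value_name = target.rsplit("\\", 1)[-1].lower()
    predicate = POLICY_VALUES.get(value_name)
    if predicate is None:
        return None
    m = DWORD.search(event.get("Details", ""))
    if m is None:
        return None                      # non-DWORD write; out of scope here
    if predicate(int(m.group(1), 16)):
        return f"security feature disabled in registry: {target} = {event['Details']}"
    return None                          # value re-enables the feature


RULES = {4104: check_powershell, 13: check_registry}


def evaluate(events: list) -> list:
    """Run the rule matching each event's ID; return the list of alert strings."""
    alerts = []
    for event in events:
        rule = RULES.get(event.get("EventID"))
        if rule is None:
            continue
        hit = rule(event)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample records (the SID is a placeholder).
SAMPLE = [
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "ScriptBlockText": "Get-MpPreference | Select DisableRealtimeMonitoring"},
    {"EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

Note that the registry rule inspects the written value rather than the mere touch of the key, so an administrator re-enabling UAC (`EnableLUA` = 1) is not flagged. The PowerShell rule keys on the `-Disable*` parameter family rather than on one parameter name, since `Set-MpPreference` exposes several such switches and the article's example is only one of them.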
Evasion also targets macOS and Linux
Most demos and POCs involve PowerShell commands and Windows registry modifications.
In fact, Windows is still the most popular operating system, but macOS and Linux systems are not immune to evasion techniques — and Linux is the foundation of many critically important enterprise systems. Hackers can also use LOLBins in such environments, which sometimes causes headaches for researchers trying to analyze the situation.
Attackers can implant persistent agents and kill Activity Monitor (the macOS equivalent of Task Manager in Windows) to prevent users from checking resource usage, just as happened in the OSAMiner campaign.
Linux shell scripts can uninstall cloud monitoring agents, disable firewalls, or rename common utilities like wget and curl that can download resources from remote IPs.
All endpoints should be monitored regardless of operating system.
Malicious payloads can hide in unexpected files
Hackers love classic file types like PDFs because they don’t look suspicious like .exe (executable), .jar (Java) or zip archives.
Well-known techniques such as steganography can be used to conceal malicious payloads even in seemingly innocuous images, which bypass email security gateways.
Embedded macros in Word and Excel documents are also massively used to bypass antivirus software and other protections and eventually install malware. The only limitation for attackers is that the user usually has to click “Enable Content” (e.g. in Microsoft Office), so macro malware is in theory much easier to detect and stop. However, cybersecurity awareness is essential to prevent employees from opening such files in the first place.
Indeed, hackers managed to bypass default macro security by using non-malicious documents to trick victims into disabling security warnings and enabling macros which are normally disabled in Microsoft Office. These documents were used to download other documents containing macro code.
Steganographic documents are difficult to detect, but CDR (Content Disarm and Reconstruction) can automatically remove unapproved objects in files.
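One of the simplest ways to smuggle a payload inside an image is to append it after the image's end marker, where viewers ignore it and gateways that only check the file header accept it. The parser below, added here as an illustration and not code from the original article or any CDR product, walks a PNG's chunk list, verifies each chunk's CRC, reports any bytes after the `IEND` chunk, and performs the disarm step of truncating the file at the image's true end. The PNG and the appended bytes are constructed in the block itself so it runs offline.

```python
"""Detect and strip data appended after a PNG's IEND chunk (constructed input)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG of black pixels (used as constructed input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def analyze(data: bytes) -> dict:
    """Parse the chunk list up to IEND, verify CRCs, and measure trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks, bad_crc = [], []
    while True:
        header = data[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated chunk header (no IEND found)")
        length = struct.unpack(">I", header[:4])[0]
        ctype = header[4:8]
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(ctype.decode("latin-1"))
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return {"chunks": chunks, "bad_crc": bad_crc,
            "image_end": pos, "trailing_bytes": len(data) - pos}


def disarm(data: bytes) -> bytes:
    """CDR step: keep the bytes that make up the image, drop everything after IEND."""
    return data[:analyze(data)["image_end"]]


# Constructed samples: a clean image and the same image with bytes appended.
CLEAN = make_png()
APPENDED = b"<constructed payload appended after IEND>"
SUSPECT = CLEAN + APPENDED

if __name__ == "__main__":
    report = analyze(SUSPECT)
    print(report["chunks"], "trailing bytes:", report["trailing_bytes"])
    print("disarmed equals clean:", disarm(SUSPECT) == CLEAN)
```

This catches the appended-payload variant and malformed chunks, which is what most gateway checks miss; it does not detect payloads hidden in the pixel data itself (for example, least-significant-bit steganography). CDR products address that case by re-encoding the image rather than copying its original bytes, which destroys any hidden bit pattern along the way.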
RATs (Remote Access Trojans) can serve various purposes, from spying on victims’ activities (e.g. keystrokes, screenshots, sensitive information) to identity theft and malware distribution.
It is not uncommon for hackers to use infected computers to attack other computers, using victims’ addresses as a cover for criminal activity.
Also, RATs are very effective against antivirus software, so using IDPS technology is recommended.
Nothing replaces human analysis – but it can be fooled
Security tools do a great job, especially against common threats. However, skilled adversaries often manage to evade them.
They can anticipate the work of security analysts, and perhaps even of leading researchers, and hide malicious commands among legitimate system commands and directives.
These command lines are often quite long and are used by very few specialists working at a low level, such as with kernels or assembly code. Even if an analyst is intrigued by such unusual lines in the security logs, a Google search will likely suggest that it’s a perfectly legitimate process.
You can’t fight something you don’t know, and most security tools focus on known attacks and technologies, not highly complex scenarios specifically designed to lure defenders with social engineering and noisy data.
In this case, understanding the tactics and procedures is paramount. Threat hunting, endpoint logs, and audits can save the day.