Tony Lambert, Phil Hagen, Greg Foss

MITRE ATT&CK Deep Dive: Defense Evasion

You can’t detect what you can’t see.

Red Canary, Carbon Black, and MITRE ATT&CK shine a light on defense-evading malware. This informative webinar presents a comparison across operating systems, sharing examples of defense evasion in Windows, macOS, and Linux environments.

You will learn:

  • Real-world insights into what security teams are facing in their environments
  • Examples of prominent, defense-evading malware
  • Common adversary techniques like scripting, masquerading, code obfuscation, and disabling security tools
  • Actionable advice on how to hunt for and build detection strategies around defense evasion

00:34 Presenter Introduction

02:22 Webinar Agenda

03:35 MITRE and Red Canary’s Top Technique By Tactic

04:50 “Three of those techniques in our top 20 were Disabling Security Tools, Obfuscated Files or Information, and Masquerading.” -Katie

06:54 A Supporting Tactic

08:59 “As adversaries are doing these other goals, they are trying to evade defense and that gives us another opportunity to try to detect them.” -Katie

09:17 Brief History of Defense Evasion

09:30 “Even though the tactic itself is very old, there have been a lot of evolutions and morphing of that capability over the years.” -Phil

12:09 Sample #1: TrickBot

12:43 TrickBot Defense Evasion Techniques

13:19 “I talked about those supporting tactics that defense evasion is. It’s PowerShell for the execution, and the defense evasion side is disabling security tools.” -Katie

14:53 “In the last 30 days, 86% of the times we saw this, it was TrickBot, it was malicious. It is something that becomes a very high-fidelity, powerful alert for us.” -Tony

19:00 Recognizing the Technique

19:20 “That’s what it all comes down to at the end of the day. Understanding where your assets are, where your most critical data is, and building out from there.” -Greg

21:22 Sample #2: Shlayer

22:00 “It’s an interesting sort of software that floats somewhere between adware and malware.” -Tony

25:45 “We reversed the malware and started looking at what it actually does once it has infected the system.” -Greg

25:55 Defense Evasion Techniques

26:09 “When we looked across our datasets here just looking at xxd, base64, and openssl in this order progressively, every sample we found came back to a known Shlayer infection.” -Greg

27:11 Unique Use of curl

27:56 “The way this malware worked was every time we saw these requests going out, there were multiple hops, like a minimum of four per request.” -Greg

29:18 “Marrying up your EDR data, maybe your SIEM data, and your IDS data, using all of that together to correlate this activity, then you can start to build some high-fidelity detections.” -Greg

33:27 Recognizing the Technique

34:22 “On the Windows side in terms of deobfuscation, a common technique we are starting to see is certutil.” -Katie

37:42 “Having some of these other layers of characterization to plaster on top of that takes you from a ‘maybe’ to a ‘definitely’ very quickly.” -Phil

39:00 Sample #3: Rocke

39:53 “Rocke is an adversary that gets into cryptojacking. The idea behind cryptojacking is an adversary compromises a web server or compromises some sort of publicly available service on the internet. They subvert the system it is running on for their own crypto-mining processes.” -Tony

42:09 “If you went to do a search ‘what is kworker on my file system,’ you’re going to encounter a bunch of forums and documentation saying kworker is a kernel thread—don’t mess with it. They bank on you having that fear, uncertainty and doubt of what is running on your system.” -Tony

45:17 Further Masquerading in Windows

45:23 “Basically the same concept, but now we are shifting what we learned on a Linux side onto a Windows environment.” -Phil

47:06 Recognizing the Technique

47:07 “Recognizing that becomes something that requires a whole lot of memorization, maybe some tooling that will allow you to frame out what is expected and what’s normal with certain file names, and then go beyond that looking for things in unusual directory locations.” -Phil

54:30 Key Takeaways

54:34 “Adversaries aren’t going to stop trying to evade the defensive measures that we put into place.” -Phil

55:00 “If we can build an approach to detecting this tactic, then it’s going to pay off a lot better than if we are looking at individual command lines.” -Phil

58:00 Questions and Answers

01:00:35 Question 1: What’s the value of network recording?

01:01:48 “It becomes a very good end-of-the-road type of investigative medium.” -Phil

01:02:47 Question 2: Do you have a best top-level entry to ATT&CK?

01:03:00 “We recently added a Getting Started page for the ATT&CK.MITRE.org site.” -Katie

You can also learn more about getting started with ATT&CK here.
