Objective:

Avoid detection by security tools, administrators, or forensic analysis. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.


Linux Context:

Defense evasion on Linux manipulates logs, processes, and system behavior. Attackers clear logs with echo > /var/log/auth.log or shred, or disable logging altogether via systemctl stop rsyslog. Rootkits (e.g., Reptile) hide processes and files by hooking kernel functions. Malicious binaries masquerade as legitimate ones (e.g., naming a backdoor nginx), while fileless execution via /proc/self/mem or memfd_create() evades disk-based detection. Disabling SELinux (setenforce 0) or AppArmor weakens protections. In cloud environments, attackers delete CloudTrail logs or spoof container metadata.


Key Techniques:

  • Indicator Removal (T1070): Truncating logs or killing auditd.

  • Rootkit (T1014): Deploying a kernel-level rootkit.

  • Masquerading (T1036): Renaming malware to httpd.


Flow Example:

  • An attacker runs ln -sf /dev/null /var/log/syslog to nullify logs or uses a rootkit to hide a mining process.


Defender Strategies:

  • Enable immutable logging (chattr +a), deploy rootkit hunters (e.g., chkrootkit), and monitor SELinux status. Use behavioral analytics to detect masquerading.
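Added example, not part of this page or of the EDRmetry project: a small Python hunt script that checks for three of the conditions described in the Linux Context and Defender Strategies sections above: log sinks that have been redirected to /dev/null or truncated, processes whose name claims a trusted daemon (nginx, httpd, sshd) while the backing executable lives elsewhere, has been deleted, or is a memfd, and SELinux switched to permissive. The TRUSTED_BINARIES table, the Proc record and the data built inside demo() are constructed assumptions; on a live host the process records would be read from /proc/PID/comm, /proc/PID/exe and /proc/PID/cmdline, and the log directory would be /var/log.

```python
#!/usr/bin/env python3
"""Hunt for Linux defense-evasion indicators: nullified log sinks,
daemon-name masquerading, and SELinux in permissive mode.
Added example; all sample data below is constructed."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumed install locations for daemons that malware commonly impersonates.
TRUSTED_BINARIES = {
    "nginx": ("/usr/sbin/nginx",),
    "httpd": ("/usr/sbin/httpd", "/usr/sbin/apache2"),
    "sshd": ("/usr/sbin/sshd",),
}


def check_log_sinks(log_dir):
    """Return (name, reason) for every log in log_dir that can no longer
    record anything: a symlink to /dev/null, a character device, or a
    regular file truncated to zero bytes."""
    findings = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.islink(path):
            if os.readlink(path) == "/dev/null":
                findings.append((name, "symlink to /dev/null"))
            continue  # do not stat through the link
        st = os.stat(path)
        if stat.S_ISCHR(st.st_mode):
            findings.append((name, "character device instead of file"))
        elif stat.S_ISREG(st.st_mode) and st.st_size == 0:
            findings.append((name, "zero-length log"))
    return findings


@dataclass
class Proc:
    """One process as a collector would read it from /proc/PID/*."""
    pid: int
    comm: str    # contents of /proc/PID/comm
    exe: str     # os.readlink('/proc/PID/exe'); ends with ' (deleted)' if unlinked
    argv0: str   # first NUL-separated field of /proc/PID/cmdline


def find_masquerading(procs):
    """Return (pid, claimed_name, exe) for processes whose comm or argv[0]
    names a trusted daemon but whose executable is not an allowed path,
    has been deleted, or is an anonymous memfd (both carry ' (deleted)')."""
    findings = []
    for p in procs:
        claimed = {p.comm, os.path.basename(p.argv0)}
        for name, allowed in TRUSTED_BINARIES.items():
            if name not in claimed:
                continue
            deleted = p.exe.endswith(" (deleted)")
            real_path = p.exe.replace(" (deleted)", "")
            if deleted or real_path not in allowed:
                findings.append((p.pid, name, p.exe))
    return findings


def selinux_enforcing(enforce_path="/sys/fs/selinux/enforce"):
    """True if SELinux is enforcing, False if permissive, None if absent."""
    try:
        with open(enforce_path) as f:
            return f.read().strip() == "1"
    except FileNotFoundError:
        return None


def demo():
    """Run the three checks over constructed sample data and return results."""
    tmp = tempfile.mkdtemp()
    # Constructed /var/log look-alike: one nullified log, one truncated, one healthy.
    os.symlink("/dev/null", os.path.join(tmp, "syslog"))   # ln -sf /dev/null syslog
    open(os.path.join(tmp, "auth.log"), "w").close()        # echo > auth.log
    with open(os.path.join(tmp, "kern.log"), "w") as f:
        f.write("kernel: boot\n")
    log_findings = check_log_sinks(tmp)

    # Constructed process table: one real nginx, two impostors, one unrelated shell.
    procs = [
        Proc(1200, "nginx", "/usr/sbin/nginx", "nginx: master process"),
        Proc(4321, "nginx", "/dev/shm/.x", "nginx"),
        Proc(5555, "httpd", "/memfd:payload (deleted)", "httpd"),
        Proc(6001, "bash", "/usr/bin/bash", "bash"),
    ]
    masq = find_masquerading(procs)

    # Constructed enforce file reflecting 'setenforce 0'.
    enforce = os.path.join(tmp, "selinux_enforce")
    with open(enforce, "w") as f:
        f.write("0\n")
    return log_findings, masq, selinux_enforcing(enforce)


if __name__ == "__main__":
    logs, masq, enforcing = demo()
    print("nullified logs:", logs)
    print("masquerading:", masq)
    print("selinux enforcing:", enforcing)
```

The exe check deliberately treats any " (deleted)" suffix as a finding: a daemon whose binary was unlinked after launch and a memfd_create() payload look the same from /proc, and both deserve a look. Pair this with the append-only log attribute (chattr +a) mentioned above so that a truncation attempt fails rather than merely being noticed afterwards.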


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6108 - ASM Injection over /proc/PID/mem

  • EDR-T6239 - Bash Anti-Forensic Log Wiper

  • EDR-T6064 - Bash Script Obfuscation

  • EDR-T6089 - Bashrc File Hiding with ls Alias

  • EDR-T6156 - Block rsyslogd logging

  • EDR-T6167 - BOF Loading with BOF-Stager

  • EDR-T6222 - Change Shell Optional Behavior

  • EDR-T6005 - Clear kernel ring buffer

  • EDR-T6221 - Clear Paging Cache

  • EDR-T6312 - Clear from /var/log/secure

  • EDR-T6088 - Copy/rename commands to exotic directory

  • EDR-T6043 - Disable .bash_history

  • EDR-T6193 - Disable ASLR

  • EDR-T6034 - Disable EDR/XDR sensor

  • EDR-T6219 - Disable SELinux

  • EDR-T6214 - Disable syslog

  • EDR-T6080 - Disable/modify iptables rules

  • EDR-T6268 - eBPF Attach prog to eth1 with XDP

  • EDR-T6008 - eBPF Hide PID with bad-bpf

  • EDR-T6267 - eBPF Hide PID/file with evilBPF

  • EDR-T6159 - eBPF Rename Loaded LKM module

  • EDR-T6253 - eBPF socket/proc/audit/bpftool Hider

  • EDR-T6336 - eBPF Caracal bpf/program Hider

  • EDR-T6287 - eBPF Map Attack

  • EDR-T6245 - Enable Unprivileged BPF

  • EDR-T6121 - Execute fileless ELF with fee

  • EDR-T6067 - Execute Invisible SSH notty session

  • EDR-T6078 - Execute masscan/xmring via PRoot as BYOF

  • EDR-T6321 - Ezuri ELF Crypter

  • EDR-T6133 - File immutable with chattr

  • EDR-T6132 - File immutable with mount

  • EDR-T6188 - Fileless Execution with memexec

  • EDR-T6037 - Fileless memfd_create via Python3

  • EDR-T6361 - Fileless memfd_create via Python3 - no pts attached

  • EDR-T6349 - Fake Process Command Line with Perl

  • EDR-T6296 - GTFOArgs - Command and shell

  • EDR-T6295 - GTFOArgs - File read

  • EDR-T6297 - GTFOBINS - Library Load

  • EDR-T6045 - Hidden Executable File Creation in /dev/shm

  • EDR-T6098 - Hiding Process Name with /etc/ld.so.preload

  • EDR-T6351 - Hide from cat with ANSI escapes

  • EDR-T6353 - Hide logs with mount overlay

  • EDR-T6344 - Hiding files within an existing mount namespace

  • EDR-T6330 - Hiding Payload in Extended File Attributes

  • EDR-T6227 - Inotify Trigger Action on File Access

  • EDR-T6248 - IPTables Drop outbound traffic

  • EDR-T6291 - Indirect File Read with FD

  • EDR-T6322 - io_uring Bypassing libc hooks

  • EDR-T6310 - io_uring Curing Rootkit

  • EDR-T6328 - io_uring RingReaper Agent

  • EDR-T6142 - LD_PRELOAD Process ENV Tampering

  • EDR-T6149 - LD_PRELOAD Shared Library shell_reverse_tcp

  • EDR-T6329 - LD_PRELOAD Toy Rootkit

  • EDR-T6324 - LD_PRELOAD vbackdoor

  • EDR-T6107 - LKM Remote Loading

  • EDR-T6166 - Load ELF object in memory via ELFLoader

  • EDR-T6286 - Libc Hooking with Auto-Color Malware

  • EDR-T6081 - Modify /etc/hosts

  • EDR-T6053 - mount --bind process hiding

  • EDR-T6249 - mount -o remount

  • EDR-T6320 - Obfuscate Go binaries

  • EDR-T6237 - Parent-child Obfuscated Process Hierarchy

  • EDR-T6241 - Patch Dynamic Linker

  • EDR-T6127 - Process Injection over dd+/proc/PID/mem

  • EDR-T6141 - Process Name Masquerading with argv[0] overwrite

  • EDR-T6038 - Process Name Masquerading with exec

  • EDR-T6140 - Process Name Masquerading with prctl()

  • EDR-T6345 - Process Name Masquerading with mount namespace

  • EDR-T6032 - Proxy Execution with DDexec

  • EDR-T6111 - Ptrace Process Masq with Zapper

  • EDR-T6256 - Ptrace-less Process Injection with dlinject

  • EDR-T6238 - ptrace() based Anti-Analysis

  • EDR-T6028 - Ptrace() Shared Object Process Injection in C

  • EDR-T6348 - Ptrace() Shared Object Process Injection in Rust

  • EDR-T6244 - Python Userland Exec

  • EDR-T6356 - Rust elf_loader

  • EDR-T6220 - Reboot via Kernel System Request

  • EDR-T6337 - Sickle - Payload Development Framework

  • EDR-T6092 - Space before command

  • EDR-T6182 - Suspicious File/Directory Location

  • EDR-T6333 - Sleep Obfuscation with SilentPulse

  • EDR-T6096 - Terminate/stop syslog/EDR Agent

  • EDR-T6207 - Timestomping - Modifying the system date

  • EDR-T6054 - Timestomping - touch

  • EDR-T6072 - Wipe Filesystem with shred

  • EDR-T6106 - Zombieant Preloading a decoy binary

  • EDR-T6292 - Avoid Filename and Filepath Matching

  • EDR-T6363 - Base64 Payload as a filename inside ZIP

  • EDR-T6279 - Binary Runtime Crypter in Bash

  • EDR-T6275 - Create file with Unicode zero-width space

  • EDR-T6294 - Disable EDR with LKM cleanup_module

  • EDR-T6025 - Encrypted ELF implant

  • EDR-T6331 - zpoline System Call Hook

  • EDR-T6382 - LKM Hiding taint message from dmesg

  • EDR-T6375 - K8S - Pod Name Similarity