Defense Evasion

If the resource owner does not discover the attack, attackers gain more time to complete it, to postpone it, or to extend its duration. If defense or detection systems are in place, attackers may attempt to disable or to avoid them.

ID: TA0005
Created: 25 August 2022
Last Modified: 14 April 2023

Techniques

Techniques: 4
ID Name Description
T1562 Impair Defenses Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing preventative defenses and detection capabilities that defenders can use to audit activity and identify malicious behavior.
.001 Triggering the clear mode An attacker can trigger the clear mode by accessing TC or by consuming its resources, in order to disable or limit the security level of the spacecraft. If a ‘clear mode’ is implemented, the conditions under which, and the means by which, it is activated should be carefully analyzed, as those might introduce major security vulnerabilities.
T1070 Indicator Removal on Host Adversaries may delete or modify artifacts generated on a host system to remove evidence of their presence or to hinder defenses. Such artifacts may be created directly by an adversary, or may be anything that can be attributed to an adversary’s actions.
.001 Clear Log/Command History If a log is available, an attacker can delete logging onboard the spacecraft to hide illegitimate operations (a TC log service is usually not implemented).
T2040 Masquerading Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
T2041 Pre-OS Boot Pre-OS Boot can also be abused to evade defensive mechanisms that are potentially in place at a higher level, i.e. at the application layer.
.001 System Firmware Exploitation Persistence at a pre-OS level can be gained by modifying the firmware in a resource. System firmware is quite static, and it does not usually provide detection capabilities. A firmware-level manipulation can remain unnoticed until later phases of the attack.