{"id":1299,"date":"2023-12-05T10:29:29","date_gmt":"2023-12-05T02:29:29","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=1299"},"modified":"2023-12-06T21:10:18","modified_gmt":"2023-12-06T13:10:18","slug":"attck-for-enterprise-defense-evasion","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/","title":{"rendered":"ATT&CK for Enterprise – TA0005 Defense Evasion"},"content":{"rendered":"\n

Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK\u00ae<\/a><\/p>\n\n\n\n

“Defense Evasion”<\/strong> is a tactic used in cyberattacks that involves methods and techniques to avoid detection by security defenses and to obfuscate or hide the presence of malware or malicious activities. The primary goal of defense evasion is to maintain persistence on a system or network without being detected<\/strong>. This allows attackers to carry out their objectives, whether it\u2019s data theft, system exploitation, or creating a backdoor for future access. This blog will explore and categorize specific alerts from Other security alerts<\/a> documentation.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

T1207 Rogue Domain Controller<\/a><\/h3>\n\n\n\n
External ID<\/strong><\/td>Name<\/strong><\/td>Sev.<\/strong><\/td>Description<\/strong><\/td><\/tr>
2028<\/td>Suspected DCShadow attack (domain controller promotion)<\/td>High<\/strong><\/td>Manipulation via Replication<\/strong>: DCShadow is a sophisticated attack where an adversary attempts to manipulate AD data by simulating the behavior of a domain controller.
Rogue Domain Controller<\/strong> \u2460: The attack involves creating a rogue domain controller on the network using the replication process. This is typically done from any machine in the network.
Detection in Defender for Identity<\/strong>: Microsoft Defender for Identity can trigger a security alert when it detects a machine in the network trying to register as a rogue domain controller.<\/td><\/tr>
2029<\/td>Suspected DCShadow attack (domain controller replication request)<\/td>High<\/strong><\/td>Manipulation via Replication<\/strong>: The DCShadow attack involves manipulating Active Directory data by simulating domain controller activities, particularly focusing on the replication process.
Active Directory Replication<\/strong>: In a normal setup, AD replication is a process where changes made on one domain controller are synchronized across other domain controllers in the network.
Detection in Defender for Identity<\/strong>: Microsoft Defender for Identity generates an alert when a suspicious replication request is made against a genuine domain controller. This is considered a strong indicator of a DCShadow attack.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u2460 A rogue domain controller<\/strong> is not officially set up or sanctioned by network administrators. It is created by attackers to carry out malicious activities within an AD environment. It can be considered “fake” in the sense that it is not part of the legitimate AD setup. However, it is usually fully functional and capable of performing many of the tasks<\/strong> that a legitimate domain controller would perform.<\/strong> In theory, network administrators should be able to see and identify a rogue domain controller through various administrative tools and logs. However, attackers often use sophisticated techniques to hide <\/strong>their activities.<\/p>\n\n\n\n

\n\n\n\n

Other Combined Tactics<\/h3>\n\n\n\n
External ID<\/strong><\/td>Name<\/strong><\/td>Sev.<\/strong><\/td>Description<\/strong><\/td><\/tr>
2025<\/td>Suspicious VPN connection<\/td>Medium<\/td>Behavioral Learning<\/strong>: Microsoft Defender for Identity employs a machine learning algorithm to understand and model each user’s typical VPN usage patterns. This learning is based on factors like which machines users log into and the locations from which they connect.
30 Days Observation<\/strong>: The system requires a minimum of 30 days from the first VPN connection to accurately learn a user’s behavior.
Minimum Activity<\/strong>: Additionally, there must be at least 5 VPN connections made by the user in the last 30 days to ensure the model has sufficient data for analysis.<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK\u00ae “Defense Evasion” is a tactic used in cyberattacks that involves methods and techniques to avoid detection by security defenses and to obfuscate or hide the presence of malware or malicious activities. The primary goal of defense evasion is to maintain persistence on a system or network […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[50],"tags":[],"class_list":["post-1299","post","type-post","status-publish","format-standard","hentry","category-cybersecurity"],"yoast_head":"\nATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK\u00ae “Defense Evasion” is a tactic used in cyberattacks that involves methods and techniques to avoid detection by security defenses and to obfuscate or hide the presence of malware or malicious activities. The primary goal of defense evasion is to maintain persistence on a system or network […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-05T02:29:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-06T13:10:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1822\" \/>\n\t<meta property=\"og:image:height\" content=\"782\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"ATT&CK for Enterprise – TA0005 Defense Evasion\",\"datePublished\":\"2023-12-05T02:29:29+00:00\",\"dateModified\":\"2023-12-06T13:10:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\"},\"wordCount\":493,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\",\"articleSection\":[\"CyberSecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\",\"name\":\"ATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\",\"datePublished\":\"2023-12-05T02:29:29+00:00\",\"dateModified\":\"2023-12-06T13:10:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\",\"width\":1822,\"height\":782},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ATT&CK for Enterprise – TA0005 Defense Evasion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/","og_locale":"en_US","og_type":"article","og_title":"ATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT","og_description":"Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK\u00ae “Defense Evasion” is a tactic used in cyberattacks that involves methods and techniques to avoid detection by security defenses and to obfuscate or hide the presence of malware or malicious activities. The primary goal of defense evasion is to maintain persistence on a system or network […]","og_url":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-12-05T02:29:29+00:00","article_modified_time":"2023-12-06T13:10:18+00:00","og_image":[{"width":1822,"height":782,"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png","type":"image\/png"}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"ATT&CK for Enterprise – TA0005 Defense Evasion","datePublished":"2023-12-05T02:29:29+00:00","dateModified":"2023-12-06T13:10:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/"},"wordCount":493,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png","articleSection":["CyberSecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/","url":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/","name":"ATT&CK for Enterprise - TA0005 Defense Evasion - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png","datePublished":"2023-12-05T02:29:29+00:00","dateModified":"2023-12-06T13:10:18+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png","width":1822,"height":782},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-defense-evasion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"ATT&CK for Enterprise – TA0005 Defense Evasion"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=1299"}],"version-history":[{"count":8,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1299\/revisions"}],"predecessor-version":[{"id":1377,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1299\/revisions\/1377"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=1299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=1299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=1299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}