Defence Evasion
This table is designed as a comparative reference that connects offensive techniques with defensive visibility and controls. Rather than listing techniques in isolation, it gives the full lifecycle view of each one: how the action is performed, why it is effective, which tooling is commonly used, how it can be detected, and how it can be mitigated.
| Platform | Technique | How it is performed | Why it works | Tooling | Detection | Mitigation |
|---|---|---|---|---|---|---|
| Windows | Patch AMSI + ETW | Patch first bytes of AmsiScanBuffer (mov eax,0; ret) and EtwEventWrite → ret inside PowerShell/CLR process | AV loses script scanning; EDR loses ETW telemetry | Invoke-AmsiBypass.ps1, mimikatz misc::memssp, CS sleepmask BOF | Sysmon 11 (self-write), Event 1116 stops, Defender logs go silent | ASR rule 1121 (Block AMSI tampering), AppLocker for unsigned ps1, audit ETW provider state |
| Windows | Early-Bird APC Injection | Create suspended notepad.exe; queue APC shellcode before ntdll hooks load; resume process | Payload runs before EDR hooks and signatures | CS earlybird_inject.cna, Donut shellcode | Sysmon 8 (TargetImage notepad.exe), thread start <1ms after resume | Block child process creation, disable APCs via EDR |
| Windows | Parent PID Spoofing | Spawn process with PARENT_PROCESS=explorer.exe | Bypasses parent-child detection rules | BOF ppidspoof.o, sRDI loader | Sysmon 1 parent mismatch (Explorer parent, cmd start module) | Block network for non-browser processes spawned by Explorer |
| Windows | Timestomp | Copy timestamps from legitimate MS DLLs (e.g., 1999) | DFIR timeline analysis misses “new” files | timestomp.exe, Metasploit post module | $MFT record gaps, Prefetch timestamp mismatch | Correlate Prefetch + $UsnJrnl, file integrity monitoring |
| Windows | Defender Tampering | Disable Defender via Set-MpPreference or GPO | AV disabled without service removal | PowerShell bypass, DefenderSwitch.exe | Event 5007, 5010; Service 7036 (WinDefend stopped) | Enable Tamper Protection, lock local GPOs, Sysmon alerts |
| Windows | Sleep Mask / Stack Stomp | Encrypt RWX memory, modify TEB/PEB during sleep | Memory scanners see encrypted or zeroed payload | CS 4.10 profile, Sliver --sleepmask aes | Syscall bursts, Heaven’s Gate stub, working-set anomalies | Periodic memory dumps, YARA on decrypt stub, block RWX |
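The detection column for the Defender Tampering and Early-Bird rows names specific event IDs (Defender 5007/5010, System 7036, Sysmon 1/8). The following is an added example, not code from any tool named in the table, showing how those indicators can be turned into triage logic over exported event records. The channel names and event IDs are the real ones, but the EventData keys are a simplified subset of each schema and every value in the sample records is constructed.

```python
"""Triage exported Windows events for the Defender-tampering and Early-Bird
indicators listed in the Windows rows of the table.

Added example for this page, not code from any tool the table names. The
records are constructed: channel names and event IDs are real (Defender
5007/5010, System 7036, Sysmon 1/8), but the EventData keys are a simplified
subset of each schema and every value is made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFENDER_OP = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_OP = "Microsoft-Windows-Sysmon/Operational"
SYSTEM_LOG = "System"

# Registry values whose change to 0x1 (seen in a 5007 event) switches protection off
TAMPER_VALUES = ("DisableRealtimeMonitoring", "DisableAntiSpyware", "DisableIOAVProtection")


@dataclass
class Event:
    channel: str
    event_id: int
    time: datetime
    data: dict = field(default_factory=dict)   # simplified EventData key/value pairs


def defender_tampering(events):
    """Findings for Defender being reconfigured (5007/5010) or stopped (7036)."""
    findings = []
    for e in events:
        if e.channel == DEFENDER_OP and e.event_id == 5007:
            new_value = e.data.get("NewValue", "")
            if any(v in new_value for v in TAMPER_VALUES) and new_value.rstrip().endswith("0x1"):
                findings.append(f"5007 protection setting disabled: {new_value}")
        elif e.channel == DEFENDER_OP and e.event_id == 5010:
            findings.append("5010 scanning disabled")
        elif e.channel == SYSTEM_LOG and e.event_id == 7036:
            if (e.data.get("param1") == "Windows Defender Antivirus Service"
                    and e.data.get("param2") == "stopped"):
                findings.append("7036 WinDefend entered the stopped state")
    return findings


def early_bird_injection(events, window=timedelta(milliseconds=50)):
    """Remote threads (Sysmon 8) that land in a process only milliseconds after
    its creation (Sysmon 1), or in a sacrificial host such as notepad.exe."""
    created = {}   # ProcessGuid -> creation time, from Sysmon 1
    findings = []
    for e in sorted(events, key=lambda x: x.time):
        if e.channel != SYSMON_OP:
            continue
        if e.event_id == 1:
            created[e.data["ProcessGuid"]] = e.time
        elif e.event_id == 8:
            source = e.data.get("SourceImage", "").lower()
            target = e.data.get("TargetImage", "").lower()
            if source == target:            # a process threading into itself is normal
                continue
            t0 = created.get(e.data.get("TargetProcessGuid"))
            age = (e.time - t0) if t0 is not None else None
            fresh = age is not None and age <= window
            if fresh or target.endswith("\\notepad.exe"):
                age_ms = (f"{age.total_seconds() * 1000:.1f} ms after create"
                          if age is not None else "creation not seen")
                findings.append(f"8 remote thread {source} -> {target} ({age_ms})")
    return findings


def triage(events):
    return {"defender_tampering": defender_tampering(events),
            "early_bird": early_bird_injection(events)}


# Constructed sample records (values are made up for the example)
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(DEFENDER_OP, 5007, T0, {"NewValue": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"}),
    Event(SYSTEM_LOG, 7036, T0 + timedelta(seconds=2), {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}),
    Event(SYSTEM_LOG, 7036, T0 + timedelta(seconds=3), {"param1": "Print Spooler", "param2": "running"}),
    Event(SYSMON_OP, 1, T0 + timedelta(seconds=10), {"ProcessGuid": "{guid-1}", "Image": "C:\\Windows\\System32\\notepad.exe"}),
    Event(SYSMON_OP, 8, T0 + timedelta(seconds=10, microseconds=400),
          {"SourceImage": "C:\\Users\\u\\loader.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessGuid": "{guid-1}"}),
    Event(SYSMON_OP, 1, T0 + timedelta(seconds=15), {"ProcessGuid": "{guid-3}", "Image": "C:\\Windows\\explorer.exe"}),
    Event(SYSMON_OP, 8, T0 + timedelta(seconds=20),
          {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessGuid": "{guid-3}"}),
    Event(SYSMON_OP, 8, T0 + timedelta(seconds=25),
          {"SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe", "TargetProcessGuid": "{guid-2}"}),
]

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The age window is deliberately wider than the table's "<1ms" figure so that clock resolution in exported logs does not hide the hit; tighten it once you know the timestamp precision of your collector. The 5007 check keys on the value changing to 0x1 because Set-MpPreference writes the same registry paths that a legitimate administrator would, so the content of the change, not the event alone, is what matters.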

| Platform | Technique | How it is performed | Why it works | Tooling | Detection | Mitigation |
|---|---|---|---|---|---|---|
| Linux | LD_PRELOAD Hiding | Set LD_PRELOAD, execute payload, immediately unset variable | Hook library hidden from environment inspection | exec -a bash /usr/bin/payload | audit execve; empty /proc/pid/environ; extra .so in lsof | Restrict /etc/ld.so.preload, audit shared library loads |
| Linux | ptrace Detach | Attach with ptrace, inject shellcode, detach | Removes TracerPid, breaks EDR attachment | gdb -q --pid, injectso -d | auditd ptrace syscall without persistent tracer | kernel.yama.ptrace_scope=2, audit DETACH |
| Linux | Fake Shell History | PROMPT_COMMAND deletes last history entry, logs real commands elsewhere | .bash_history shows no activity | Custom PROMPT_COMMAND | Empty history, unusual env variable | Audit TTY keystrokes, make shell configs immutable |
| Linux | iptables Concealment | Insert hidden rule with comment, strip from iptables-save | Admin sees clean rules, C2 still allowed | iptables -I, sed | Rule counter mismatch vs iptables -S | Periodic rule diffing, nftables enforcement |
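The LD_PRELOAD Hiding row points to two artefacts that survive the unset of the variable: an emptied /proc/pid/environ and a shared object mapped from somewhere a library should not live. The following is an added example, not code from any tool in the table, that applies both checks to a process. On a live host the three inputs would be read from /proc/<pid>/environ, /proc/<pid>/maps and /etc/ld.so.preload; here they are constructed so the check runs offline.

```python
"""Flag hidden LD_PRELOAD-style hooks from a process's environ and maps.

Added example for this page (not code from any tool in the table). The
inputs below are constructed stand-ins for /proc/<pid>/environ,
/proc/<pid>/maps and /etc/ld.so.preload.
"""
import re

# Directories from which a shared object is expected to be mapped; anything
# else (/tmp, /dev/shm, home directories, an unlinked file) is worth a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
DELETED_SUFFIX = " (deleted)"


def parse_environ(raw: bytes) -> dict:
    """environ is NUL-separated KEY=VALUE pairs; an empty block is itself a signal."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_objects(maps_text: str) -> list:
    """Distinct file-backed mappings that look like shared objects.
    A maps line is: range perms offset dev inode [path], so the path is field 6."""
    objects = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        path = parts[5]
        if path.startswith("/") and ".so" in path and path not in objects:
            objects.append(path)
    return objects


def preload_anomalies(environ_raw: bytes, maps_text: str, ld_so_preload_text: str = "") -> dict:
    """Compare what the process declares (LD_PRELOAD, ld.so.preload) with what
    is actually mapped, and flag objects from untrusted locations."""
    env = parse_environ(environ_raw)
    declared = set()
    if env.get("LD_PRELOAD"):
        declared.update(p for p in re.split(r"[:\s]+", env["LD_PRELOAD"]) if p)
    declared.update(line.strip() for line in ld_so_preload_text.splitlines()
                    if line.strip() and not line.startswith("#"))

    suspicious = []
    for obj in mapped_objects(maps_text):
        deleted = obj.endswith(DELETED_SUFFIX)
        base = obj[:-len(DELETED_SUFFIX)] if deleted else obj
        if deleted or not base.startswith(TRUSTED_LIB_DIRS):
            suspicious.append({"path": base, "declared": base in declared, "deleted": deleted})
    return {"environ_empty": not env, "suspicious_objects": suspicious}


# Constructed sample data: a bash process with libc, the loader, and a hook
# library mapped from /dev/shm whose backing file has been unlinked.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0100000 r-xp 00000000 fd:01 1234 /usr/bin/bash
7f3a10000000-7f3a101b0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10400000-7f3a10402000 r-xp 00000000 fd:01 9012 /dev/shm/.x/libhook.so (deleted)
7f3a10600000-7f3a10620000 r-xp 00000000 fd:01 3456 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd20000000-7ffd20021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENVIRON_WIPED = b""                                   # after the variable was unset and the block zeroed
SAMPLE_ENVIRON_HONEST = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhook.so\0HOME=/root\0"

if __name__ == "__main__":
    print(preload_anomalies(SAMPLE_ENVIRON_WIPED, SAMPLE_MAPS))
    print(preload_anomalies(SAMPLE_ENVIRON_HONEST, SAMPLE_MAPS))
```

The combination matters more than either signal alone: a mapped object from /dev/shm whose path no longer exists, in a process whose environ block is empty, is exactly the residue the table describes, whereas a build tool legitimately using LD_PRELOAD will still show the variable in environ and the library on disk.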

| Platform | Technique | How it is performed | Why it works | Tooling | Detection | Mitigation |
|---|---|---|---|---|---|---|
| Cross-Platform | Domain Fronting | TLS SNI = CDN domain; HTTP Host = attacker domain | Domain blocklists miss C2 traffic | Caddy, Azure Front Door | JA3 mismatch, secondary TLS inside CDN | Enforce TLS inspection, block SNI/Host mismatch |
| Cross-Platform | DoH + WireGuard | Tunnel via WireGuard; fallback to DNS over HTTPS | DoH blends with HTTPS traffic | iodine, dnscat2, Sliver --wg | Large /dns-query POSTs, JA3 mismatch, UDP 51820 spikes | Block unknown DoH endpoints, rate-limit WireGuard |
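The Domain Fronting row's mitigation, "block SNI/Host mismatch", only works once a TLS-inspecting proxy can see both values on the same connection. The following is an added example, not code from any product named in the table, that applies the mismatch rule to constructed proxy log lines. The key=value log format, the field names (sni, host) and the small public-suffix list are assumptions made for the example; a real deployment would use the proxy's own schema and a full public-suffix list.

```python
"""Flag TLS connections whose HTTP Host header belongs to a different
registrable domain than the SNI the client presented.

Added example for this page, not code from any product in the table. The
log format and field names are assumed, and the lines are constructed.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "ts src sni host")

# Parses key=value tokens, allowing quoted values with spaces (assumed log format)
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tiny stand-in for a public-suffix list, so example.co.uk is treated as one domain
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(name: str) -> str:
    """Reduce a host name to its registrable domain (eTLD+1)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str) -> Conn:
    kv = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    host = kv.get("host", "").split(":")[0]      # drop an explicit :port
    return Conn(kv.get("ts"), kv.get("src"), kv.get("sni", ""), host)


def fronting_mismatches(lines, allowlist=frozenset()):
    """Return connections whose SNI and Host resolve to different registrable
    domains, except pairs explicitly allowlisted (known CDN/tenant combos)."""
    hits = []
    for line in lines:
        c = parse_line(line)
        if not c.sni or not c.host:
            continue                                 # nothing to compare without inspection
        pair = (registrable_domain(c.sni), registrable_domain(c.host))
        if pair[0] != pair[1] and pair not in allowlist:
            hits.append(c)
    return hits


# Constructed sample lines as a TLS-inspecting proxy might emit them
SAMPLE_LOG = [
    'ts=2024-05-01T10:00:01Z src=10.0.0.5 sni=www.example.com host=www.example.com',
    'ts=2024-05-01T10:00:02Z src=10.0.0.5 sni=cdn.example.net host=c2-front.example.org',
    'ts=2024-05-01T10:00:03Z src=10.0.0.7 sni=static.example.co.uk host=assets.example.co.uk:443',
    'ts=2024-05-01T10:00:04Z src=10.0.0.9 sni=edge.example.net host=api.example.net',
]

if __name__ == "__main__":
    for hit in fronting_mismatches(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src}: SNI {hit.sni} but Host {hit.host}")
```

Expect false positives from CDN customers whose front host and origin host genuinely differ; the allowlist parameter exists so those known pairs can be recorded after review rather than by loosening the rule. The check also does nothing for the table's "secondary TLS inside CDN" variant, where a second, opaque TLS session is carried inside the inspected one; that needs JA3 or byte-pattern heuristics on the decrypted payload.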