☁️
CTHFM: Azure
  • Welcome
  • Getting Started
    • Account Setup
      • Account Creation Instructions
  • Azure Fundamentals
    • Azure Fundamentals Overview
      • Azure Documentation
      • Azure Entra
      • Azure Hierarchy
      • Identities
      • Azure Entra Roles
      • Azure RBAC
      • Azure Licensing Overview
        • Azure Entra ID Premium Licenses Comparison
      • Azure Shared Responsibility Model
      • Azure Frameworks
      • Azure Security Services
      • Conditional Access Policies
        • How Conditional Access Policies Work
        • Benefits of Conditional Access
        • Best Practices for Conditional Access
        • Conditions for Conditional Access
        • Conditional Access Controls
        • Sign-In Risk and Identity Protection
        • Conditional Access Session Control
        • Name Locations IP Location
      • Azure Quotas
      • Azure Tokens
        • Access Tokens
        • ID Tokens
        • Refresh Tokens
          • Invalidate Refresh Tokens
        • Primary Refresh Tokens
        • Continuous Access Evaluation (CAE)
        • Token Protection: Conditional Access (Public Preview)
  • Azure CLI
    • Azure CLI Overview
      • Azure CLI: Linux
      • Azure CLI: Windows
      • Azure CLI: MacOS
  • KQL
    • KQL Overview
      • KQL Introduction
      • Data Types
      • Quick Reference
      • Render
      • Basic Queries
  • Powershell
    • PowerShell for Azure
      • Powershell Documentation
      • Powershell Basics
      • Understanding Powershell Variables
      • Understanding Cmdlets
      • Powershell Console & ISE
      • Powershell: Microsoft Graph SDK
        • Permission Types
        • Authentication Examples
        • Cmdlet Reference
        • Permission Reference
        • Microsoft Graph PowerShell Transition
        • Security API References
      • Powershell: Entra Module
        • Module Reference & Getting Started
      • Powershell: Azure Module
        • Installation Instructions
        • Powershell Azure CLI: Windows
        • Powershell Azure CLI: Linux
        • Powershell Azure CLI: MacOS
        • Example Azure Cmdlets
  • Bicep
    • Bicep File Structure
    • Variable Types
  • Sigma
    • Sigma Rule Structure
  • Azure Logging References
    • Logging
      • Log Retention Strategies
      • Azure Log Types
      • Azure Activity Logs
        • Administrative Event Schema
        • Service Health Notification Schema
        • Resource Health
        • Alert Category
        • Autoscale
        • Security
        • Recommendation
        • Policy
      • Entra ID Logging
        • Identity Based Logs
          • Audit Logs
          • Sign-In Logs
            • AADNonInteractiveUserSignInLogs
            • AADManagedIdentitySignInLogs
            • AADServicePrincipalSignInLogs
            • First Party Sign-In Activity
          • Provisioning Logs (AADProvisioningLogs)
          • Microsoft Graph Activity
          • Identity Protection
            • Risk Detections
            • AADRiskyServicePrincipals
            • AADRiskyUsers
            • AADUserRiskEvents
            • AADServicePrincipalRiskEvents
        • Additional Entra ID Logs
      • Azure Key Vault
        • Azure Key Vault Logging Overview
      • Network Watcher
        • RBAC Permissions
        • Flow Log Types
          • NSG Flow Log Schema
          • VNET Flow Log Schema
        • Enabling Logs
          • NSG Flow Logs
          • VNET Flow Logs
        • Packet Capture
          • Packet Capture: VM
          • Packet Capture: Scale Sets
      • Compute Resources
        • Azure Monitor Agent
        • VM Insights
          • VM Insights Tables
      • Storage Accounts
        • Storage Account Logging
          • File
            • Enable StorageFileLogs
            • StorageFileLogs
          • Blob
            • Enable Blob Logging
            • StorageBlobLogs
          • Queue
            • Enable Queue Logging
            • StorageQueueLogs Table
          • Table
            • Enable Table Logging
            • StorageTableLogs Table
      • Azure App Service
        • Log Types
        • Enabling Logging
      • Azure Monitor
        • Resource Logs
          • Resource Log Top Level Documentation
        • Log Analytics Workspace
          • Setup
        • Workbooks
        • Dashboards
        • Alerts
        • Azure Monitor Documentation
      • Defender for Cloud
      • Intune
      • Sysmon
      • Purview Audit Log Schema
  • Threat Hunting
    • Threat Hunting in Azure
      • Threat Hunting Introduction
      • Threat Hunting Process
        • Hypothesis Generation
        • Investigation
        • Identification
        • Resolution & Follow Up
      • Pyramid of Pain
      • Azure Threat Hunting Ideas
      • Hands On Threat Hunting Examples
      • OSINT Feeds
  • Microsoft Defender TI
    • Microsoft Defender Threat Intelligence
      • Data Sets
      • Reputational Scoring
      • Analyst Insights
      • Microsoft Defender TI: Copilot Integration
  • MITRE Att&ck
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Data Sources
      • MITRE Att&ck Mitigations
      • MITRE Att&ck: Azure
        • MITRE Att&ck Identity Provider Matrix
        • MITRE Att&CK: Azure Security Control Mapping
    • Azure MITRE Frameworks
      • Identity Provider Matrix (Entra ID)
        • Initial Access: TA0001
          • Defensive Strategies: TA0001
        • Execution: TA0002
          • Defensive Strategies: TA0002
        • Persistence: TA0003
          • Defensive Strategies: TA0003
        • Privilege Escalation: TA0004
          • Defensive Strategies: TA0004
        • Defense Evasion: TA0005
          • Defensive Strategies for TA0005
        • Credential Access: TA0006
          • Defensive Strategies for TA0006
        • Discovery: TA0007
          • Defensive Strategies: TA0007
        • Lateral Movement TA0008
          • Defensive Strategies for TA0008
      • IAAS Matrix
        • Initial Access TA0001
          • Defensive Strategies
        • Execution TA0002
          • Defense Strategies
        • Persistence: TA0003
          • Defensive Strategies
        • Privilege Escalation TA0004
          • Defensive Strategies
        • Defense Evasion TA0005
          • Defensive Strategies
        • Credentialed Access TA00060
          • Defensive Strategies
        • Discovery TA00007
          • Defensive Strategies
        • Lateral Movement TA0008
          • Defensive Strategies
        • Collection TA0009
          • Defensive Strategies
        • Exfiltration TA0010
          • Defensive Strategies
        • Impact TA0040
          • Defense Strategies
      • Containers
      • Azure Attack Mappings
  • Microsoft Resources
    • Microsoft Incident Response Ninja Hub
    • Microsoft Defender XDR Ninja Hub
  • Azure Threat Research Matrix (ATRM)
  • Security Research & Resources
    • Azure Goat
    • Azure Security Research
      • Azure Related CVEs
  • Defender XDR
    • Defender XDR Overview
    • Defender XDR Licensing
    • Defender XDR Default Retention
    • Defender XDR Advanced Hunting Table Schemas
    • Automated Response Requirements
    • Supported Response Actions
  • Azure Sentinel
    • Sentinel Overview
    • Azure Sentinel Deployments
    • Supported Data
    • Workbook, Playbook, Notebook Comparison
    • Sentinel Workbooks
    • Entities
    • User and Entity Behavior Analytics
    • Anomaly Detection
    • Mult-Stage Attack Detection
    • Sentinel: Az CLI
  • Microsoft Defender
    • Microsoft Defender for Cloud References
    • Defender for Cloud: Az CLI
  • Azure Policy
    • Azure Policy
    • Azure Policy Components
    • Azure Policy Rules
    • Scope Azure Policy
    • Policy Assignments
    • Policy Effect
    • Initiative Definition
    • Policy Parameters
    • Remediation Task Structure
    • Use Cases for Azure Policy
    • Azure Policy: Az CLI
  • Intune
    • Intune Overview
    • Intune Licensing
    • Intune API Permission Scopes
    • Intune Sample Script Resources
  • Intune Logging
    • Configure Logging
    • Logging Schema References
    • Intune Queries and Resources
  • Windows Host Security
    • Windows System Architecture and OS Fundamentals
    • SysInternals
    • Basic vs Advanced Security Auditing
    • Sysmon
  • Adversary Emulation
    • AzureHound
    • AADInternals
      • Install
    • RoadTools
      • Install
    • Oh365UserFinder
    • GraphRunner
  • Incident Response
    • Incident Response
      • Azure IR Program Development Cheat Sheet
      • Azure IR Playbooks (MS Guidance)
      • Ransomware (MS Guidance)
  • Automation
    • Automation Overview
    • Logic Apps
      • How Logic Apps Work
      • Logic App Types
      • Triggers
      • Connectors
      • Conditional Logic and Control Flow
      • APIs in Logic Apps
      • Handling Large Workflows with Stateful Logic Apps
      • External Service Integration
      • Securing, Managing, and Scaling Azure Logic Apps
      • Logic Apps: Az CLI
  • Packet Analysis
    • Wireshark Cheatsheet
    • TShark Cheatsheet
    • TCPDUMP Cheatsheet
    • Protocol Analysis Basics
    • HTTP Response Code Cheatsheet
    • RFC Protocol Mappings
    • PCAP Acquisition
  • Detection Lab
    • Detection Lab Introduction
    • Account Creation Instructions
    • Enable MFA Within Azure Tenant
    • Create an Azure Admin With Cloud Shell
    • Setup and Install Instructions
  • VSCode and Code Setup
  • Deploying Code
  • Enabling Logs for Log Analytics Workspace
  • Logging Into Windows VM
  • Verifying Logs in Log Analytics Workspace
  • Creating Detections: Azure Monitor
  • Cost Management: Billing Alarms
  • AzurePolicy-IAC
Powered by GitBook
On this page
  • Overview
  • 1. Disabling or Modifying Security Controls
  • 2. Bypassing Authentication or Conditional Access
  • 3. Exploiting Trusted Tools for Evasion
  • 4. Obfuscating Command Execution
  • 5. Deleting or Modifying Logs to Cover Tracks
  • 6. Abusing Policies and Configuration Settings for Evasion
  • 7. Exploiting Trusted Relationships to Evade Monitoring
  • 8. Encrypting or Encoding Payloads to Avoid Detection
  • 9. Disguising Malicious Code as Normal Services or Accounts
  • 10. Abusing Service Principals and Automation Accounts for Evasion
  • Summary of Key Concepts with Techniques for TA0005
  1. MITRE Att&ck
  2. Azure MITRE Frameworks
  3. Identity Provider Matrix (Entra ID)

Defense Evasion: TA0005

Overview

The Defense Evasion tactic focuses on hiding malicious activities to avoid detection by security tools and analysts. In Azure environments, attackers use a variety of techniques, such as disabling logging, bypassing multi-factor authentication, manipulating policies, and abusing trusted tools to stay under the radar. Below are the key concepts with associated techniques, sub-techniques, and Azure-specific examples

1. Disabling or Modifying Security Controls

Technique: T1562 - Impair Defenses Attackers disable logging, security alerts, or monitoring tools to avoid detection.

  • T1562.001 - Disable or Modify Tools Azure Example: Disable Azure Defender alerts to evade monitoring.

    az security pricing create --name VirtualMachines --tier 'Free'

  • T1562.004 - Disable Event Logging Azure Example: Use PowerShell to stop or clear Azure AD audit logs.

2. Bypassing Authentication or Conditional Access

Technique: T1556 - Modify Authentication Process Attackers alter or bypass authentication flows, such as MFA, to gain persistent access.

  • T1556.004 - Add MFA Bypass Rule Azure Example: Modify conditional access policies to exclude specific IPs from MFA requirements.

    Set-AzureADPolicy -Id <PolicyID> -Definition "{... MFA Exclusion Config...}"

3. Exploiting Trusted Tools for Evasion

Technique: T1218 - Signed Binary Proxy Execution Attackers use legitimate signed tools to execute malicious commands, bypassing security.

  • Azure Example: Use MSBuild.exe on a Windows VM to launch payloads while avoiding security alerts.

    <Project>
  <Target Name="RunPayload">
    <Exec Command="cmd.exe /c calc.exe" />
  </Target>
</Project>

4. Obfuscating Command Execution

Technique: T1055 - Process Injection Attackers hide malicious code within legitimate processes to evade detection.

  • Azure Example: Inject malicious code into a PowerShell process running on a compromised Azure VM to blend into normal operations.

5. Deleting or Modifying Logs to Cover Tracks

Technique: T1070 - Indicator Removal on Host Attackers remove logs and other traces to prevent forensic investigations.

  • T1070.004 - File Deletion Azure Example: Delete Azure Activity Logs that contain evidence of privilege escalation.

6. Abusing Policies and Configuration Settings for Evasion

Technique: T1564 - Hide Artifacts Attackers manipulate policies or settings to hide their activities or artifacts.

  • T1564.003 - Hidden Window Azure Example: Run malicious code in the background using hidden processes within Automation Accounts to avoid user detection.

7. Exploiting Trusted Relationships to Evade Monitoring

Technique: T1199 - Trusted Relationship Attackers abuse multi-tenant or federated relationships to avoid detection.

  • Azure Example: Use a trusted tenant's permissions to access sensitive resources without triggering alerts in the victim’s environment.

8. Encrypting or Encoding Payloads to Avoid Detection

Technique: T1027 - Obfuscated Files or Information Attackers use encryption or encoding to make their payloads less detectable by security tools.

  • Azure Example: Deliver Base64-encoded PowerShell scripts that bypass antivirus scanning.

    powershell.exe -EncodedCommand <Base64Payload>

9. Disguising Malicious Code as Normal Services or Accounts

Technique: T1036 - Masquerading Attackers disguise malicious code or processes as legitimate services.

  • T1036.005 - Match Legitimate Name or Location Azure Example: Deploy a malicious automation task named “Microsoft-Update” to blend in with legitimate tasks.

10. Abusing Service Principals and Automation Accounts for Evasion

Technique: T1098 - Account Manipulation Attackers manipulate service principals or automation accounts to evade detection.

  • Azure Example: Add extra credentials to a service principal, allowing hidden access to resources.

Summary of Key Concepts with Techniques for TA0005

Key Concept

Technique

Azure Example

Disable Security Controls

T1562 - Impair Defenses

Disable Azure Defender alerts to evade monitoring

Bypass Authentication

T1556 - Modify Authentication Process

Modify conditional access policies to bypass MFA

Use Trusted Tools for Evasion

T1218 - Signed Binary Proxy Execution

Use MSBuild.exe to execute malicious code undetected

Obfuscate Command Execution

T1055 - Process Injection

Inject malicious code into legitimate PowerShell processes

Delete or Modify Logs

T1070 - Indicator Removal on Host

Delete Azure Activity Logs to cover privilege escalation

Hide Artifacts via Policies

T1564 - Hide Artifacts

Run hidden tasks in Automation Accounts

Exploit Trusted Relationships

T1199 - Trusted Relationship

Use tenant trust to access resources without detection

Encode or Encrypt Payloads

T1027 - Obfuscated Files or Information

Use Base64-encoded scripts to evade antivirus scanning

Masquerade Malicious Code

T1036 - Masquerading

Deploy malicious tasks named after legitimate services

Abuse Service Principals

T1098 - Account Manipulation

Add hidden credentials to a service principal

Last updated 18 days ago