Chapter 27 Further Reading: Evasion and Anti-Detection Techniques

Essential References

MITRE ATT&CK Defense Evasion

  • MITRE ATT&CK Tactic TA0005 - Defense Evasion. attack.mitre.org/tactics/TA0005/. The authoritative catalog of defense evasion techniques with real-world procedure examples, detection guidance, and mitigation strategies. Start here for a structured understanding of the evasion landscape.

LOLBAS and GTFOBins Projects

  • LOLBAS Project. lolbas-project.github.io. The Living Off the Land Binaries, Scripts, and Libraries project catalogs Windows binaries that can be used for offensive purposes. Each entry includes the binary name, function type, command examples, and detection recommendations.
  • GTFOBins. gtfobins.github.io. The Linux equivalent of LOLBAS, documenting Unix binaries that can be exploited for file download, shell execution, privilege escalation, and other offensive operations.

Books

  • Mudge, Raphael. "Adversary Simulation and Red Team Operations." (2020). The creator of Cobalt Strike's guide to adversary simulation methodology. Essential reading for understanding how C2 frameworks fit into broader red team operations.
  • Desmond, William. "Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems." No Starch Press (2023). The most comprehensive treatment of EDR evasion, covering kernel callbacks, user-mode hooks, ETW, AMSI, and advanced evasion techniques with practical examples.
  • Smith, Jared Atkinson and Roberto Rodriguez. "Threat Hunter Playbook." (Open Source). A community-driven project documenting detection strategies for adversary techniques, including extensive coverage of LOTL and evasion detection.
  • Secure Planet. "Red Team Operations with Cobalt Strike." (2021). Detailed coverage of Cobalt Strike operations, malleable C2 profiles, and detection evasion for legitimate red team engagements.

Research Papers and Technical Reports

  • Koret, Joxean and Elias Bachaalany. "The Antivirus Hacker's Handbook." Wiley (2015). While dated in some specifics, the fundamental concepts of AV internals and evasion remain relevant. Covers signature engines, emulators, heuristics, and bypass techniques.
  • CISA. "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Joint Cybersecurity Advisory AA23-144A (2023). Essential reading on Volt Typhoon's LOTL methodology. Includes detailed TTPs, detection guidance, and hardening recommendations.
  • Proofpoint. "Cobalt Strike: Favorite Tool from APT to Crimeware." (2021). Analysis of Cobalt Strike's adoption by threat actors, including detection statistics and proliferation trends.
  • MDSec Research Blog. "Nighthawk: Covert C2 Framework" and related posts. Technical analysis of advanced C2 evasion techniques including sleep obfuscation, syscall evasion, and ETW patching.

Online Resources and Tools

C2 Frameworks (for authorized testing)

  • Sliver C2 (github.com/BishopFox/sliver). Open-source C2 framework with comprehensive documentation. The GitHub wiki covers installation, implant generation, and operational usage.
  • Mythic C2 (github.com/its-a-feature/Mythic). Modular, open-source C2 with web UI. Excellent documentation on agent development and C2 profile creation.
  • Havoc Framework (github.com/HavocFramework/Havoc). Modern C2 framework with a focus on EDR evasion and direct syscall support.

Detection and Monitoring

  • RITA (Real Intelligence Threat Analytics) (github.com/activecm/rita). Open-source framework for detecting command-and-control communication through network traffic analysis, including beacon detection and DNS tunneling identification.
  • Sysmon (docs.microsoft.com/en-us/sysinternals/downloads/sysmon). Microsoft's system monitoring tool with event-driven logging for process creation, network connections, file changes, and more. The foundation of Windows endpoint telemetry.
  • SwiftOnSecurity Sysmon Configuration (github.com/SwiftOnSecurity/sysmon-config). A widely used Sysmon configuration template optimized for detection of common attack techniques.
  • SIGMA Rules (github.com/SigmaHQ/sigma). A generic signature format for SIEM systems with extensive rules for detecting evasion techniques, LOLBin abuse, and C2 communication.

Evasion Research

  • SysWhispers (github.com/jthuraisamy/SysWhispers). Tool for generating direct syscall stubs to bypass user-mode hooks. Familiarity with this tool is essential for understanding modern EDR evasion.
  • ScareCrow (github.com/optiv/ScareCrow). EDR evasion payload generator using process injection, syscalls, and code signing techniques.
  • Donut (github.com/TheWover/donut). Generates position-independent shellcode from .NET assemblies, EXEs, and DLLs for in-memory execution.

Conferences and Talks

  • Mudge, Raphael. "Dirty Red Team Tricks." DEF CON 25 (2017). Cobalt Strike's creator discusses advanced red team techniques and operational security practices.
  • Desmond, William. "A Deep Dive into EDR Internals." DEF CON 31 (2023). Comprehensive walkthrough of how EDR agents work internally, including kernel callbacks, ETW providers, and detection pipelines.
  • Nayak, Chetan. "Adventures in Avoiding EDR." Multiple conferences (2021-2022). The creator of Brute Ratel discusses EDR evasion techniques and the design philosophy behind BRc4.
  • The SANS Institute. "SEC565: Red Team Operations and Adversary Emulation" Course Materials. Professional training covering C2 frameworks, evasion techniques, and adversary emulation methodology.
  • SpecterOps. "Adversary Tactics: Detection" Workshop Series. Excellent training on building detection capabilities for advanced adversary techniques, including LOTL and modern C2 frameworks.

Blogs and Regular Publications

  • SpecterOps Blog (posts.specterops.io). Regular technical posts on offensive security research, including evasion techniques and detection strategies.
  • Elastic Security Labs (elastic.co/security-labs). Research on threat detection, including detailed analysis of evasion techniques and EDR bypass methods.
  • Red Canary Blog (redcanary.com/blog). Regular threat intelligence and detection engineering content, with extensive coverage of LOLBin abuse and behavioral detection.
  • The DFIR Report (thedfirreport.com). Detailed real-world incident analysis showing how threat actors use evasion techniques in actual intrusions.

Practice Platforms

  • HackTheBox Pro Labs (hackthebox.com). Multi-machine lab environments that require evasion techniques to progress, providing realistic practice in a legal environment.
  • TryHackMe Red Team Pathway (tryhackme.com). Structured learning path covering red team operations including C2 frameworks, evasion, and LOTL techniques.
  • SANS Cyber Ranges. Professional-grade environments for practicing advanced evasion and detection techniques.

💡 Study Recommendation: Start with the MITRE ATT&CK Defense Evasion tactic page to build a structured understanding, then read the CISA Volt Typhoon advisory for real-world context. Practice detection engineering with Sysmon and SIGMA rules before attempting offensive evasion techniques.