<aside> 🎯
Objective: Evaluate your organization's ability to detect and respond to sophisticated threat actors who use evasive techniques to bypass security controls, focusing on detecting living-off-the-land techniques and advanced adversary tactics.
</aside>
Select appropriate evasion techniques based on your defensive controls:
| Technique Category | Detection Difficulty | Tool Requirements | Defensive Control Target | Best For |
|---|---|---|---|---|
| Living-Off-The-Land | High | Low | EDR, SIEM | Testing behavior-based detection |
| Defense Tool Evasion | High | Medium | AV, EDR | Testing signature-based controls |
| Network Evasion | Medium-High | Medium | NIDS/NIPS, Firewall | Testing network monitoring |
| Memory-Based Techniques | Very High | Medium-High | EDR, Memory Scanning | Testing advanced detection |
| Log Evasion/Tampering | High | Low | SIEM, Log Analysis | Testing log integrity |
| Encrypted C2 Channels | Medium-High | Medium | Network Monitoring | Testing TLS inspection |

| Defensive Control | Primary Purpose | Evasion Difficulty | Key Techniques to Test |
|---|---|---|---|
| Antivirus/Anti-malware | Malware Prevention | Low-Medium | Obfuscation, LOLBins, In-memory execution |
| EDR/XDR | Behavior Monitoring | Medium-High | Process injection, Living-off-the-land, Fileless attacks |
| SIEM/Log Analysis | Activity Monitoring | Medium | Log evasion, Timestamp manipulation, Log clearing |
| Network IDS/IPS | Traffic Analysis | Medium | Protocol tunneling, Encryption, Traffic shaping |
| DLP | Data Protection | Medium | Steganography, Encrypted exfiltration, Protocol abuse |
| Application Whitelisting | Execution Control | Medium-High | Signed binary proxy execution, Script-based attacks |

| Parameter | Options | Considerations |
|---|---|---|
| Detection Knowledge | Blind, Partial, Full | How much SOC knows about the exercise |
| Infrastructure Type | Production, Test, Hybrid | Where testing will be performed |
| Time Constraints | Time-boxed, Extended, Random | When testing will occur |
| Notification Scope | Black box, Gray box, White box | Who knows about the exercise |
| Recovery Requirements | Self-recovery, Assisted, No recovery | How systems will be returned to normal |

| Target Category | Value for Testing | Risk Level | Example Targets |
|---|---|---|---|
| Detection Systems | Very High | Medium | SIEM, EDR consoles, Log servers |
| Critical Infrastructure | High | High | Domain controllers, Authentication servers |
| Data Repositories | High | Medium-High | File servers, Databases, Collaboration platforms |
| End-user Systems | Medium | Low | Representative workstations |
| Network Infrastructure | Medium-High | Medium | Firewalls, Proxies, Network monitoring |