Exploitation for Defense Evasion - T1211
(ATT&CK® Technique)
Definition
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
D3FEND Inferred Relationships
Artifacts this technique may modify:
- Exploitation for Defense Evasion (T1211) may-modify Stack Frame
- Exploitation for Defense Evasion (T1211) may-modify Process Code Segment

Defensive techniques that may detect T1211:
- Shadow Stack Comparisons: analyzes Stack Frame
- Memory Boundary Tracking: analyzes Process Code Segment
- Process Code Segment Verification: verifies Process Code Segment

Defensive techniques that may harden against T1211:
- Process Segment Execution Prevention: neutralizes Process Code Segment
- Segment Address Offset Randomization: obfuscates Process Code Segment
- Stack Frame Canary Validation: validates Stack Frame