Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Adversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity.
Rather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry.
Adversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)
Platforms
Mitigations (4)
Exploit ProtectionM1050
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Con
Update SoftwareM1051
Update software regularly by employing patch management for internal enterprise endpoints and servers.
Threat Intelligence ProgramM1019
Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.
Application Isolation and SandboxingM1048
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) exploited CVE-2024-20399 in Cisco Switches to which the threat actor was already able to authentic... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used CVE-2015-4902 to bypass security features.(Citation: Bitdefender APT28 Dec 2015)(Citation: Mic... |
References
- Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.
- Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.
Frequently Asked Questions
What is T1211 (Exploitation for Stealth)?
T1211 is a MITRE ATT&CK technique named 'Exploitation for Stealth'. It belongs to the Stealth tactic(s). Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. Adversaries may exploit a system or applica...
How can T1211 be detected?
Detection of T1211 (Exploitation for Stealth) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1211?
There are 4 documented mitigations for T1211. Key mitigations include: Exploit Protection, Update Software, Threat Intelligence Program, Application Isolation and Sandboxing.
Which threat groups use T1211?
Known threat groups using T1211 include: Velvet Ant, APT28.