Stopping Detection & Evasion

Detection That Actually Wakes Someone Up

Attack paths shrink once permissions, segments, and management channels are consistently configured.

In Stopping Detection & Evasion, value emerges when detection is directly actionable for follow-up, not just for reporting.

This way, you not only reduce the likelihood of incidents, but especially the scope and duration when something does go wrong.

Immediate actions (15 minutes)

• Start with MFA, least privilege, and tiering for admin accounts.
• Enforce segmentation and explicit firewall rules on critical paths.
• Ensure logging, detection, and recovery tests are a structural operation.

Why this matters

The core of Stopping Detection & Evasion is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Defense: How to Stop All of This

In 1987, a German computer scientist named Bernd Fix did something nobody had done before: he wrote a program that neutralized another program. The Vienna virus -- a simple piece of code that infected .com files on DOS systems -- was the target. Fix analyzed it, understood it, and neutralized it. It was the first documented case of antivirus software. And it was the starting shot of an arms race that has now lasted nearly forty years and shows no signs of fatigue. (The arms race, that is. Bernd Fix is probably tired by now.)

It is as if Fix started a cat-and-mouse game whose rules change every six months. First there were viruses that infected files, and scanners came along that looked for known byte patterns. Then came polymorphic viruses that rewrote themselves with every copy, and the scanners had to start recognizing behavior instead of signatures. Then came rootkits that hid from the operating system itself, and the scanners had to start operating at kernel level. And now -- now we are in a world where attackers patch AMSI in memory, disable ETW providers, and bypass PowerShell logging with techniques that did not exist six months ago. The cat runs. The mouse runs faster.

After twenty techniques for bypassing defenses, it is time to tell the other side of the story. Because this is not a book for attackers -- it is a book for defenders who want to understand how attackers think. And the lesson from those twenty techniques is not that defense is futile. The lesson is that passive defense is futile. An antivirus program that you install and forget is like a smoke detector without a battery: it hangs there, it looks professional, and at the moment it matters, it does precisely nothing.

The question is not "can attackers bypass our detection?" Of course they can. The question is: how difficult do we make it? Every layer an attacker must break through -- AMSI, AppLocker, EDR, Script Block Logging, Credential Guard, network segmentation -- costs time, makes noise, and increases the chance of discovery. An attacker who must execute six bypasses before he can run his actual tooling is an attacker who leaves six times as many traces. And traces are what defenders need.

This is where the uncomfortable part begins. Because the techniques in the previous chapter -- AMSI patches, ETW blind spots, CLM escapes, process injection -- are not theoretical. They work. They work today, against current versions of Windows and current EDR products. The attacker has a structural advantage: he only needs to find one way in, while the defender must guard all paths. It is an asymmetry as old as the profession itself, and there is no magic solution.

But there are practical solutions. And they do not start with buying the most expensive EDR product on the market (although that helps too), but with fundamentally understanding what you are defending and why. PowerShell Script Block Logging is worthless if nobody reads the logs. Credential Guard is useless if it is not rolled out to all machines. AppLocker is a joke if half of the LOLBins are on the whitelist. The technology is there. What is lacking is discipline.

What follows is the defense handbook: concrete measures, ranked from most to least effective, with the honest caveat that no single measure is sufficient on its own. Defence in depth is not a marketing term -- it is the only strategy that works against an adversary who can bypass every individual layer.

EDR: Endpoint Detection and Response

Modern EDR solutions go beyond signature-based detection. They look at behaviors:

• API hooking: EDR places hooks on Windows API functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Every call is logged and analyzed.
• ETW (Event Tracing for Windows): EDR products register as ETW consumers and receive events from the kernel, AMSI, and applications.
• Memory scanning: Periodically scanning process memory for known patterns, even when nothing exists on disk.
• Process relationships: If mshta.exe spawns a powershell.exe child process, or if svchost.exe suddenly makes a network connection to an external IP address, that generates an alert.

Constrained Language Mode -- Properly Configured

CLM is not worthless when it is correctly configured:

• Combine CLM with WDAC (Windows Defender Application Control) instead of AppLocker.
• Remove PowerShell v2: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root.
• Block InstallUtil.exe and MSBuild.exe if they are not needed.

Code Signing

Requiring all scripts and executables to be digitally signed is one of the most effective defenses:

• Set-ExecutionPolicy AllSigned for PowerShell.
• WDAC policy that only allows signed binaries.
• Certificate pinning for internal tools.

It is not watertight -- stolen code signing certificates are a thing -- but it raises the bar significantly.

Practical Hardening Checklist

1. Disable PowerShell v2.
2. Implement WDAC instead of (or alongside) AppLocker.
3. Activate and monitor Script Block Logging.
4. Block LOLBins that are not needed (mshta.exe, cscript.exe, wscript.exe).
5. Monitor process relationships -- which process spawns which child process.
6. Implement Credential Guard to limit credential dumping.
7. Patch, patch, patch. Most AMSI bypasses work against specific versions. Updates break them.

A Word About the Antivirus Industry

There is an old saying: if you put an idiot in a nice suit, you do not get a smarter person -- you get an idiot in a nice suit.

The antivirus industry has dressed up fifty billion dollars per year in nice suits. It sells reactive detection as proactive protection. It calls signature updates "threat intelligence." It sticks machine learning labels on pattern recognition that a computer science student could write in a weekend. And it advertises detection rates of 99.9% -- which sounds impressive until you realize that three million new malware samples appear every day, and 0.1% of that means three thousand missed detections per day.

The real problem is not that AV is bad. AV catches the lion's share of commodity malware. The problem is that organizations think AV is enough. That they install a product, lean back, and think: "We are secure." That is like putting a lock on your front door and concluding that your house is burglar-proof, while the window on the first floor is open, the back door is unlocked, and you have put the spare key under the doormat.

Security is not a product. It is a process. It is layers -- defence in depth. AMSI plus AppLocker plus EDR plus network segmentation plus monitoring plus incident response plus -- and this is the most important part -- people who know what they are doing.

The techniques in this chapter prove that no single layer is invulnerable. But every layer makes the attack harder, more expensive, and -- crucially -- more detectable. An attacker who must execute five bypasses makes five times as much noise as an attacker who needs zero. And noise is what defenders need.

Further Reading

• LOLBAS Project: https://lolbas-project.github.io -- The complete catalog of Living Off The Land Binaries, Scripts, and Libraries.
• AMSI.fail: Collection of public AMSI bypasses.
• Donut: https://github.com/TheWover/donut -- Converts .NET assemblies to position-independent shellcode.
• NetLoader: Loads .NET assemblies in memory with automatic AMSI/ETW bypass.
• Shellter: https://www.shellterproject.com -- Dynamic PE infection tool.
• DefenderCheck / ThreatCheck: Tools to identify which bytes in a binary are detected.

And so ends our tour through the landscape of evasion. Nearly thirty techniques, spread across six categories, each with their own charm and their own detection methods. The arms race continues. The attacker finds a bypass, the defender writes a detection rule, the attacker adjusts the bypass, the defender updates the rule. It is a dance that began with the Trojan Horse and will not stop anytime soon. The least you can do is know the dance steps.

In the next chapter, we tackle something bigger: lateral movement through the network. Because a foot in the door is nice, but the vault is on the other side of the building.