{"id":21621,"date":"2022-04-08T23:05:56","date_gmt":"2022-04-08T23:05:56","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21621"},"modified":"2023-07-27T15:13:11","modified_gmt":"2023-07-27T15:13:11","slug":"how-hackers-evade-detection","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/","title":{"rendered":"How Hackers Evade Detection"},"content":{"rendered":"<p>Bypassing detection tools is part of a hacker&#8217;s routine these days. Despite the incredible evolution of defensive technologies, attackers often remain undetected for weeks or months, earning the label <a href=\"https:\/\/www.esecurityplanet.com\/threats\/advanced-persistent-threat\/\">advanced persistent threat (APT)<\/a>.<\/p>\n<p>Classic security tools are necessary but less and less sufficient. That\u2019s why most security companies are now focusing on <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-user-and-entity-behavior-analytics-ueba-tools\/\">behavioral analysis<\/a> and active <a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">endpoint protection<\/a>, as evasion keeps becoming easier.<\/p>\n<p>For example, intrusion detection tools still rely somewhat on huge databases that contain specific signatures, but even if these databases are updated regularly, hackers can forge custom packets to stay off the radar. 
As a result, more and more security tools are relying on <a href=\"https:\/\/www.esecurityplanet.com\/threats\/ai-ml-cybersecurity\/\">AI and ML techniques<\/a> to detect signs of <a href=\"https:\/\/www.esecurityplanet.com\/threats\/zero-day-threat\/\">zero-day threats<\/a>.<\/p>\n<p>We\u2019ll discuss both common and unusual evasion techniques &#8211; and practical means for enterprises to protect themselves.<\/p>\n<h2><strong>Start with the MITRE ATT&amp;CK Framework<\/strong><\/h2>\n<p>The <a href=\"https:\/\/www.esecurityplanet.com\/networks\/use-mitre-attck-to-understand-attacker-behavior\/\">MITRE ATT&amp;CK framework<\/a> is one of the best knowledge bases available, as it documents in detail how attackers behave and think.<\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\" target=\"_blank\" rel=\"noopener\">Defense Evasion<\/a> is described accurately, with practical examples and dedicated pages for each technique. At the time of writing, there are 40 known techniques attackers can use to evade detection, from classic obfuscation to lateral movements and more sophisticated approaches.<\/p>\n<p>If you have no idea how to spot such sneaky moves, ATT&amp;CK is a great resource, and even advanced teams use it daily, as many security vendors map the knowledge base to perform analysis.<\/p>\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/threats\/a-few-clicks-from-data-disaster-enterprise-security\/\">A Few Clicks from Data Disaster: The State of Enterprise Security<\/a><\/p>\n<h2><strong>The Top Techniques Used by Hackers<\/strong><\/h2>\n<p>The following evasion approaches are widely used:<\/p>\n<ul>\n<li>Disabling security tools<\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/\" target=\"_blank\" rel=\"noopener\">Masquerading<\/a> (tricked file type, scheduled tasks, renamed hacking software, etc.)<\/li>\n<li>Obfuscating malicious code<\/li>\n<\/ul>\n<p>Evasion helps the attack succeed. 
Hackers may remain undetected for lengthy periods or for a calculated window of opportunity. We\u2019ve seen various attacks in the headlines over the past months where attackers were perfectly aware they would get detected eventually, but they only needed a couple of hours to operate.<\/p>\n<p>Many security vendors can easily block known hacking software such as Mimikatz, but hackers can lower the detection rate significantly by simply renaming the file so the invoke command does not raise alerts.<\/p>\n<p>More advanced attackers may modify a few lines in the source code to lower the detection rate, and most <a href=\"https:\/\/www.esecurityplanet.com\/products\/antivirus-software\/\">antivirus software<\/a> will fail to detect it.<\/p>\n<p>It\u2019s also possible to mess with registry entries to completely disable built-in monitoring with PowerShell commands such as:<\/p>\n<pre>Set-MpPreference -DisableRealtimeMonitoring $true\r\n<\/pre>\n<h2><strong>The Rapid Evolution of Evasion Techniques<\/strong><\/h2>\n<p>Evasion techniques have evolved quickly. The earliest techniques were fake <a href=\"https:\/\/www.esecurityplanet.com\/threats\/malware-types\/\">malware<\/a> signatures or sleep timers (delayed execution). Now hackers are focusing more on EDR evasion and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/living-off-the-land-attacks\/\">LOTL attacks<\/a>.<\/p>\n<p>LOTL stands for \u201cliving off the land,\u201d which mainly consists of using native tools found on the targeted system &#8211; like <a href=\"https:\/\/www.esecurityplanet.com\/threats\/powershell-source-of-third-of-critical-security-threats\/\">PowerShell<\/a> &#8211; to attack. 
In other words, the attackers blend into the victim\u2019s computer systems and cover their actions by using legitimate processes.<\/p>\n<p>This approach is heavily used in cyber espionage, but script kiddies and less advanced hackers might use it too, as the open-sourcing of hacking tools in underground communities is rising, <a href=\"https:\/\/www.esecurityplanet.com\/trends\/becoming-a-cybercriminal-keeps-getting-easier\/\">making hacking easier<\/a>.<\/p>\n<p>AppLocker mechanisms and strict permissions management can mitigate attacks using LOLBins (living off the land binaries).<\/p>\n<p>Memory analysis is a bit more technical but effective for spotting common LOLBins used to deliver malware, such as Regsvr32, a Windows utility that can register or unregister DLL files.<\/p>\n<h2><strong>Examples of IDS and IPS Evasion<\/strong><\/h2>\n<p>IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) &#8211; often combined as <a href=\"https:\/\/www.esecurityplanet.com\/products\/intrusion-detection-and-prevention-systems\/\">intrusion detection and prevention systems (IDPS)<\/a> &#8211; can flag suspicious network packets by comparing them to a <a href=\"https:\/\/www.esecurityplanet.com\/products\/threat-intelligence-platforms\/\">threat database<\/a> filled with known signatures collected in various cyberattacks. An IDS only monitors packets, while an IPS can reject them automatically.<\/p>\n<p>Many attackers use Nmap to discover vulnerable live hosts, but IDS and IPS can detect such active scans and raise alerts immediately.<\/p>\n<p>However, you can pass specific options to Nmap commands that fragment (-f option) packets, manipulate metadata, or send fake data that won\u2019t be matched with known signatures.<\/p>\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/nmap-vulnerability-scanning-made-easy\/\">Nmap Vulnerability Scanning Made Easy: Tutorial<\/a><\/p>\n<h2><strong>Disabling Security Tools<\/strong><\/h2>\n<p>Disabling security tools is a practical approach. 
The following Windows utilities and features can be deactivated:<\/p>\n<ul>\n<li>Task Manager<\/li>\n<li>UAC (User Account Control, which gates the execution of tasks with admin privileges)<\/li>\n<li>CMD (command prompt)<\/li>\n<li>Windows Security<\/li>\n<li>Logs<\/li>\n<\/ul>\n<p>All have associated registry entries that can be modified. Alternatively, it\u2019s possible to alter the local access policies.<\/p>\n<p>This is where EDR and UEBA can identify unwanted modifications in security policies and unusual events &#8211; but watch for attempts to <a href=\"https:\/\/twitter.com\/5C4R48\/status\/1512401258468069382\" target=\"_blank\" rel=\"noopener\">bypass EDR systems<\/a>\u00a0too.<\/p>\n<h2><strong>Evasion Can Leverage macOS and Linux Too<\/strong><\/h2>\n<p>Most demos and POCs involve PowerShell commands and modifications to the Windows registry.<\/p>\n<p>Indeed, Windows is still the most popular OS, but macOS and Linux systems are not immune to evasion techniques &#8211; and Linux is the basis of many critically important enterprise systems. 
Hackers can use LOLBins in such environments as well, sometimes giving headaches to researchers trying to analyze the situation.<\/p>\n<p>Attackers can implant persistent agents and kill the Activity Monitor (the macOS equivalent of the Task Manager in Windows) to prevent users from checking resources, just like what happened in <a href=\"https:\/\/www.sentinelone.com\/labs\/fade-dead-adventures-in-reversing-malicious-run-only-applescripts\/\" target=\"_blank\" rel=\"noopener\">OSAMiner campaigns<\/a>.<\/p>\n<p>Linux shell scripts can uninstall cloud-monitoring agents, disable <a href=\"https:\/\/www.esecurityplanet.com\/products\/top-ngfw\/\">firewalls<\/a>, or rename common utilities such as wget and curl that can download resources from remote IPs.<\/p>\n<p>All endpoints should be monitored, regardless of the operating system.<\/p>\n<p><em>See our picks for the <\/em><a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\"><em>Top EDR Tools<\/em><\/a><\/p>\n<h2><strong>Malicious Payloads Can Hide in Unexpected Files<\/strong><\/h2>\n<p>Hackers love classic file types such as PDFs because they do not look suspicious like .exe (executable), .jar (Java) or zip archives do.<\/p>\n<p>Known techniques such as <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-steganography-allows-attackers-to-evade-detection\/\">steganography<\/a> can be used to hide malicious payloads even in seemingly harmless images that will bypass <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-secure-email-gateways\/\">email security gateways<\/a>.<\/p>\n<p>Embedded macros in Word and Excel documents are also massively used to bypass antivirus software and other protections to ultimately install malware. The only caveat for attackers is that it usually requires the user to click on \u201cenable content\u201d (e.g., inside Microsoft Office), so macro malware is theoretically much easier to detect and mitigate. 
However, <a href=\"https:\/\/www.esecurityplanet.com\/products\/cybersecurity-training\/\">cybersecurity awareness training<\/a> is essential to prevent employees from even opening such files.<\/p>\n<p>Indeed, hackers <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zloader-with-a-new-infection-technique\/\" target=\"_blank\" rel=\"noopener\">managed<\/a> to bypass default macro security using non-malicious documents to trick the victims into disabling security warnings and enabling macros that are normally disabled in Microsoft Office. These documents were used to download other documents containing macro code.<\/p>\n<p>Steganographic documents are hard to detect, but CDR (content disarm and reconstruction) can remove non-approved objects in files automatically.<\/p>\n<h2 role=\"presentation\"><strong>Ubiquitous RATs<\/strong><\/h2>\n<p>RATs (Remote Access Trojans) can have various purposes, from spying\/monitoring the victim\u2019s activities (e.g., keystrokes, screenshots, confidential information) to identity theft and malware distribution.<\/p>\n<p>It\u2019s not uncommon for hackers to use infected machines to attack other machines by using the victims\u2019 addresses as fronts for criminal activities.<\/p>\n<p>RATs are also often effective at evading antivirus software, so using IDPS technology is recommended.<\/p>\n<h2><strong>Nothing Replaces Human Analysis &#8211; But It Can Be Fooled<\/strong><\/h2>\n<p>Security tools do a tremendous job, especially against common threats. However, skilled adversaries often succeed at bypassing them.<\/p>\n<p>They can anticipate the work of security analysts, and perhaps even of leading researchers, and hide malicious commands inside legitimate system commands and instructions.<\/p>\n<p>Those command lines are often quite long and used by very few specialists who work at a low level, for example, with kernels or assembly code. 
Even if the analyst is intrigued by such unusual lines in security logs, Google will likely indicate it\u2019s a perfectly legitimate process.<\/p>\n<p>You cannot fight against something you don\u2019t know, and most security tools focus on known attacks and technologies, not highly complex scenarios that are specifically meant to lure defenders with <a href=\"https:\/\/www.esecurityplanet.com\/threats\/social-engineering-attacks\/\">social engineering<\/a> and noisy data.<\/p>\n<p>In this case, understanding the tactics and procedures involved is a top priority. Threat hunting, endpoint logs and auditing can save the day.<\/p>\n<p>Read next: <a href=\"https:\/\/www.esecurityplanet.com\/threats\/threat-hunting\/\">How to Build &amp; Run a Threat Hunting Program<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bypassing detection tools is part of a hacker&#8217;s routine these days. 
Despite the incredible evolution of defensive technologies, attackers often remain undetected for weeks or months, earning the label advanced persistent threat (APT). Classic security tools are necessary but less and less sufficient. That\u2019s why most security companies are now focusing on behavioral analysis and [&hellip;]<\/p>\n","protected":false},"author":267,"featured_media":21623,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[19,15],"tags":[14716,28055,28046],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[31788,403,395],"class_list":["post-21621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-endpoint","category-threats","tag-apt","tag-edr","tag-ueba","b2b_audience-awareness-and-consideration","b2b_product-advanced-persistent-threats","b2b_product-cyber-terrorists-and-cyber-crime","b2b_product-firewalls-and-intrusion-prevention-and-detection"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How Hackers Evade Detection | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"Evading defensive tools and using living off the land techniques is how hackers go undetected. Here&#039;s what to look for.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Hackers Evade Detection | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"Evading defensive tools and using living off the land techniques is how hackers go undetected. 
Here&#039;s what to look for.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-08T23:05:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-27T15:13:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1492\" \/>\n\t<meta property=\"og:image:height\" content=\"1157\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Julien Maury\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Julien Maury\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\"},\"author\":{\"name\":\"Julien Maury\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\"},\"headline\":\"How Hackers Evade Detection\",\"datePublished\":\"2022-04-08T23:05:56+00:00\",\"dateModified\":\"2023-07-27T15:13:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\"},\"wordCount\":1327,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg\",\"keywords\":[\"APT\",\"EDR\",\"UEBA\"],\"articleSection\":[\"Endpoint\",\"Threats\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\",\"name\":\"How Hackers Evade Detection | eSecurity Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg\",\"datePublished\":\"2022-04-08T23:05:56+00:00\",\"dateModified\":\"2023-07-27T15:13:11+00:00\",\"description\":\"Evading 
defensive tools and using living off the land techniques is how hackers go undetected. Here's what to look for.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg\",\"width\":1492,\"height\":1157,\"caption\":\"evasion techniques\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How Hackers Evade Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\",\"name\":\"Julien Maury\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"caption\":\"Julien Maury\"},\"description\":\"eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jmaury\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Hackers Evade Detection | eSecurity Planet","description":"Evading defensive tools and using living off the land techniques is how hackers go undetected. 
Here's what to look for.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/","og_locale":"en_US","og_type":"article","og_title":"How Hackers Evade Detection | eSecurity Planet","og_description":"Evading defensive tools and using living off the land techniques is how hackers go undetected. Here's what to look for.","og_url":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/","og_site_name":"eSecurity Planet","article_published_time":"2022-04-08T23:05:56+00:00","article_modified_time":"2023-07-27T15:13:11+00:00","og_image":[{"width":1492,"height":1157,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg","type":"image\/jpeg"}],"author":"Julien Maury","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Julien Maury","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/"},"author":{"name":"Julien Maury","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a"},"headline":"How Hackers Evade Detection","datePublished":"2022-04-08T23:05:56+00:00","dateModified":"2023-07-27T15:13:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/"},"wordCount":1327,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg","keywords":["APT","EDR","UEBA"],"articleSection":["Endpoint","Threats"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/","url":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/","name":"How Hackers Evade Detection | eSecurity Planet","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg","datePublished":"2022-04-08T23:05:56+00:00","dateModified":"2023-07-27T15:13:11+00:00","description":"Evading defensive tools and using living off the land techniques is how hackers go undetected. 
Here's what to look for.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/04\/macro-attack.jpg","width":1492,"height":1157,"caption":"evasion techniques"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-evade-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"How Hackers Evade Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a","name":"Julien Maury","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp","caption":"Julien Maury"},"description":"eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. 
He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.","url":"https:\/\/www.esecurityplanet.com\/author\/jmaury\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21621"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/267"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=21621"}],"version-history":[{"count":1,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21621\/revisions"}],"predecessor-version":[{"id":31233,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21621\/revisions\/31233"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/21623"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=21621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=21621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=21621"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=21621"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=21621"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=21621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}