MITRE ATT&CK Technique
Defense Evasion T1211
Description

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)

Supported Platforms
Linux Windows macOS SaaS IaaS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may exploit a system or application vulnerability '
                'to bypass security features. Exploitation of a vulnerability '
                'occurs when an adversary takes advantage of a programming '
                'error in a program, service, or within the operating system '
                'software or kernel itself to execute adversary-controlled '
                'code.\xa0Vulnerabilities may exist in defensive security '
                'software that can be used to disable or circumvent them.\n'
                '\n'
                'Adversaries may have prior knowledge through reconnaissance '
                'that security software exists within an environment or they '
                'may perform checks during or shortly after the system is '
                'compromised for [Security Software '
                'Discovery](https://attack.mitre.org/techniques/T1518/001). '
                'The security software will likely be targeted directly for '
                'exploitation. There are examples of antivirus software being '
                'targeted by persistent threat groups to avoid detection.\n'
                '\n'
                'There have also been examples of vulnerabilities in public '
                'cloud infrastructure of SaaS applications that may bypass '
                'defense boundaries (Citation: Salesforce zero-day in facebook '
                'phishing attack), evade security logs (Citation: Bypassing '
                'CloudTrail in AWS Service Catalog), or deploy hidden '
                'infrastructure.(Citation: GhostToken GCP flaw)',
 'external_references': [{'external_id': 'T1211',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1211'},
                         {'description': 'Bill Toulas. (2023, August 2). '
                                         'Hackers exploited Salesforce '
                                         'zero-day in Facebook phishing '
                                         'attack. Retrieved September 18, '
                                         '2023.',
                          'source_name': 'Salesforce zero-day in facebook '
                                         'phishing attack',
                          'url': 'https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/'},
                         {'description': 'Nick Frichette. (2023, March 20). '
                                         'Bypassing CloudTrail in AWS Service '
                                         'Catalog, and Other Logging Research. '
                                         'Retrieved September 18, 2023.',
                          'source_name': 'Bypassing CloudTrail in AWS Service '
                                         'Catalog',
                          'url': 'https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/'},
                         {'description': 'Sergiu Gatlan. (2023, April 21). '
                                         'GhostToken GCP flaw let attackers '
                                         'backdoor Google accounts. Retrieved '
                                         'September 18, 2023.',
                          'source_name': 'GhostToken GCP flaw',
                          'url': 'https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/'}],
 'id': 'attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:39.960Z',
 'name': 'Exploitation for Defense Evasion',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['John Lambert, Microsoft Threat Intelligence Center'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows', 'macOS', 'SaaS', 'IaaS'],
 'x_mitre_version': '1.5'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (2)
Velvet Ant
High
APT28
High
Back to TTPs
Dashboard About