D9 · PenTest+

What is defense evasion?

Defense evasion techniques: disabling security tools, clearing event logs, modifying file timestamps (timestomping), abusing signed living-off-the-land binaries (LOLBAS), API unhooking (to bypass EDR hooks), code obfuscation, and process injection (running code inside a trusted process to hide).
MITRE ATT&CK TA0005 — Defense Evasion is the largest tactic category (50+ techniques). Blue team: monitor for the evasion behaviors themselves (process tampering, log clearing, security tool termination). Detecting an evasion attempt is a high-confidence indicator of an active attack.