Question
From the Red Team’s perspective, does “Attack Detection Evasion” actually work? Walk through how this action works for the Red Team to evade the Blue Team’s IDS sensors and EDR.
Versions:
- All Versions
Answer
Here are some stealth measures that can be employed to prevent the Blue Team from detecting your attacks and from increasing their Threat Intelligence score (which allows them to win the game).
- Evade Network Detection – This action reduces the possibility of detection by IDS systems within the network until the next attack.
 The action may look like it remains active after the turn in which you execute the attack, but that is only because it is expended on the turn the attack is finalized, regardless of result; this action does not cover subsequent attacks. You can improve the efficiency of this action by researching IDS evasion, which reduces the possibility of detection further.
- Prepare Covert Attack – Available after researching persistence, this action ensures that the next attack will be covert, reducing the risk of being detected by endpoint protection on the turn it occurs.
- Cover Tracks – This action is available post-exploitation. If the attack itself wasn’t covert, you can try covering your tracks later. This will reduce the risk of the attack being discovered later.
Remember that attacks may still be detected even when these actions are executed. They only reduce the risk rather than completely removing it. None of these actions affect password attacks, as the mechanisms behind them aren’t relevant.
Clever Way to Disable Detection Mechanisms
Here’s a little tip from Greg, the head of our Support Group:
If you want to be sneaky, you can try to compromise the SIEM. If the SIEM is compromised, it’ll remove the risk of detection by endpoint protection and IDS systems after it is compromised until the Blue Team clears the compromise.
Copyright © 2025 by Derezzed Inc. D/B/A ThreatGEN. All rights reserved.
