MITRE ATT&CK® Detection Strategy

DET0795: Detection of Exploitation for Evasion


ICS | DET0795 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Low

DET0795 matters because exploitation used for evasion can turn a normal vulnerability-management issue into a monitoring and response-confidence issue in an ICS environment. If an attacker can exploit software on a control device, service, operating system, or kernel to disable or bypass security features, leaders may lose visibility at the moment it is most needed.

Executive priority

Treat this as a resilience and assurance question: which ICS assets have security features that could be bypassed through known or unknown software flaws, and would the organization know if those controls stopped working? This should inform vulnerability prioritization, compensating controls, incident response readiness, and audit evidence around monitoring integrity. Because the ATT&CK object provides no official detection logic or platforms, coverage should be validated locally rather than assumed.

Technical view

This detection strategy is related to ICS technique T0820, Exploitation for Evasion. SOC, detection, and IR teams should validate whether they can correlate vulnerability exposure on control devices and related software with evidence that security features were disabled, bypassed, failed, or behaved unexpectedly. The relationship context also notes that adversaries may use prior knowledge from Remote System Information Discovery, so discovery activity against control devices can be useful context when assessing possible evasion-focused exploitation.

Likely telemetry

  • ICS asset and software inventory, including control devices, services, operating systems, and kernel/software versions where available
  • Vulnerability and patch status for software that supports or protects control devices
  • Security feature status, configuration, health, and alerting records from monitored control devices or associated systems
  • System, application, service, kernel, crash, error, or watchdog logs where collected
  • Network or asset discovery telemetry that may show remote system information discovery activity before suspected evasion

Detection direction

  • Do not treat generic exploit alerts as sufficient; validate whether the exploit could affect a security feature or monitoring function.
  • Correlate security-control failures, disabled features, or loss of telemetry with vulnerability exposure and suspicious discovery activity.
  • Identify blind spots on control devices or embedded systems where logging is limited, proprietary, intermittent, or not centrally collected.
  • Tune review workflows to separate authorized maintenance or configuration changes from unexplained loss of security functionality.
  • Because ATT&CK provides no official detection text for DET0795, document the local analytic assumptions and test them against representative ICS assets.
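The correlation the list above calls for can be exercised on sample data before any real telemetry is wired in. The following Python is an added example written for this page; it is not Glexia's code and not part of the ATT&CK object. Every asset name, ticket number, feature name and log line is constructed, the pipe-delimited record formats are placeholders for whatever your collectors emit, and the six-hour discovery lookback and fifteen-minute heartbeat gap are assumed tuning values. It scores each loss of a security feature by three signals the page names (outside an authorized maintenance window, on an asset with an evasion-relevant vulnerability, preceded by remote discovery of that asset) and separately flags log sources that have gone silent, since loss of telemetry is itself the evidence DET0795 is concerned with.

```python
from datetime import datetime, timedelta

# --- Constructed inputs (hypothetical assets, tickets and flaws; not real data) ---

# Local vulnerability assessment: True when the known flaw could affect a protective
# feature or monitoring function on that asset (the page's "evasion-relevant" test).
ASSET_VULNS = {
    "plc-01": True,   # hypothetical: unpatched flaw in the device's logging agent
    "hmi-02": False,  # hypothetical: flaw with no bearing on security features
    "rtu-03": True,   # hypothetical: known kernel flaw on an embedded controller
}

# Security-feature state changes as "timestamp|asset|feature|state|actor".
FEATURE_LOG = """\
2024-05-01T09:55:00|hmi-02|av_realtime|disabled|svc_maint
2024-05-01T10:40:00|plc-01|syslog_forwarding|stopped|unknown
2024-05-01T11:05:00|rtu-03|secure_boot_check|failed|kernel
2024-05-01T11:30:00|plc-01|syslog_forwarding|enabled|svc_maint
""".splitlines()

# Authorized maintenance windows: (asset, start, end, change ticket).
MAINTENANCE = [
    ("hmi-02", "2024-05-01T09:30:00", "2024-05-01T10:30:00", "CHG-0001"),
]

# Remote system information discovery telemetry: "timestamp|source|target".
DISCOVERY_LOG = """\
2024-05-01T08:10:00|eng-ws-07|plc-01
2024-05-01T08:12:00|eng-ws-07|plc-01
""".splitlines()

# Periodic log-source heartbeats: "timestamp|asset".
HEARTBEATS = """\
2024-05-01T10:00:00|plc-01
2024-05-01T10:05:00|plc-01
2024-05-01T10:10:00|plc-01
2024-05-01T10:35:00|rtu-03
""".splitlines()

# States that mean a security feature is no longer doing its job.
DEGRADED = {"disabled", "stopped", "failed"}


def _ts(s):
    return datetime.fromisoformat(s)


def in_maintenance(asset, when, windows):
    """Return the change ticket if `when` falls inside an authorized window for `asset`."""
    for a, start, end, ticket in windows:
        if a == asset and _ts(start) <= when <= _ts(end):
            return ticket
    return None


def recent_discovery(asset, when, discovery, lookback):
    """True if something enumerated `asset` within `lookback` before `when`."""
    for line in discovery:
        t, _src, target = line.split("|")
        if target == asset and when - lookback <= _ts(t) <= when:
            return True
    return False


def correlate(feature_log, vulns, windows, discovery, lookback=timedelta(hours=6)):
    """Score each loss of a security feature. Authorized changes are kept but
    labelled so they can be reviewed separately from unexplained losses."""
    findings = []
    for line in feature_log:
        t, asset, feature, state, actor = line.split("|")
        if state not in DEGRADED:
            continue
        when = _ts(t)
        ticket = in_maintenance(asset, when, windows)
        if ticket:
            findings.append({"asset": asset, "feature": feature,
                             "severity": "authorized", "ticket": ticket})
            continue
        signals = []
        if vulns.get(asset):
            signals.append("evasion-relevant vulnerability")
        if recent_discovery(asset, when, discovery, lookback):
            signals.append("prior discovery activity")
        severity = {0: "low", 1: "medium", 2: "high"}[len(signals)]
        findings.append({"asset": asset, "feature": feature, "severity": severity,
                         "signals": signals, "actor": actor})
    return findings


def silent_sources(heartbeats, now, max_gap=timedelta(minutes=15)):
    """Assets whose last heartbeat is older than `max_gap` as of `now`."""
    last = {}
    for line in heartbeats:
        t, asset = line.split("|")
        last[asset] = max(last.get(asset, datetime.min), _ts(t))
    return sorted(a for a, t in last.items() if now - t > max_gap)


if __name__ == "__main__":
    for finding in correlate(FEATURE_LOG, ASSET_VULNS, MAINTENANCE, DISCOVERY_LOG):
        print(finding)
    print("silent:", silent_sources(HEARTBEATS, _ts("2024-05-01T10:40:00")))
```

On the constructed data the hmi-02 change is suppressed as authorized (ticket CHG-0001), the plc-01 syslog stop is rated high because the asset carries an evasion-relevant flaw and was enumerated two hours earlier, and the rtu-03 secure-boot failure is rated medium on the vulnerability signal alone. At 10:40 plc-01 has also stopped sending heartbeats, which is the kind of telemetry loss that should be reviewed together with the feature-state finding rather than filed as an operations ticket. The severity mapping is a starting point to be adjusted to local asset criticality, not a calibrated score.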

Mitigation priorities

  • Prioritize vulnerability management for software, services, operating systems, and control-device components that support security visibility or protective features.
  • Maintain accurate ICS asset and software inventories so exposure to evasion-relevant vulnerabilities can be assessed quickly.
  • Reduce unnecessary ability to enumerate security features on control devices where operationally feasible.
  • Monitor and alert on unexpected changes to security feature state, logging availability, and protective-control health.
  • Prepare IR procedures for cases where monitoring may be impaired, including alternate evidence sources and escalation criteria.

Analyst notes and limits

The strongest decision value is not simply detecting exploitation, but proving that exploitation has not undermined the controls used to detect and respond. This object is an ICS detection strategy with a single stated relationship to T0820 and no supplied platforms, tactics, description, or detection content, so local architecture and telemetry determine practical coverage.

Official MITRE fields for this object are sparse: no official description, no official detection guidance, no specified platforms, and no specified tactics. The related T0820 description supports only conservative statements about exploiting software vulnerabilities to evade detection by disabling or circumventing security features. No active exploitation, attribution, impact, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Exploitation for Evasion

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
ICS | T0820 | Exploitation for Evasion | This object detects Exploitation for Evasion.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 18bc3d3520d5b785...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 18bc3d3520d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0795 (external source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.