There’s an opportunity to look for evasion as an IoC, just like you can look for fingerprinting activity as an early indicator…:
[…] Discovery and defense evasion were the predominant attacker tactics observed in 2019, a team of researchers report in a new ranking of common MITRE ATT&CK tactics used in the past year.
In 2019, Recorded Future’s Insikt Group began to integrate data on attack tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework into its data collection and analysis. Researchers reviewed the identifiers across sandbox submissions throughout the year and compiled a list of the most frequently referenced tactics and techniques. Defense evasion dominated the tactics, and security software discovery was the most popular technique for doing it.
“There were really three main takeaways we saw based on this data,” says David Carver, manager and analyst for on-demand services at Recorded Future. “Either we’re looking at criminals becoming more interested in the defense perspective, or security tools are getting better, or both. We don’t have evidence to lead one way or the other, but I suspect it’s both.”
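One way to act on the idea above, treating security-software discovery and defense evasion as indicators in their own right, shown as an added example that is not from the original post or from the Recorded Future report: a small Python detector that runs ATT&CK-mapped patterns over process-creation telemetry and escalates when discovery is followed by defense evasion on the same host within a short window. The pipe-delimited log format, the host and user names, the sample command lines and the regex patterns are all assumptions constructed for this example; the technique IDs are the public ATT&CK ones.

```python
"""Flag hosts whose process-creation telemetry shows security-software
discovery or defense-evasion behaviour, so the behaviour itself becomes the
indicator. Added example; the telemetry below is constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (tactic, ATT&CK technique ID, pattern over the command line).
# IDs are from the public ATT&CK matrix (T1518.001 was T1063 in 2019);
# the patterns are this example's own assumptions about what the
# discovery and evasion commands look like.
RULES = [
    ("discovery", "T1518.001", re.compile(
        r"tasklist|wmic\b.*antivirusproduct|get-mpcomputerstatus"
        r"|\bsc(\.exe)?\s+query\s+(windefend|sense)", re.I)),
    ("defense-evasion", "T1562.001", re.compile(
        r"set-mppreference\s+-disable|netsh\b.*firewall\s+set\s+\w+\s+state\s+off"
        r"|\bsc(\.exe)?\s+stop\s+windefend|uninstallantivirusproduct", re.I)),
    ("defense-evasion", "T1070.001", re.compile(
        r"wevtutil\s+cl\b|clear-eventlog", re.I)),
]

# Assumed telemetry format: timestamp|host|user|command line (constructed).
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<cmd>.*)$")

SAMPLE_LOG = """\
2019-11-04T10:02:11|WS-ADMIN|svc_patch|tasklist /svc
2019-11-04T10:05:40|WS-ADMIN|svc_patch|schtasks /query /fo LIST
2019-11-04T13:17:03|WS-0042|jdoe|"C:\\Windows\\System32\\wbem\\wmic.exe" /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
2019-11-04T13:17:05|WS-0042|jdoe|powershell -nop -w hidden Get-MpComputerStatus
2019-11-04T13:21:48|WS-0042|jdoe|powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2019-11-04T13:22:02|WS-0042|jdoe|netsh advfirewall set allprofiles state off
2019-11-04T15:40:19|SRV-FILE01|backup|wevtutil cl Security
2019-11-04T15:41:00|SRV-FILE01|backup|notepad.exe
this line is not telemetry
"""


def parse_line(line):
    """Parse one telemetry line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def classify(cmd):
    """Return every (tactic, technique) whose pattern matches the command line."""
    return [(tactic, tid) for tactic, tid, rx in RULES if rx.search(cmd)]


def score_hosts(lines, window=timedelta(minutes=30)):
    """Group matches per host and rate them: discovery alone is low (admins run
    tasklist too), evasion alone is medium, discovery followed by evasion within
    `window` is high. Returns {host: {"severity": ..., "techniques": [...]}}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tactic, tid in classify(rec["cmd"]):
            events[rec["host"]].append((rec["ts"], tactic, tid))

    report = {}
    for host, evs in events.items():
        evs.sort()
        techniques = sorted({tid for _, _, tid in evs})
        discovery_ts = [ts for ts, tactic, _ in evs if tactic == "discovery"]
        evasion_ts = [ts for ts, tactic, _ in evs if tactic == "defense-evasion"]
        chained = any(timedelta(0) <= ets - dts <= window
                      for ets in evasion_ts for dts in discovery_ts)
        if chained:
            severity = "high"
        elif evasion_ts:
            severity = "medium"
        else:
            severity = "low"
        report[host] = {"severity": severity, "techniques": techniques}
    return report


def main():
    for host, info in sorted(score_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {info['severity']} {', '.join(info['techniques'])}")


if __name__ == "__main__":
    main()
```

On the constructed input, the admin workstation that only ran `tasklist` rates low, the file server that cleared the Security log rates medium, and the host that enumerated its AV product and then disabled real-time monitoring and the firewall a few minutes later rates high. The patterns cover a handful of commands and would need far more in production; the point is the correlation, which turns a noisy discovery signal into a usable early indicator once evasion follows it.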