T1027.005

Indicator Removal from Tools

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.

Microsoft Sentinel / Defender

kusto

let SigBypassTools = dynamic([
  "Find-AVSignature", "AVBypass", "DefeatDefender", "Invoke-AVBypass",
  "Confuser", "ConfuserEx", "de4dot", "dnspy", "ILSpy",
  "pe-bear", "CFF Explorer", "PE Studio", "pestudio",
  "hyperion", "Veil-Evasion", "Shellter"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SigBypassTools)
    or FileName has_any (SigBypassTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileModified"
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where FolderPath !startswith "C:\\Windows\\"
        and FolderPath !startswith "C:\\Program Files\\"
    | where InitiatingProcessFileName !in~ ("MpCmdRun.exe", "MsMpEng.exe", "svchost.exe", "TrustedInstaller.exe")
    | extend SuspiciousModification = true
    | project Timestamp, DeviceName, FolderPath, FileName,
             InitiatingProcessFileName, InitiatingProcessCommandLine, SuspiciousModification
)

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Security researchers and red team members using PE analysis tools (PE Studio, CFF Explorer, dnSpy) for legitimate analysis
Malware analysts using de4dot or ILSpy for deobfuscation of samples in a lab environment
Software developers modifying their own compiled executables for debugging or patching
AV software itself modifying quarantined PE files (should be excluded by InitiatingProcessFileName)

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type : ("start", "process_started") and
    (
      process.name like~ "*confuser*" or process.name like~ "*de4dot*" or
      process.name like~ "*dnspy*" or process.name like~ "*pestudio*" or
      process.name like~ "*pe-bear*" or process.name like~ "*shellter*" or
      process.command_line like~ "*find-avsignature*" or
      process.command_line like~ "*avbypass*" or
      process.command_line like~ "*defeatdefender*" or
      process.command_line like~ "*invoke-avbypass*" or
      process.command_line like~ "*confuserex*" or
      process.command_line like~ "*de4dot*" or
      process.command_line like~ "*dnspy*" or
      process.command_line like~ "*ilspy*" or
      process.command_line like~ "*hyperion*" or
      process.command_line like~ "*veil-evasion*" or
      process.command_line like~ "*shellter*" or
      process.command_line like~ "*phantom-evasion*" or
      process.command_line like~ "*smartassembly*" or
      process.command_line like~ "*dnguard*"
    )
  ) or
  (
    event.category == "file" and event.type == "change" and
    file.extension in ("exe", "dll") and
    not file.path like "C:\\Windows\\*" and
    not file.path like "C:\\Program Files\\*" and
    not file.path like "C:\\Program Files (x86)\\*" and
    not process.name in~ ("MpCmdRun.exe", "MsMpEng.exe", "svchost.exe", "TrustedInstaller.exe", "wuauclt.exe", "WerFault.exe")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Elastic Agent Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate reverse engineering or malware analysis by security researchers using tools like dnSpy, ILSpy, or PE Studio on dedicated analysis workstations
Software developers using de4dot for legitimate deobfuscation of third-party .NET libraries they have rights to inspect
Automated build systems using ConfuserEx to legitimately obfuscate proprietary .NET application code for IP protection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process" AS parent_process,
  QIDNAME(qid) AS event_name,
  CASE
    WHEN LOWER("Command") MATCHES '(find-avsignature|invoke-avbypass|avbypass|defeatdefender)' THEN 'PowerSploit_AV_Bypass'
    WHEN LOWER("Command") MATCHES '(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|dotfuscator|smartassembly)' THEN 'NET_Obfuscator_Tool'
    WHEN LOWER("Command") MATCHES '(shellter|avet|venom|phantom-evasion)' THEN 'Shellcode_Injector'
    WHEN LOWER("Command") MATCHES '(pe-bear|cff explorer|pestudio|hyperion|veil-evasion)' THEN 'PE_Manipulation_Tool'
    ELSE 'AV_Bypass_Generic'
  END AS detection_category
FROM events
WHERE devicetime > NOW() - 86400000
  AND (
    LOWER("Command") MATCHES '(find-avsignature|avbypass|defeatdefender|invoke-avbypass|confuserex|confuser|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|veil-evasion|shellter|avet|venom|phantom-evasion|dnguard|dotfuscator|smartassembly)'
    OR LOWER("Process Name") MATCHES '(confuserex|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|shellter)'
  )
  AND LOGSOURCETYPEID IN (12, 13, 352)
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Security Event Log (LOGSOURCETYPEID 12) Microsoft Sysmon (LOGSOURCETYPEID 352) Windows System Event Log (LOGSOURCETYPEID 13)

Required Tables

events

False Positives

Security operations analysts performing authorised malware triage using reverse engineering tools (ILSpy, dnSpy, PE Studio) on isolated analysis VMs
DevSecOps pipelines legitimately running ConfuserEx or SmartAssembly to protect proprietary .NET assemblies before release
Penetration testers or red team operators running authorised engagements — correlate with change management records and source IP against known pentest infrastructure

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog/security* OR _sourceCategory=*crowdstrike/falcon*)
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmd_raw nodrop
| parse field=Image "*\\*" as _discard, process_basename nodrop
| toLowerCase(CommandLine) as cmd
| toLowerCase(process_basename) as proc
| where cmd matches "*find-avsignature*"
   OR cmd matches "*avbypass*"
   OR cmd matches "*defeatdefender*"
   OR cmd matches "*invoke-avbypass*"
   OR cmd matches "*confuserex*"
   OR cmd matches "*confuser*"
   OR cmd matches "*de4dot*"
   OR cmd matches "*dnspy*"
   OR cmd matches "*ilspy*"
   OR cmd matches "*pe-bear*"
   OR cmd matches "*pestudio*"
   OR cmd matches "*hyperion*"
   OR cmd matches "*veil-evasion*"
   OR cmd matches "*shellter*"
   OR cmd matches "*phantom-evasion*"
   OR cmd matches "*smartassembly*"
   OR cmd matches "*dnguard*"
   OR proc matches "*de4dot*"
   OR proc matches "*dnspy*"
   OR proc matches "*pestudio*"
   OR proc matches "*shellter*"
| if (cmd matches "*find-avsignature*" OR cmd matches "*invoke-avbypass*", "PowerSploit_AVBypass",
    if (cmd matches "*confuserex*" OR cmd matches "*de4dot*" OR cmd matches "*smartassembly*" OR cmd matches "*dnguard*", "NET_Obfuscator",
    if (cmd matches "*shellter*" OR cmd matches "*phantom-evasion*" OR cmd matches "*avet*", "Shellcode_Injector",
    "PE_Manipulation_AV_Bypass"))) as detection_category
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, detection_category
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic collector Windows Security Event Log via Sumo Logic collector CrowdStrike Falcon via Sumo Logic Cloud-to-Cloud source

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*wineventlog/security*

False Positives

Malware analysts on dedicated sandboxed workstations using ILSpy or de4dot to inspect suspicious samples as part of incident response — correlate with analyst hostnames and ITSM tickets
Software vendors legitimately using obfuscation tools such as SmartAssembly or Dotfuscator as part of a CI/CD build pipeline — whitelist known build server hostnames
CTF participants or security training environments where tool usage is expected and authorised — exclude by subnet or hostname prefix

Google Chronicle / SecOps

yaral

rule t1027_005_indicator_removal_from_tools {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.005 - Indicator Removal from Tools via execution of known AV bypass, .NET obfuscation, PE manipulation, and shellcode injection utilities"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.005"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1027/005/"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line,
        `(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender|confuserex|confuser(?!ex)|de4dot|dnspy|ilspy|pe-bear|cff.explorer|pestudio|hyperion|veil-evasion|shellter|avet|venom(?!om)|phantom-evasion|dnguard|dotfuscator|smartassembly)`)
      or
      re.regex($e.target.process.file.full_path,
        `(?i)(confuserex|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|shellter)`)
    )
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user

  match:
    $hostname, $user over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(find-avsignature|invoke-avbypass)`), 85,
      if(re.regex($e.target.process.command_line, `(?i)(shellter|phantom-evasion|avet)`), 90,
      if(re.regex($e.target.process.command_line, `(?i)(confuserex|de4dot)`), 75, 70)))
    )
    $detection_category = array_distinct(
      if(re.regex($e.target.process.command_line, `(?i)(find-avsignature|invoke-avbypass|avbypass)`) , "PowerSploit_AV_Bypass",
      if(re.regex($e.target.process.command_line, `(?i)(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|smartassembly)`), "NET_Obfuscator_Tool",
      if(re.regex($e.target.process.command_line, `(?i)(shellter|avet|venom|phantom-evasion)`), "Shellcode_Injector",
      "PE_Manipulation_Tool")))
    )
    $process_count = count_distinct($e.target.process.pid)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM via Windows Event Forwarding Chronicle Ingestion API with Sysmon parser CrowdStrike Falcon Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Security research environments where analysts legitimately use reverse engineering tools — create reference lists of trusted analyst hostnames and exclude via Chronicle reference list lookups
Software build pipelines using ConfuserEx or SmartAssembly for code protection — whitelist CI/CD server principal hostnames in the rule condition
Red team or penetration testing activities on pre-authorised targets — correlate against authorised engagement windows in a Chronicle reference list

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender|confuserex|confuser|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|veil-evasion|shellter|phantom-evasion|avet|dnguard|smartassembly)/
  OR ImageFileName = /(?i)(confuserex|de4dot\.exe|dnspy|ilspy|pe-bear|pestudio|shellter\.exe|hyperion)/
| eval detection_category := case(
    CommandLine = /(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender)/, "PowerSploit_AV_Bypass",
    CommandLine = /(?i)(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|smartassembly)/, "NET_Obfuscator_Tool",
    CommandLine = /(?i)(shellter|phantom-evasion|avet)/, "Shellcode_Injector",
    "PE_Manipulation_Tool"
  )
| eval short_image := replace(ImageFileName, /.*\\/, "")
| table([_time, ComputerName, UserName, short_image, CommandLine, ParentProcessId, detection_category])
| sort(field=_time, order=desc)

// Companion rule — suspicious EXE/DLL modification outside system paths (Sysmon-equivalent via FDR)
// Uncomment to union:
// | union [
//   #event_simpleName=AsepValueUpdate OR #event_simpleName=PeFileWritten
//   | TargetFileName = /(?i)\.(exe|dll)$/
//   | not TargetFileName = /(?i)(C:\\Windows\\|C:\\Program Files\\)/
//   | not ImageFileName = /(?i)(MpCmdRun\.exe|MsMpEng\.exe|svchost\.exe|TrustedInstaller\.exe)/
//   | table([_time, ComputerName, UserName, TargetFileName, ImageFileName])
// ]

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 via FDR) CrowdStrike Falcon Data Replicator (FDR) file write events CrowdStrike Falcon Real-time Response telemetry

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=PeFileWritten (optional companion rule)

False Positives

Authorised red team operators running Cobalt Strike beacon modification or Shellter on approved pentest infrastructure — correlate ComputerName against authorised asset lists in Falcon's custom IOA exclusions
Malware reverse engineers on isolated Falcon-managed analysis workstations using dnSpy or ILSpy — create process-level exclusions scoped to specific Device Groups in Falcon console
DevOps teams running ConfuserEx or SmartAssembly inside CI/CD pipelines on build agents — exclude by hostname pattern or Falcon host group assignment

Last updated: 2026-04-13 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Indicator Removal from Tools

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections