T1027.005 Google Chronicle · YARA-L

Detect Indicator Removal from Tools in Google Chronicle

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.005 Indicator Removal from Tools
Canonical reference: https://attack.mitre.org/techniques/T1027/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1027_005_indicator_removal_from_tools {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027.005 - Indicator Removal from Tools via execution of known AV bypass, .NET obfuscation, PE manipulation, and shellcode injection utilities"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.005"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1027/005/"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Chronicle regexes use RE2 syntax, which has no lookahead: "confuser" and "venom" are
    // plain alternatives ("confuser" also covers "confuserex", which is kept for readability).
    (
      re.regex($e.target.process.command_line,
        `(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender|confuserex|confuser|de4dot|dnspy|ilspy|pe-bear|cff.explorer|pestudio|hyperion|veil-evasion|shellter|avet|venom|phantom-evasion|dnguard|dotfuscator|smartassembly)`)
      or
      // Tools launched from a recognisable install directory even when the command line is bare.
      re.regex($e.target.process.file.full_path,
        `(?i)(confuserex|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|shellter)`)
    )
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user

  match:
    // One detection per host/user pair within a 5-minute window.
    $hostname, $user over 5m

  outcome:
    // Highest risk tier observed in the window; the nested if() is evaluated top-down,
    // so the first matching tier assigns the score.
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(find-avsignature|invoke-avbypass)`), 85,
      if(re.regex($e.target.process.command_line, `(?i)(shellter|phantom-evasion|avet)`), 90,
      if(re.regex($e.target.process.command_line, `(?i)(confuserex|de4dot)`), 75, 70)))
    )
    // Distinct tool families seen in the window, for triage routing.
    $detection_category = array_distinct(
      if(re.regex($e.target.process.command_line, `(?i)(find-avsignature|invoke-avbypass|avbypass)`), "PowerSploit_AV_Bypass",
      if(re.regex($e.target.process.command_line, `(?i)(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|smartassembly)`), "NET_Obfuscator_Tool",
      if(re.regex($e.target.process.command_line, `(?i)(shellter|avet|venom|phantom-evasion)`), "Shellcode_Injector",
      "PE_Manipulation_Tool")))
    )
    $process_count = count_distinct($e.target.process.pid)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1027.005 Indicator Removal from Tools by matching process launch UDM events where command line or full process path contains known AV bypass tools (Find-AVSignature, Shellter), .NET obfuscators (ConfuserEx, de4dot), PE editors (PE Studio, PE-bear), and shellcode injectors. Computes a risk score and detection category per matched event for SIEM triage.

Data Sources

  • Google Chronicle UDM via Windows Event Forwarding
  • Chronicle Ingestion API with Sysmon parser
  • CrowdStrike Falcon Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Security research environments where analysts legitimately use reverse engineering tools: create a reference list of trusted analyst hostnames and exclude it from the rule with a Chronicle reference list lookup
  • Software build pipelines using ConfuserEx or SmartAssembly for code protection: allowlist the CI/CD server principal hostnames in the rule's events section
  • Red team or penetration testing activities on pre-authorised targets: correlate against authorised engagement windows kept in a Chronicle reference list
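To sanity-check the rule's matching, scoring and aggregation logic before deploying it, here is an added Python harness (not part of the page or of Chronicle) that mirrors the regexes and the match/outcome sections over constructed sample UDM events; the `TRUSTED_ANALYST_HOSTS` set is an assumed stand-in for the Chronicle reference list suggested in the first tuning note.

```python
import re
from collections import defaultdict

# Regexes mirror the YARA-L rule above (RE2 has no lookahead, so plain alternatives).
CMDLINE_RE = re.compile(
    r"(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender|confuserex|confuser|"
    r"de4dot|dnspy|ilspy|pe-bear|cff.explorer|pestudio|hyperion|veil-evasion|shellter|"
    r"avet|venom|phantom-evasion|dnguard|dotfuscator|smartassembly)")
PATH_RE = re.compile(r"(?i)(confuserex|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|shellter)")
# Same order as the rule's nested if(): the first matching tier wins.
RISK_TIERS = [(r"(?i)(find-avsignature|invoke-avbypass)", 85),
              (r"(?i)(shellter|phantom-evasion|avet)", 90),
              (r"(?i)(confuserex|de4dot)", 75)]
CATEGORIES = [(r"(?i)(find-avsignature|invoke-avbypass|avbypass)", "PowerSploit_AV_Bypass"),
              (r"(?i)(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|smartassembly)", "NET_Obfuscator_Tool"),
              (r"(?i)(shellter|avet|venom|phantom-evasion)", "Shellcode_Injector")]
# Hypothetical stand-in for a Chronicle reference list of trusted analyst hosts (tuning note 1).
TRUSTED_ANALYST_HOSTS = {"re-lab-01"}

def matches(ev):
    """events: section of the rule, plus the reference-list exclusion from the tuning notes."""
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and ev["hostname"].lower() not in TRUSTED_ANALYST_HOSTS
            and bool(CMDLINE_RE.search(ev["cmd"]) or PATH_RE.search(ev["path"])))

def detect(events):
    """match:/outcome: sections: group by (hostname, user) and aggregate like the rule.
    The 5m window is assumed to have been applied to the input batch already."""
    groups = defaultdict(list)
    for ev in filter(matches, events):
        groups[(ev["hostname"], ev["user"])].append(ev)
    results = {}
    for key, evs in groups.items():
        scores = [next((s for rx, s in RISK_TIERS if re.search(rx, e["cmd"])), 70) for e in evs]
        cats = {next((c for rx, c in CATEGORIES if re.search(rx, e["cmd"])), "PE_Manipulation_Tool") for e in evs}
        results[key] = {"risk_score": max(scores), "categories": sorted(cats),
                        "process_count": len({e["pid"] for e in evs})}
    return results

# Constructed sample UDM events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-042", "user": "jdoe", "pid": 4120,
     "cmd": "powershell -c Find-AVSignature -Path C:\\Temp\\tool.exe", "path": "C:\\Windows\\System32\\powershell.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-042", "user": "jdoe", "pid": 4188,
     "cmd": "Confuser.CLI.exe -n tool.crproj", "path": "C:\\Temp\\confuserex\\Confuser.CLI.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "re-lab-01", "user": "analyst", "pid": 77,
     "cmd": "dnSpy.exe sample.dll", "path": "C:\\Tools\\dnSpy\\dnSpy.exe"},  # excluded by reference list
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-042", "user": "jdoe", "pid": 4200,
     "cmd": "notepad.exe readme.txt", "path": "C:\\Windows\\System32\\notepad.exe"},  # benign, no match
]
```

Running `detect(SAMPLE_EVENTS)` yields a single detection for ws-042/jdoe with risk score 85, two categories and a process count of 2, matching what the Chronicle rule would emit for the same window.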
Testing Methodology

Validate this detection against the following 4 Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Use PowerSploit Find-AVSignature to Locate Detectable Bytes

    Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.

  2. Test 2: Obfuscate .NET Assembly with ConfuserEx

    Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.

  3. Test 3: Modify Binary Hash with Hex Editor (Byte Patching)

    Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.

  4. Test 4: Use Shellter to Inject Shellcode into Legitimate PE

    Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.
