Which SIEM platforms have a T1027.005 detection rule?

df00tech provides T1027.005 (Indicator Removal from Tools) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Indicator Removal from Tools (T1027.005)?

Detecting Indicator Removal from Tools requires the following data sources: Process: Process Creation, File: File Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1027.005 detection?

The T1027.005 detection is rated high severity with medium confidence.

What are common false positives for T1027.005?

Common false positives for T1027.005 include: Security researchers and red team members using PE analysis tools (PE Studio, CFF Explorer, dnSpy) for legitimate analysis; Malware analysts using de4dot or ILSpy for deobfuscation of samples in a lab environment; Software developers modifying their own compiled executables for debugging or patching.

T1027.005 Elastic Security · Elastic

Detect Indicator Removal from Tools in Elastic Security

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.005 Indicator Removal from Tools
Canonical reference: https://attack.mitre.org/techniques/T1027/005/

Elastic Detection Query

Elastic Security (Elastic)

eql

any where
  (
    event.category == "process" and event.type : ("start", "process_started") and
    (
      process.name like~ "*confuser*" or process.name like~ "*de4dot*" or
      process.name like~ "*dnspy*" or process.name like~ "*pestudio*" or
      process.name like~ "*pe-bear*" or process.name like~ "*shellter*" or
      process.command_line like~ "*find-avsignature*" or
      process.command_line like~ "*avbypass*" or
      process.command_line like~ "*defeatdefender*" or
      process.command_line like~ "*invoke-avbypass*" or
      process.command_line like~ "*confuserex*" or
      process.command_line like~ "*de4dot*" or
      process.command_line like~ "*dnspy*" or
      process.command_line like~ "*ilspy*" or
      process.command_line like~ "*hyperion*" or
      process.command_line like~ "*veil-evasion*" or
      process.command_line like~ "*shellter*" or
      process.command_line like~ "*phantom-evasion*" or
      process.command_line like~ "*smartassembly*" or
      process.command_line like~ "*dnguard*"
    )
  ) or
  (
    event.category == "file" and event.type == "change" and
    file.extension in ("exe", "dll") and
    not file.path like "C:\\Windows\\*" and
    not file.path like "C:\\Program Files\\*" and
    not file.path like "C:\\Program Files (x86)\\*" and
    not process.name in~ ("MpCmdRun.exe", "MsMpEng.exe", "svchost.exe", "TrustedInstaller.exe", "wuauclt.exe", "WerFault.exe")
  )

high severity medium confidence

Detects T1027.005 Indicator Removal from Tools by identifying execution of known AV bypass, .NET obfuscation, PE manipulation, and shellcode injection utilities via process command line and name matching, plus suspicious modification of executable/DLL files outside trusted system paths by non-AV processes.

Data Sources

Elastic Endpoint SecurityWindows Event Logs via Elastic AgentSysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*logs-windows.sysmon_operational-*

False Positives & Tuning

Legitimate reverse engineering or malware analysis by security researchers using tools like dnSpy, ILSpy, or PE Studio on dedicated analysis workstations
Software developers using de4dot for legitimate deobfuscation of third-party .NET libraries they have rights to inspect
Automated build systems using ConfuserEx to legitimately obfuscate proprietary .NET application code for IP protection

Download portable Sigma rule (.yml)

Other platforms for T1027.005

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Use PowerSploit Find-AVSignature to Locate Detectable Bytes
Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.
Test 2Obfuscate .NET Assembly with ConfuserEx
Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.
Test 3Modify Binary Hash with Hex Editor (Byte Patching)
Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.
Test 4Use Shellter to Inject Shellcode into Legitimate PE
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.

Last updated: 2026-04-13 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Indicator Removal from Tools in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027.005

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027.005

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox