Detect Indicator Removal from Tools in CrowdStrike LogScale
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.005 Indicator Removal from Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1027/005/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender|confuserex|confuser|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|veil-evasion|shellter|phantom-evasion|avet|dnguard|smartassembly)/
OR ImageFileName = /(?i)(confuserex|de4dot\.exe|dnspy|ilspy|pe-bear|pestudio|shellter\.exe|hyperion)/
| eval detection_category := case(
CommandLine = /(?i)(find-avsignature|invoke-avbypass|avbypass|defeatdefender)/, "PowerSploit_AV_Bypass",
CommandLine = /(?i)(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|smartassembly)/, "NET_Obfuscator_Tool",
CommandLine = /(?i)(shellter|phantom-evasion|avet)/, "Shellcode_Injector",
"PE_Manipulation_Tool"
)
| eval short_image := replace(ImageFileName, /.*\\/, "")
| table([_time, ComputerName, UserName, short_image, CommandLine, ParentProcessId, detection_category])
| sort(field=_time, order=desc)
// Companion rule — suspicious EXE/DLL modification outside system paths (Sysmon-equivalent via FDR)
// Uncomment to union:
// | union [
// #event_simpleName=AsepValueUpdate OR #event_simpleName=PeFileWritten
// | TargetFileName = /(?i)\.(exe|dll)$/
// | not TargetFileName = /(?i)(C:\\Windows\\|C:\\Program Files\\)/
// | not ImageFileName = /(?i)(MpCmdRun\.exe|MsMpEng\.exe|svchost\.exe|TrustedInstaller\.exe)/
// | table([_time, ComputerName, UserName, TargetFileName, ImageFileName])
// ]Detects T1027.005 Indicator Removal from Tools in CrowdStrike LogScale (Humio/Falcon Data Replicator) by searching ProcessRollup2 events for command lines and image file names matching known AV bypass, .NET obfuscation, PE manipulation, and shellcode injection tools. Includes a commented companion rule for suspicious EXE/DLL file writes outside system paths using FDR file write events.
Data Sources
Required Tables
False Positives & Tuning
- Authorised red team operators running Cobalt Strike beacon modification or Shellter on approved pentest infrastructure — correlate ComputerName against authorised asset lists in Falcon's custom IOA exclusions
- Malware reverse engineers on isolated Falcon-managed analysis workstations using dnSpy or ILSpy — create process-level exclusions scoped to specific Device Groups in Falcon console
- DevOps teams running ConfuserEx or SmartAssembly inside CI/CD pipelines on build agents — exclude by hostname pattern or Falcon host group assignment
Other platforms for T1027.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Use PowerSploit Find-AVSignature to Locate Detectable Bytes
Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.
- Test 2Obfuscate .NET Assembly with ConfuserEx
Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.
- Test 3Modify Binary Hash with Hex Editor (Byte Patching)
Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.
- Test 4Use Shellter to Inject Shellcode into Legitimate PE
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.
References (4)
Unlock Pro Content
Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.