Detect Indicator Removal from Tools in IBM QRadar
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.005 Indicator Removal from Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1027/005/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
username,
sourceip,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process" AS parent_process,
QIDNAME(qid) AS event_name,
CASE
WHEN LOWER("Command") MATCHES '(find-avsignature|invoke-avbypass|avbypass|defeatdefender)' THEN 'PowerSploit_AV_Bypass'
WHEN LOWER("Command") MATCHES '(confuserex|confuser|de4dot|dnspy|ilspy|dnguard|dotfuscator|smartassembly)' THEN 'NET_Obfuscator_Tool'
WHEN LOWER("Command") MATCHES '(shellter|avet|venom|phantom-evasion)' THEN 'Shellcode_Injector'
WHEN LOWER("Command") MATCHES '(pe-bear|cff explorer|pestudio|hyperion|veil-evasion)' THEN 'PE_Manipulation_Tool'
ELSE 'AV_Bypass_Generic'
END AS detection_category
FROM events
WHERE devicetime > NOW() - 86400000
AND (
LOWER("Command") MATCHES '(find-avsignature|avbypass|defeatdefender|invoke-avbypass|confuserex|confuser|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|veil-evasion|shellter|avet|venom|phantom-evasion|dnguard|dotfuscator|smartassembly)'
OR LOWER("Process Name") MATCHES '(confuserex|de4dot|dnspy|ilspy|pe-bear|pestudio|hyperion|shellter)'
)
AND LOGSOURCETYPEID IN (12, 13, 352)
ORDER BY devicetime DESC
LIMIT 500Detects T1027.005 Indicator Removal from Tools in QRadar by querying process creation events from Windows Security, Sysmon, and endpoint log sources for command lines and process names matching known AV bypass, obfuscation, PE manipulation, and shellcode injection tools. Categorises detections by tool type for triage prioritisation.
Data Sources
Required Tables
False Positives & Tuning
- Security operations analysts performing authorised malware triage using reverse engineering tools (ILSpy, dnSpy, PE Studio) on isolated analysis VMs
- DevSecOps pipelines legitimately running ConfuserEx or SmartAssembly to protect proprietary .NET assemblies before release
- Penetration testers or red team operators running authorised engagements — correlate with change management records and source IP against known pentest infrastructure
Other platforms for T1027.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Use PowerSploit Find-AVSignature to Locate Detectable Bytes
Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.
- Test 2Obfuscate .NET Assembly with ConfuserEx
Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.
- Test 3Modify Binary Hash with Hex Editor (Byte Patching)
Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.
- Test 4Use Shellter to Inject Shellcode into Legitimate PE
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.
References (4)
Unlock Pro Content
Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.