T1027.005 Microsoft Sentinel · KQL

Detect Indicator Removal from Tools in Microsoft Sentinel

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.005 Indicator Removal from Tools
Canonical reference
https://attack.mitre.org/techniques/T1027/005/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SigBypassTools = dynamic([
  "Find-AVSignature", "AVBypass", "DefeatDefender", "Invoke-AVBypass",
  "Confuser", "ConfuserEx", "de4dot", "dnspy", "ILSpy",
  "pe-bear", "CFF Explorer", "PE Studio", "pestudio",
  "hyperion", "Veil-Evasion", "Shellter"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SigBypassTools)
    or FileName has_any (SigBypassTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileModified"
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where FolderPath !startswith "C:\\Windows\\"
        and FolderPath !startswith "C:\\Program Files\\"
    | where InitiatingProcessFileName !in~ ("MpCmdRun.exe", "MsMpEng.exe", "svchost.exe", "TrustedInstaller.exe")
    | extend SuspiciousModification = true
    | project Timestamp, DeviceName, FolderPath, FileName,
             InitiatingProcessFileName, InitiatingProcessCommandLine, SuspiciousModification
)
high severity medium confidence

Detects execution of known AV bypass and PE modification tools, and modification of PE files outside standard system directories. Adversaries use tools like Find-AVSignature (PowerSploit), ConfuserEx (.NET obfuscator), Shellter (shellcode injection into legitimate PEs), and de4dot (.NET deobfuscator) to iteratively modify their tools and remove AV-detectable signatures. Also surfaces unexpected PE file modifications in non-system locations.

Data Sources

Process: Process CreationFile: File ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Security researchers and red team members using PE analysis tools (PE Studio, CFF Explorer, dnSpy) for legitimate analysis
  • Malware analysts using de4dot or ILSpy for deobfuscation of samples in a lab environment
  • Software developers modifying their own compiled executables for debugging or patching
  • AV software itself modifying quarantined PE files (should be excluded by InitiatingProcessFileName)
Download portable Sigma rule (.yml)

Other platforms for T1027.005

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Use PowerSploit Find-AVSignature to Locate Detectable Bytes

    Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.

  2. Test 2Obfuscate .NET Assembly with ConfuserEx

    Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.

  3. Test 3Modify Binary Hash with Hex Editor (Byte Patching)

    Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.

  4. Test 4Use Shellter to Inject Shellcode into Legitimate PE

    Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.

Last updated: 2026-04-13 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.001Binary PaddingT1562.001Disable or Modify ToolsT1059.001PowerShellT1588.002ToolT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections