T1027.005 Splunk · SPL

Detect Indicator Removal from Tools in Splunk

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.005 Indicator Removal from Tools
Canonical reference
https://attack.mitre.org/techniques/T1027/005/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine)
| eval IsAVBypassTool=if(match(cmdline,
    "(find-avsignature|avbypass|shellter|veil-evasion|hyperion|confuserex|confuser|de4dot|pe-bear)"), 1, 0)
| eval IsPowerSploitAVBypass=if(match(cmdline, "find-avsignature"), 1, 0)
| eval IsObfuscatorTool=if(match(cmdline, "(confuserex|dnguard|dotfuscator|smartassembly)"), 1, 0)
| eval IsShellcodeInjector=if(match(cmdline, "(shellter|avet|venom|phantom-evasion)"), 1, 0)
| where IsAVBypassTool=1 OR IsPowerSploitAVBypass=1 OR IsObfuscatorTool=1 OR IsShellcodeInjector=1
| table _time, host, User, Image, CommandLine, ParentImage, IsAVBypassTool, IsPowerSploitAVBypass, IsObfuscatorTool, IsShellcodeInjector
| sort - _time
high severity medium confidence

Detects execution of AV bypass and signature removal tools using Sysmon Event ID 1. Categorizes detections into: AV bypass tools (generic), PowerSploit-specific AVBypass module, .NET obfuscators (ConfuserEx, DnGuard), and shellcode injection frameworks (Shellter). Any match on a non-developer, non-security research host warrants immediate investigation.

Data Sources

Process: Process CreationSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Security team workstations where red team tooling or malware analysis tools are legitimately installed
  • Penetration testing labs where Veil, Shellter, and similar tools are expected
  • Developer workstations using obfuscation tools for legitimate IP protection of commercial software
  • Security awareness training scenarios that demonstrate evasion tools
Download portable Sigma rule (.yml)

Other platforms for T1027.005

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Use PowerSploit Find-AVSignature to Locate Detectable Bytes

    Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file.

  2. Test 2Obfuscate .NET Assembly with ConfuserEx

    Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution. Sysmon Event ID 3: Network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and extracted directory.

  3. Test 3Modify Binary Hash with Hex Editor (Byte Patching)

    Expected signal: Sysmon Event ID 2 (File Modification Timestamp): hash_test.exe modified. PowerShell ScriptBlock Log: byte array read/write operations and XOR on specific byte. The two certutil hash outputs will differ, demonstrating hash change.

  4. Test 4Use Shellter to Inject Shellcode into Legitimate PE

    Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with simulated Shellter workflow description.

Last updated: 2026-04-13 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1027.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.002Software PackingT1027.001Binary PaddingT1562.001Disable or Modify ToolsT1059.001PowerShellT1588.002ToolT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections