Detect Indicator Removal from Tools in Sumo Logic CSE
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.005 Indicator Removal from Tools
- Canonical reference: https://attack.mitre.org/techniques/T1027/005/
Sumo Detection Query
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*wineventlog/security*)
| where EventID in ("1", "4688")
| parse regex field=Image "(?<process_basename>[^\\]+)$" nodrop
| toLowerCase(CommandLine) as cmd
| toLowerCase(process_basename) as proc
| where cmd matches "*find-avsignature*"
OR cmd matches "*avbypass*"
OR cmd matches "*defeatdefender*"
OR cmd matches "*invoke-avbypass*"
OR cmd matches "*confuserex*"
OR cmd matches "*confuser*"
OR cmd matches "*de4dot*"
OR cmd matches "*dnspy*"
OR cmd matches "*ilspy*"
OR cmd matches "*pe-bear*"
OR cmd matches "*pestudio*"
OR cmd matches "*hyperion*"
OR cmd matches "*veil-evasion*"
OR cmd matches "*shellter*"
OR cmd matches "*phantom-evasion*"
OR cmd matches "*avet*"
OR cmd matches "*smartassembly*"
OR cmd matches "*dnguard*"
OR proc matches "*de4dot*"
OR proc matches "*dnspy*"
OR proc matches "*pestudio*"
OR proc matches "*shellter*"
| if (cmd matches "*find-avsignature*" OR cmd matches "*invoke-avbypass*", "PowerSploit_AVBypass",
if (cmd matches "*confuserex*" OR cmd matches "*de4dot*" OR cmd matches "*smartassembly*" OR cmd matches "*dnguard*", "NET_Obfuscator",
if (cmd matches "*shellter*" OR cmd matches "*phantom-evasion*" OR cmd matches "*avet*", "Shellcode_Injector",
"PE_Manipulation_AV_Bypass"))) as detection_category
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, detection_category
| sort by _messageTime desc

The query scans Sysmon Event ID 1 and Windows Security Event ID 4688 process creation events for command lines and process image names that name an AV signature locator (PowerSploit Find-AVSignature), a .NET obfuscator or deobfuscator (ConfuserEx, de4dot, SmartAssembly, DNGuard, dnSpy, ILSpy), a PE manipulation or crypter tool (PE-bear, pestudio, Hyperion) or a shellcode injector (Shellter, Phantom-Evasion, AVET), and tags each hit with a detection_category for triage. Two properties matter for triage. First, the match is on the command line and image name only, so a renamed tool, or one invoked from a script file whose contents surface only in PowerShell ScriptBlock logging (Event ID 4104), is not seen. Second, the category assignment inspects only the command line, so an event that matched on the image name alone (for example dnSpy.exe launched with an empty command line) lands in the default PE_Manipulation_AV_Bypass bucket. For 4688 events the CommandLine field is present only when command-line auditing is enabled, and the native field names (NewProcessName, ParentProcessName, SubjectUserName) must be mapped to Image, ParentImage and User by the log parser for the process-name match and the output columns to populate.
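To see the query's matching and categorisation logic run end to end, the Python below reimplements it over a handful of constructed Sysmon Event ID 1 and Security 4688 records. This is an added example, not code from the page or from Sumo Logic. The hostnames, users and paths are made up; the allowlist stands in for the hostname exclusions suggested under tuning; the 4688 field mapping (NewProcessName, SubjectUserName, ParentProcessName) is an assumption about how the Security log is parsed; and the avet substring is included in the filter list so the Shellcode_Injector branch is reachable. It also shows an image-name-only match falling into the default category.

```python
from typing import Dict, List, Optional

# Substrings the Sumo query globs on ("*x*"), lower-cased. "avet" is listed
# here so that the Shellcode_Injector branch in categorize() is reachable.
CMD_PATTERNS = [
    "find-avsignature", "avbypass", "defeatdefender", "invoke-avbypass",
    "confuserex", "confuser", "de4dot", "dnspy", "ilspy", "pe-bear", "pestudio",
    "hyperion", "veil-evasion", "shellter", "phantom-evasion", "smartassembly",
    "dnguard", "avet",
]
PROC_PATTERNS = ["de4dot", "dnspy", "pestudio", "shellter"]

# Hostname exclusions from the tuning section (assumed names for this example).
ALLOWLIST_HOSTS = {"build01.corp.example", "malware-lab-03.corp.example"}


def process_basename(image: str) -> str:
    """Text after the last backslash, e.g. C:\\Tools\\x\\x.exe -> x.exe."""
    return image.rsplit("\\", 1)[-1]


def categorize(cmd: str) -> str:
    """Mirror the query's nested if(): the command line alone decides the bucket."""
    if "find-avsignature" in cmd or "invoke-avbypass" in cmd:
        return "PowerSploit_AVBypass"
    if any(p in cmd for p in ("confuserex", "de4dot", "smartassembly", "dnguard")):
        return "NET_Obfuscator"
    if any(p in cmd for p in ("shellter", "phantom-evasion", "avet")):
        return "Shellcode_Injector"
    return "PE_Manipulation_AV_Bypass"


def normalize(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map Sysmon 1 and Security 4688 onto one schema; any other event is ignored."""
    eid = str(event.get("EventID", ""))
    if eid == "1":
        return {
            "host": event.get("Computer", ""), "user": event.get("User", ""),
            "image": event.get("Image", ""), "cmd": event.get("CommandLine", ""),
            "parent": event.get("ParentImage", ""),
        }
    if eid == "4688":  # native Security-log field names (assumed parser output)
        return {
            "host": event.get("Computer", ""), "user": event.get("SubjectUserName", ""),
            "image": event.get("NewProcessName", ""), "cmd": event.get("CommandLine", ""),
            "parent": event.get("ParentProcessName", ""),
        }
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events, each tagged with detection_category."""
    hits = []
    for ev in events:
        rec = normalize(ev)
        if rec is None or rec["host"].lower() in ALLOWLIST_HOSTS:
            continue
        cmd = rec["cmd"].lower()
        proc = process_basename(rec["image"]).lower()
        if any(p in cmd for p in CMD_PATTERNS) or any(p in proc for p in PROC_PATTERNS):
            hits.append({**rec, "detection_category": categorize(cmd)})
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS-0417", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Find-AVSignature -StartByte 0 -EndByte max -Path C:\Users\jdoe\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "4688", "Computer": "build01.corp.example", "SubjectUserName": "svc_build",
     "NewProcessName": r"C:\Tools\de4dot\de4dot.exe", "CommandLine": "de4dot.exe packed.dll",
     "ParentProcessName": r"C:\Program Files\Jenkins\jenkins.exe"},  # allowlisted build host
    {"EventID": "4688", "Computer": "WS-0920", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\de4dot.exe", "CommandLine": "de4dot.exe packed.dll",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Computer": "WS-0417", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c shellter.exe -a -f notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "1", "Computer": "WS-0417", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "1", "Computer": "WS-0533", "User": "CORP\\mlee",
     "Image": r"C:\Tools\dnSpy\dnSpy.exe", "CommandLine": "",  # image-name-only match
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "3", "Computer": "WS-0417", "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "raw.githubusercontent.com"},  # not a process-creation event
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], hit["detection_category"])
```

Running it yields four hits: the Find-AVSignature invocation (PowerSploit_AVBypass), de4dot on the non-allowlisted workstation (NET_Obfuscator), the Shellter command line (Shellcode_Injector) and the dnSpy launch, which matched only on the image name and therefore falls into PE_Manipulation_AV_Bypass, the bucket worth reviewing first when tuning.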
Data Sources
- Windows Sysmon, Event ID 1 (process creation): _sourceCategory=*windows/sysmon*. Supplies Computer, User, Image, CommandLine and ParentImage under the names the query uses.
- Windows Security log, Event ID 4688 (process creation): _sourceCategory=*wineventlog/security*. CommandLine is populated only when the "Include command line in process creation events" audit policy is enabled; the native fields NewProcessName, ParentProcessName and SubjectUserName must be mapped to Image, ParentImage and User by the log parser, otherwise the query can still match on CommandLine but the process-name match and the image, parent and user output columns stay empty.
False Positives & Tuning
- Malware analysts on dedicated sandboxed workstations using ILSpy or de4dot to inspect suspicious samples as part of incident response — correlate with analyst hostnames and ITSM tickets
- Software vendors legitimately using obfuscation tools such as SmartAssembly or Dotfuscator as part of a CI/CD build pipeline — whitelist known build server hostnames
- CTF participants or security training environments where tool usage is expected and authorised — exclude by subnet or hostname prefix
- Short substrings such as *confuser* and *hyperion* also match unrelated command lines that happen to contain those letter sequences (Hyperion is a common product name); review hits in the PE_Manipulation_AV_Bypass bucket first, since that is the default category for anything not claimed by a more specific branch, including events that matched on image name alone
Testing Methodology
Validate this detection against the four Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry to expect. Executable commands and cleanup steps are available with Pro. Only a run in which the tool name reaches a process command line (or the image name, for de4dot, dnSpy, pestudio and Shellter) can trip the query; the ScriptBlock (Event ID 4104), network (Event ID 3) and file (Event ID 11) signals listed below confirm telemetry collection, not this rule.
- Test 1: Use PowerSploit Find-AVSignature to Locate Detectable Bytes
Expected signal: Sysmon Event ID 3: network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: Find-AVSignature function definition and invocation. Sysmon Event ID 11: AV_results.txt created in %TEMP%. Multiple AV scanner invocations as it binary-searches the file. The query fires only if Find-AVSignature is passed on the powershell.exe command line; a function called from an already-loaded script is visible only in Event ID 4104.
- Test 2: Obfuscate .NET Assembly with ConfuserEx
Expected signal: Sysmon Event ID 1: PowerShell with Invoke-WebRequest, Expand-Archive, and Confuser.CLI.exe execution (the query matches on the confuser substring of the command line). Sysmon Event ID 3: network connection to GitHub releases. Sysmon Event ID 11: confuserex.zip and the extracted directory.
- Test 3: Modify Binary Hash with Hex Editor (Byte Patching)
Expected signal: Sysmon Event ID 11 (FileCreate) for hash_test.exe if the patched bytes are written back with WriteAllBytes, since Sysmon logs FileCreate when a file is created or overwritten; an in-place seek-and-write produces no Sysmon file event at all, and Event ID 2 (a process changed a file creation time) does not fire for a byte patch. PowerShell ScriptBlock Log: byte array read/write operations and XOR on a specific byte. The two certutil hash outputs will differ, demonstrating the hash change. No named tool appears on the command line, so this test does not trigger the query.
- Test 4: Use Shellter to Inject Shellcode into Legitimate PE
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 1: notepad.exe spawned by PowerShell. PowerShell ScriptBlock Log with a simulated Shellter workflow description. Because the workflow is simulated, the query fires only if the string shellter appears on the PowerShell command line.