title: Indicator Removal from Tools (T1027.005)
id: df00tech-t1027-005
status: experimental
description: "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems. This includes changing file hashes, removing strings identified by AV signatures, obfuscating known-malicious function names, or repacking detected malware. Cobalt Strike includes a built-in capability to modify Beacon payloads to eliminate known signatures. PowerSploit's Find-AVSignature module helps locate detectable byte sequences. Threat actors including UNC3886, OilRig, Turla, APT3, and Deep Panda have iteratively modified their tools in response to public detections."
references:
  - https://attack.mitre.org/techniques/T1027/005/
  - https://df00tech.com/detections/T1027.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security researchers and red team members using PE analysis tools (PE Studio, CFF Explorer, dnSpy) for legitimate analysis"
  - Malware analysts using de4dot or ILSpy for deobfuscation of samples in a lab environment
  - Software developers modifying their own compiled executables for debugging or patching
  - AV software itself modifying quarantined PE files (should be excluded by InitiatingProcessFileName)
level: high