Description
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
Platforms
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) apparently altered [NDiskMonitor](https://attack.mitre.org/software/S0272) samples by adding four b... |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) has updated and modified its malware, resulting in different hash values that evade detection.(Cit... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) ensured each payload had a unique hash, including by using different types of packers.(Citation: Cybe... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has tested malware samples to determine AV detection and subsequently modified the samples to ensure A... |
| G0010 | Turla | Based on comparison of [Gazer](https://attack.mitre.org/software/S0168) versions, [Turla](https://attack.mitre.org/groups/G0010) made an effort to obf... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to remove indicators of compromise from tools.(Citation: APT3 Adversary Emulation Plan) |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S0237 | GravityRAT | Malware | The author of [GravityRAT](https://attack.mitre.org/software/S0237) submitted samples to VirusTotal for testing, showing that the author modified the ... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) includes a capability to modify the Beacon payload to eliminate known signatures or unpacking... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Find-AVSignature</code> AntivirusBypass module can be used to locate single byte anti-v... |
| S0587 | Penquin | Malware | [Penquin](https://attack.mitre.org/software/S0587) can remove strings from binaries.(Citation: Leonardo Turla Penquin May 2020) |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can make small changes to itself in order to change its checksum and hash value.(Citation: Crowdstri... |
| S0579 | Waterbear | Malware | [Waterbear](https://attack.mitre.org/software/S0579) can scramble functions not to be executed again with random values.(Citation: Trend Micro Waterbe... |
| S0187 | Daserf | Malware | Analysis of [Daserf](https://attack.mitre.org/software/S0187) has shown that it regularly undergoes technical improvements to evade anti-virus detecti... |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) source code used generic variable names and pre-obfuscated strings, and was likely sanitized of de... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET In... |
Frequently Asked Questions
What is T1027.005 (Indicator Removal from Tools)?
T1027.005 is a MITRE ATT&CK technique named 'Indicator Removal from Tools'. It belongs to the Stealth tactic(s). Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the up...
How can T1027.005 be detected?
Detection of T1027.005 (Indicator Removal from Tools) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.005?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1027.005?
Known threat groups using T1027.005 include: UNC3886, Patchwork, Deep Panda, GALLIUM, OilRig, Turla, APT3.