1. Home
  2. ATT&CK Techniques
  3. T1027.005 Indicator Removal from Tools

T1027.005 Indicator Removal from Tools

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1027.005 Indicator Removal from Tools
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1027.005 Indicator Removal from Tools
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1027.005 Indicator Removal from Tools
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data. related-to T1027.005 Indicator Removal from Tools
action.social.vector.Email Email related-to T1027.005 Indicator Removal from Tools
action.social.vector.Social media Social media or networking related-to T1027.005 Indicator Removal from Tools

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1027.005 Indicator Removal from Tools
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction