detection.wiki

ATT&CK coverage › Technique

Obfuscated Files or Information: Indicator Removal from Tools T1027.005

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

Events covered

5 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4656A handle to an object was requested.
Security-Auditing4658The handle to an object was closed.
Security-Auditing4663An attempt was made to access an object.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 6 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image3ends_with 3\powershell.exe, \pwsh.exe, \DefenderCheck.exe, \rcedit-x64.exe, \rcedit-x86.exe
CommandLine2match 2( $env:Public[13]+$env:Public[5]+'x'), join*split, ( $ShellId[1]+$ShellId[13]+'x'), ProductVersion, CompanyName
Description2eq 2DefenderCheck, Edit resources of exe
ScriptBlockText2eq 2"*Threading.Mutex*", "*Enable-WindowsOptionalFeature*", "*SMB1Protocol*"
EventID2eq 24104
OriginalFileName1eq 1PowerShell.EXE, pwsh.dll
ObjectName1ends_with 1.AAA, .ZZZ
Product1eq 1rcedit

Top indicator values (29 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDeq41042108
CommandLinematch( $ShellId[1]+$ShellId[13]+'x')1
Imageends_with\powershell.exe1143
Imageends_with\pwsh.exe1140
OriginalFileNameeqPowerShell.EXE164
CommandLinematch[1,3]+'x'-Join'')1
CommandLinematchjoin*split1
CommandLinematch( $env:ComSpec[4,*,25]-Join'')1
CommandLinematch( $PSHome[*]+$PSHOME[*]+1
CommandLinematch( $env:Public[13]+$env:Public[5]+'x')1
OriginalFileNameeqpwsh.dll172
ObjectNameends_with.ZZZ1
ObjectNameends_with.AAA1
DescriptioneqDefenderCheck1
Imageends_with\DefenderCheck.exe1
CommandLinematchLegalCopyright1
Imageends_with\rcedit-x86.exe1
CommandLinematchProductName1
DescriptioneqEdit resources of exe1
CommandLinematchOriginalFileName1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Splunk 2 rules