Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification

ID: DET0189
Domains: Enterprise
Analytics: AN0540, AN0541, AN0542
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0540

Detection of known tools or malware flagged by antivirus, followed by a near-term drop of a similar binary with modified signature and resumed activity (execution, C2, or persistence).

Log Sources
Data Component | Name | Channel
Application Log Content (DC0038) | WinEventLog:Application | EventCode=1000-1026
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11

Mutable Elements
Field | Description
AVAlertMessage | Vendor-specific signature string or detection message that can be correlated to threat intel context.
TimeWindow | The time between the AV alert and similar file/process activity (e.g., 5–30 minutes).
FilenameSimilarityThreshold | String or hash similarity thresholds between the original and the modified binary.

AN0541

Detection of anti-malware quarantining or flagging a tool, followed by a new binary written to disk with a similar function or name and a resumed process chain.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | auditd:SYSCALL | execve
Process Modification (DC0020) | auditd:SYSCALL | open, rename
File Metadata (DC0059) | linux:osquery | file_events
Application Log Content (DC0038) | EDR:detection | ThreatDetected, QuarantineLog

Mutable Elements
Field | Description
PathWatchlist | Tunable list of directories often abused for dropped binaries (e.g., /tmp, ~/.cache, /opt/soft/).
ProcessAncestryDepth | Limit on how far up the process tree to trace tool modification behavior for detection.

AN0542

Detection of XProtect or AV quarantining a known tool, followed by modification (file size, hash, string) and subsequent re-execution by the same or related user.

Log Sources
Data Component | Name | Channel
Application Log Content (DC0038) | macos:unifiedlog | quarantine or AV-related subsystem
File Metadata (DC0059) | macos:osquery | file_events

Mutable Elements
Field | Description
BinaryChangeThreshold | File hash delta or binary string diff score used to tolerate renamed/mutated variants.
UserContext | User or group expected to use dev tools; reduces false positives from legitimate repacking.
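All three analytics share one correlation shape: an AV/EDR detection, then a file with a similar name but a different hash written within TimeWindow, then execution of that file. The following is an added example of that logic run over constructed events (not telemetry or code from the ATT&CK project); the event dictionaries, field names and hash values are assumptions chosen for illustration, and FilenameSimilarityThreshold is approximated with difflib's sequence ratio.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample events (not real telemetry): an AV detection, then a
# renamed, re-hashed copy of the same tool dropped and executed minutes later.
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "type": "av_alert",
     "path": r"C:\Users\a\mimikatz.exe", "hash": "aaa111"},
    {"ts": "2025-10-21T10:04:00", "type": "file_create",
     "path": r"C:\Users\a\mimi_katz2.exe", "hash": "bbb222"},
    {"ts": "2025-10-21T10:05:00", "type": "process_create",
     "path": r"C:\Users\a\mimi_katz2.exe", "hash": "bbb222"},
    {"ts": "2025-10-21T12:00:00", "type": "file_create",
     "path": r"C:\Users\a\notes.txt", "hash": "ccc333"},
]

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two file basenames (FilenameSimilarityThreshold)."""
    return SequenceMatcher(None, _basename(a), _basename(b)).ratio()

def _ts(event) -> datetime:
    return datetime.fromisoformat(event["ts"])

def correlate(events, time_window=timedelta(minutes=30), similarity=0.6):
    """Return (alert, dropped_file, execution) triples: an AV alert followed within
    time_window by a similar-named file with a different hash that is then executed."""
    hits = []
    for alert in (e for e in events if e["type"] == "av_alert"):
        t0 = _ts(alert)
        for drop in (e for e in events if e["type"] == "file_create"):
            if not (timedelta(0) <= _ts(drop) - t0 <= time_window):
                continue                       # outside TimeWindow
            if drop["hash"] == alert["hash"]:
                continue                       # identical file, not a modified variant
            if name_similarity(alert["path"], drop["path"]) < similarity:
                continue                       # unrelated filename
            runs = [e for e in events if e["type"] == "process_create"
                    and e["hash"] == drop["hash"]
                    and _ts(drop) <= _ts(e) <= t0 + time_window]
            if runs:                           # resumed activity after modification
                hits.append((alert, drop, runs[0]))
    return hits

if __name__ == "__main__":
    for alert, drop, run in correlate(EVENTS):
        print(f"AV flagged {alert['path']} ({alert['hash']}); variant {drop['path']} "
              f"({drop['hash']}) dropped and executed at {run['ts']}")
```

Raising `similarity` or shrinking `time_window` tunes the analytic toward fewer false positives at the cost of missing more heavily renamed variants.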