Register to stream ATT&CKcon 2.0 October 29-30

Indicator Removal from Tools

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so it has a different signature, and then re-use the malware.

ID: T1066
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Data Sources: Process use of network, Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata
Defense Bypassed: Log analysis, Host intrusion prevention systems, Anti-virus
Version: 1.0

Procedure Examples

Name Description
APT3 APT3 has been known to remove indicators of compromise from tools. [11]
Cobalt Strike Cobalt Strike includes a capability to modify the "beacon" payload to eliminate known signatures or unpacking methods. [1]
Daserf Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection. [5]
Deep Panda Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. [6]
GravityRAT The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document. [4]
OilRig OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion. [8] [9]
Patchwork Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes. [7]
PowerSploit PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures. [2] [3]
Soft Cell Soft Cell ensured each payload had a unique hash, including by using different types of packers. [13]
TEMP.Veles TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates. [12]
Turla Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. [10]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.