MITRE Technique [T1027.005] Obfuscated Files or Information: Indicator Removal from Tools

[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools – Adversaries alter or strip identifiable indicators from their tools after detection to evade future defenses and continue operations undetected. This technique reduces signature-based detections and increases the chances of successful reinfection or lateral movement. #ObfuscatedFiles #DefenseEvasion

Key points

  • Adversaries remove or change file indicators to bypass signature-based defenses and delay detection.
  • Modified tools can evade antivirus, IDS signatures, and static file scanning on endpoints and gateways.
  • Detection relies on behavior and telemetry correlation rather than simple signature matches.
  • Monitor application logs, EDR telemetry, and network IDS for anomalies following initial detections.
  • Use sandboxing, hash-independent indicators, and YARA rules to detect modified variants.

Description:

  • Like a shoplifter swapping price tags to avoid being caught, attackers strip or change recognizable markers from their tools so security systems no longer flag them.
  • Adversaries edit or rebuild tools to remove known indicators (hashes, signatures, identifiable strings). This lets them reuse tools that previously triggered defenses, enabling continued access, persistence, or further stages of an intrusion while reducing detection likelihood.

Detection:

  • Correlate initial antivirus/IDS alerts with subsequent unusual activity using EDR and network telemetry to identify possible indicator removal and reuse.
  • Monitor application logs and execution details (process trees, command-line arguments, parent-child relationships) for unexpected or recurring malicious behavior despite no file-based detections.
  • Use behavioral detection in sandboxes and dynamic analysis to identify modified tools that no longer match static signatures.
  • Implement file integrity monitoring and compare binaries against known-good baselines to spot subtle modifications.
  • Watch for spikes in build or compile activities on hosts, and for tools that perform self-modifying actions or unpacking at runtime.
  • Leverage threat intelligence and YARA rules focused on techniques and code patterns rather than hashes to catch variants.
  • Expect false positives from benign tools that change frequently; tune rules using allowlists and context, and validate alerts with process and network context before escalation.
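As an added illustration of the hash-independent approach in the points above (this is example code, not part of the MITRE entry), the following Python compares a suspect file against a known-tool baseline on three signals: an exact hash match, the presence of a known string indicator, and a byte n-gram similarity score that survives the marker being stripped. The samples are constructed stand-ins, and the n-gram Jaccard score is assumed here as a simple substitute for a fuzzy hash such as ssdeep or TLSH.

```python
"""
Hash-independent check for a modified variant of a known tool.
Samples are constructed stand-ins; the byte n-gram Jaccard score is assumed
here as a simple substitute for a fuzzy hash such as ssdeep or TLSH.
"""
import hashlib
import random


def pseudo_bytes(seed, n):
    """Deterministic filler bytes standing in for code sections."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


MARKER = b"ToolKit v1.0 by eviltools.example"  # constructed string indicator
KNOWN_TOOL = b"\x7fELF\x02\x01\x01" + pseudo_bytes(1, 1024) + MARKER + b"\x00" + pseudo_bytes(2, 512)
KNOWN_HASH = hashlib.sha256(KNOWN_TOOL).hexdigest()  # what a hash-only signature keys on

# Constructed variant: the identifying string is blanked and two bytes patched,
# which changes the hash but leaves almost all code bytes intact.
VARIANT = KNOWN_TOOL.replace(MARKER, b"\x00" * len(MARKER))
VARIANT = VARIANT[:100] + b"\x90\x90" + VARIANT[102:]
UNRELATED = pseudo_bytes(3, 1600)  # constructed benign file for contrast


def ngrams(data, n=8, step=4):
    """Set of n-byte windows sampled every `step` bytes."""
    return {data[i:i + n] for i in range(0, len(data) - n + 1, step)}


def similarity(a, b):
    """Jaccard similarity of the two files' window sets (0.0 .. 1.0)."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb)


def assess(sample, baseline=KNOWN_TOOL, baseline_hash=KNOWN_HASH, marker=MARKER, threshold=0.6):
    """Classify a sample against the baseline using more than its hash."""
    hash_match = hashlib.sha256(sample).hexdigest() == baseline_hash
    sim = similarity(sample, baseline)
    if hash_match:
        verdict = "known-bad: hash match"
    elif sim >= threshold:
        verdict = "suspected modified variant: hash changed, code largely unchanged"
    else:
        verdict = "unrelated to baseline"
    return {"hash_match": hash_match, "marker_present": marker in sample,
            "similarity": round(sim, 3), "verdict": verdict}
```

The variant is what a hash-only or string-only signature misses; the similarity score is the signal that ties it back to the previously detected tool.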

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
Application Log: Application Log Content

Relationship Citations:
(Citation: Cobalt Strike Manual 4.3 November 2020), (Citation: ESET InvisiMole June 2020), (Citation: Leonardo Turla Penquin May 2020), (Citation: Crowdstrike Qakbot October 2020), (Citation: FireEye TEMP.Veles 2018), (Citation: Trend Micro Waterbear December 2019), (Citation: Palo Alto OilRig April 2017), (Citation: CrowdStrike SUNSPOT Implant January 2021), (Citation: ESET Gazer Aug 2017), (Citation: Cybereason Soft Cell June 2019), (Citation: cobaltstrike manual), (Citation: Talos GravityRAT), (Citation: PowerSploit Documentation), (Citation: APT3 Adversary Emulation Plan), (Citation: Symantec Black Vine), (Citation: FoxIT Wocao December 2019), (Citation: GitHub PowerSploit May 2012), (Citation: TrendMicro Patchwork Dec 2017), (Citation: Trend Micro Daserf Nov 2017), (Citation: Cyberint Qakbot May 2021), (Citation: Unit42 OilRig Nov 2018)

Read More: https://attack.mitre.org/techniques/T1027/005