T1027.005: T1027.005

Search IOCs, vulnerabilities, APT…

216.73.216.40

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1027.005
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Indicator Removal from Tools

Platforms

windows macos linux

Description

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

mitre-attack (T1027.005)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (15)

UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Fox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SAMBA SPIDER uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA577 uses

The MITRE Corporation Confidence 100

[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT3 uses Gothic PandaPirpi

The MITRE Corporation Confidence 100

[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Raspberry Robin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ZeroTrace Team uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Deep Panda uses Shell CrewWebMasters

The MITRE Corporation Confidence 100

[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 15

DemoKiller uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Matanbuchus uses

Family
Cobalt Strike uses

Family
DarkGate uses

Family
Waterbear uses
POISONPLUG.SHADOW uses

Family
ABYSSWORKER uses

Family
Mispadu uses

Family
Bumblebee - S1039 uses

Family
AsyncRAT uses

Family
PicassoLoader uses

Family

← Previous

Page / 6

1–12 of 61

Error 524 Decoy: Unmasking a Global Smishing Operation … related

AlienVault Confidence 100 10 MITREs 7 IOCs 7 Observables
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability related

AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 1 IOC 1 Observable
EDR killers explained: Beyond the drivers related

14 MITREs 16 Malwares 15 Observables
Unmasking the Shadow of PoisonPlug's Obfuscator related

20 MITREs 2 Malwares 2 Observables 1 APT
Raspberry Robin Analysis related

2 CVEs 20 MITREs 2 Malwares 126 Observables
Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and... related

18 MITREs 4 Malwares 7 Observables
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed related

1 CVE 16 MITREs 2 Malwares 27 Observables
Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT … related

19 MITREs 1 Malware 77 Observables
Polyfill supply chain attack hits 100K+ sites related

7 MITREs 1 Malware 7 Observables
Warning Against Phishing Emails Prompting Execution of Commands … related

13 MITREs 1 Malware 15 Observables
Excel File Deploys Cobalt Strike at Ukraine related

13 MITREs 2 Malwares 10 Observables
Disrupting FlyingYeti's campaign targeting Ukraine related

1 CVE 10 MITREs 1 Malware 8 Observables 1 APT

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (6)

CVE-2023-38831 KEV targets

7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector: Local
Published: 24/08/2023
Modified: 27/05/2026

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2026-5426 targets

9.1 Critical

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and …

Attack vector: Network
Complexity: Low
EPSS: 0.0005 (P15.4%)
Published: 16/04/2026
Modified: 26/05/2026

CWE-321 Awaiting Analysis

CVE-2021-31969 targets

CVE-2024-26229 targets

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

Attack patterns (MITRE) (1)

T1027 subtechnique-of

Obfuscated Files or Information MITRE

Tool (1)

PowerSploit uses

The MITRE Corporation Confidence 100

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…

Campaign (2)

Triton Safety Instrumented System Attack uses
Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use