Obfuscated Files or Information: Indicator Removal from Tools

Other sub-techniques of Obfuscated Files or Information (17)

ID	Name
ATAGS-T1104.001	Binary Padding
ATAGS-T1104.002	Command Obfuscation
ATAGS-T1104.003	Compile After Delivery
ATAGS-T1104.004	Compression
ATAGS-T1104.005	Dynamic API Resolution
ATAGS-T1104.006	Embedded Payloads
ATAGS-T1104.007	Encrypted/Encoded File
ATAGS-T1104.008	Fileless Storage
ATAGS-T1104.009	HTML Smuggling
ATAGS-T1104.010	Indicator Removal from Tools
ATAGS-T1104.011	Junk Code Insertion
ATAGS-T1104.012	LNK Icon Smuggling
ATAGS-T1104.013	Polymorphic Code
ATAGS-T1104.014	Software Packing
ATAGS-T1104.015	Steganography
ATAGS-T1104.016	Stripped Payloads
ATAGS-T1104.017	SVG Smuggling

Threat Actors may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

ID: ATAGS-T1104.010

Sub-technique of: ATAGS-T1104

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.