Indicator Removal from Tools - veramine/Detections GitHub Wiki
If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use Software Packing or otherwise modify the file so it has a different signature, and then re-use the malware. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1066.
One of the strengths of the Veramine platform is its ability to hunt for related activity based on an initial detection of attacker activity. In just a few clicks, the Veramine portal can display all activity during a time period known to be a period of attacker activity, all processes launched by a user account known to be compromised, all binaries matching certain metadata, or all processes having whatever characteristics the attacker previously used.

The Veramine platform becomes even more useful if a defender takes the additional time to perform an in-depth investigation of the initial artifact detected as attacker activity and finds an attack invariant that is less likely to change from one modification of the tool to the next (a string, a mutex name, or a code sequence the tool needs in order to function, rather than a file hash that any repacking changes). Defenders who discover such an invariant can craft a Yara signature to match it, and we plan to soon release a Veramine platform feature that searches every process's memory for any pattern matching an arbitrary Yara expression. In the future, the Veramine platform will also be able to quickly and easily perform a Yara search across any binary that has been loaded by any process on any host where the Veramine sensor is installed. These searches are defined and executed in an ad-hoc manner by the defender and are limited only by the defender's creativity and by the bounds of the Yara language. Attackers will not know which searches are being performed or when they are being performed, so a tool that has been modified to evade the original detection but still carries the invariant remains findable.
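As an added illustration of the two detection strategies discussed above (a file-hash signature, which software packing or any other byte-level change defeats, versus a Yara-style rule on an attack invariant, which survives such changes and can still be found in process memory once a packer stub has run), the following Python example is not Veramine code and does not use the Veramine platform. The sample "tool", its C2 hostname, mutex name and prologue bytes are constructed stand-ins, the XOR packer is a toy simplification of real packing, and the small rule evaluator implements only the subset of Yara semantics used here (text strings, hex strings with `??` wildcards, an "N of them" condition). The equivalent real Yara rule text is included for reference.

```python
"""Hash-based detection vs. invariant-based (Yara-style) detection.

Added example; not Veramine code. Every sample byte string is constructed.
"""
import hashlib
import re

# --- Constructed sample tool (not a real malware sample) ------------------
# Hypothetical invariants an investigator might pull out of a detected tool.
C2_HOST = b"beacon.example.invalid\x00"             # assumed C2 hostname
MUTEX = b"Global\\MsUpdateMutex_7f\x00"             # assumed mutex name
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08"  # push ebp; mov ebp,esp; sub esp,0x10; mov eax,[ebp+8]

ORIGINAL_TOOL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + PROLOGUE + b"\x00" * 16
    + C2_HOST + MUTEX + b"\x00" * 64
)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature-style detection: a block list of file hashes (what the page calls a
# "file signature"). Any single byte change to the file defeats it.
HASH_BLOCKLIST = {sha256(ORIGINAL_TOOL)}

def hash_detect(data: bytes) -> bool:
    return sha256(data) in HASH_BLOCKLIST

# --- A tiny Yara-style rule: strings plus an "N of them" condition --------
# Real Yara syntax for the same rule, for reference only (not executed here):
YARA_RULE_TEXT = r'''
rule hypothetical_tool_invariants
{
    strings:
        $host     = "beacon.example.invalid"
        $mutex    = "Global\\MsUpdateMutex_7f"
        $prologue = { 55 8B EC 83 EC ?? 8B 45 08 }
    condition:
        2 of them
}
'''

RULE = {
    "name": "hypothetical_tool_invariants",
    "strings": {
        "$host": b"beacon.example.invalid",
        "$mutex": b"Global\\MsUpdateMutex_7f",
        "$prologue": "55 8B EC 83 EC ?? 8B 45 08",  # hex string; ?? = any byte
    },
    "min_matches": 2,  # "2 of them"
}

def compile_pattern(spec):
    """Turn a literal byte string or a Yara hex string (?? wildcards) into a regex."""
    if isinstance(spec, bytes):
        return re.compile(re.escape(spec), re.DOTALL)
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def yara_like_scan(rule, data):
    """Return the identifiers of the rule's strings that occur in data."""
    return [name for name, spec in rule["strings"].items() if compile_pattern(spec).search(data)]

def rule_fires(rule, data):
    """The rule fires when at least min_matches of its strings are present."""
    return len(yara_like_scan(rule, data)) >= rule["min_matches"]

# --- Attacker-side indicator removal --------------------------------------
def append_padding(data, n=32):
    """Cheapest indicator removal: change the hash without touching any code."""
    return data + b"\x00" * n

def retune_prologue(data):
    """Rebuild with a different frame size (sub esp,0x10 -> sub esp,0x20)."""
    return data.replace(PROLOGUE, PROLOGUE.replace(b"\x83\xec\x10", b"\x83\xec\x20"))

def pack(data, key=0x5A):
    """Toy packer: XOR the body behind a stub marker. On disk the strings are
    gone; once the stub runs, the decoded body sits in process memory."""
    return b"STUB" + bytes(b ^ key for b in data)

def unpack(packed, key=0x5A):
    """What a process-memory scan sees after the packer stub has run."""
    return bytes(b ^ key for b in packed[4:])

def compare(variants):
    """Map variant name -> (hash_detect result, invariant rule result)."""
    return {name: (hash_detect(d), rule_fires(RULE, d)) for name, d in variants.items()}

if __name__ == "__main__":
    variants = {
        "original (disk)": ORIGINAL_TOOL,
        "padded (disk)": append_padding(ORIGINAL_TOOL),
        "retuned (disk)": retune_prologue(ORIGINAL_TOOL),
        "packed (disk)": pack(ORIGINAL_TOOL),
        "packed (memory)": unpack(pack(ORIGINAL_TOOL)),
    }
    for name, (h, y) in compare(variants).items():
        print(f"{name:17s} hash_detect={h!s:5} invariant_rule={y}")
```

Running the script shows the pattern the page describes: the hash blocklist catches only the untouched original, the invariant rule keeps firing on the padded and retuned variants, and the packed file is invisible to both on disk but matches the invariant rule again once the unpacked body is examined in memory, which is why a memory-side Yara search is worth more than a disk-side one against a tool that has been repacked. In a real deployment the `YARA_RULE_TEXT` would be handed to yara or yara-python with the invariants replaced by those found in your own investigation; the hash blocklist can stay in place alongside it.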
The screenshot below shows the current "Process Search" interface, which matches against the process metadata stored server-side in Elasticsearch.