MITRE ATT&CK Technique
Defense Evasion T1066
Description

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version, which is no longer detected by the target's defensive systems or by those of subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.

Supported Platforms
Linux, macOS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:54.176Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'If a malicious tool is detected and quarantined or otherwise '
                'curtailed, an adversary may be able to determine why the '
                'malicious tool was detected (the indicator), modify the tool '
                'by removing the indicator, and use the updated version that '
                "is no longer detected by the target's defensive systems or "
                'subsequent targets that may use similar systems.\n'
                '\n'
                'A good example of this is when malware is detected with a '
                'file signature and quarantined by anti-virus software. An '
                'adversary who can determine that the malware was quarantined '
                'because of its file signature may use [Software '
                'Packing](https://attack.mitre.org/techniques/T1045) or '
                'otherwise modify the file so it has a different signature, '
                'and then re-use the malware.',
 'external_references': [{'external_id': 'T1066',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1066'}],
 'id': 'attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:19.377Z',
 'name': 'Indicator Removal from Tools',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}