T1036: Masquerading
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-1477: Run_Executable_File_without_Meta: A user ran a process executable with missing metainfo
mitre_attck_defense_evasion: PT-CR-647: Run_Masquerading_Executable_File: A user started a process executable without an extension
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Metadata | Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata; this is a likely indicator that a binary was renamed after it was compiled. |
| DS0019 | Service: Service Metadata | Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| DS0007 | Image: Image Metadata | Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints. Analytic 1 - Suspicious Run Locations |
| DS0009 | Process: OS API Execution | Monitor for API calls such as |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Masquerading. |
| DS0003 | Scheduled Job: Scheduled Job Metadata | Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML). On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provide the metadata included when executing the command. |
| DS0003 | Scheduled Job: Scheduled Job Modification | Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
| DS0022 | File: File Modification | Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading. |
| DS0019 | Service: Service Creation | Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
| DS0022 | File: File Metadata | Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character "\u202E", "[U+202E]", and "%E2%80%AE". Check and ensure that file headers/signatures and extensions match using magic-bytes detection and/or file signature validation. In Linux, the |
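An added example, not part of this page or of the MaxPatrol SIEM rules, that implements three of the checks from the detection table above in Python: right-to-left override or trailing-space characters in a file name, a file header (magic bytes) that does not match the extension, and a well-known system binary name executing from an unexpected directory. The magic-byte table, the assumed %systemroot% of C:\Windows, the list of system binaries and the sample paths are all constructed for the demo.

```python
from pathlib import PureWindowsPath

# Small illustrative subset of file-signature ("magic bytes") to extension pairs.
MAGIC = {
    b"MZ": {".exe", ".dll", ".scr", ".sys"},
    b"%PDF": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
}
# Assumption: %systemroot% is C:\Windows; these core binaries live in System32/SysWOW64.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def header_matches_extension(name: str, header: bytes):
    """True/False when the header is a known format; None when the format is unknown."""
    ext = PureWindowsPath(name).suffix.lower()
    for magic, exts in MAGIC.items():
        if header.startswith(magic):
            return ext in exts
    return None


def assess_file(image_path: str, header: bytes) -> list:
    """Return the masquerading indicators found for one file (empty list = none seen)."""
    p = PureWindowsPath(image_path)
    name = p.name
    reasons = []
    # U+202E reverses the displayed order: "invoice\u202Efdp.exe" renders as
    # "invoiceexe.pdf" while the real extension stays .exe.
    if "\u202e" in name:
        reasons.append("right-to-left override (U+202E) in file name")
    if name.endswith(" "):
        reasons.append("file name ends with a space")
    if header_matches_extension(name, header) is False:
        reasons.append(f"header {header[:4]!r} does not match extension {p.suffix!r}")
    # Known system binary name executing outside its expected directory.
    if name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS:
        reasons.append(f"system binary name running from {p.parent}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: (image path, first bytes of the file on disk).
    samples = [
        (r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00"),
        (r"C:\Users\Public\svchost.exe", b"MZ\x90\x00"),
        ("C:\\Users\\bob\\Downloads\\invoice\u202efdp.exe", b"MZ\x90\x00"),
        (r"C:\Users\bob\Downloads\report.pdf", b"MZ\x90\x00"),
    ]
    for path, head in samples:
        print(path, "->", assess_file(path, head) or "clean")
```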
Mitigation
| ID | Name | Description |
|---|---|---|
| M1045 | Code Signing | Require signed binaries. |
| M1017 | User Training | Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks. |
| M1040 | Behavior Prevention on Endpoint | Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures). |
| M1022 | Restrict File and Directory Permissions | Use file system access controls to protect folders such as C:\Windows\System32. |
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
| M1038 | Execution Prevention | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |