MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1036: Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-1477: Run_Executable_File_without_Meta: A user ran a process executable with missing metainfo
mitre_attck_defense_evasion: PT-CR-647: Run_Masquerading_Executable_File: A user started a process executable without an extension

Detection

ID: DS0009
Data source and component: Process: Process Metadata
Description:

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata; this is a likely indicator that a binary was renamed after it was compiled.

ID: DS0019
Data source and component: Service: Service Metadata
Description:

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

ID: DS0007
Data source and component: Image: Image Metadata
Description:

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity.
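The check described by the Process Metadata and Image Metadata entries above, as an added example that is not part of the original page or of MaxPatrol SIEM: it reads the OriginalFilename value from a binary's version resource with a byte-pattern heuristic (it does not walk the PE resource tree) and compares it with the on-disk name. The SAMPLE_RENAMED blob is constructed here so the code runs offline.

```python
import struct
from typing import Optional

# UTF-16LE key as it appears in a VS_VERSIONINFO String entry, plus its terminator.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\0\0"


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry (wLength, wValueLength, wType, szKey,
    padding to a 4-byte boundary, Value). Used only to construct the sample below."""
    key_b = key.encode("utf-16-le") + b"\0\0"
    val_b = value.encode("utf-16-le") + b"\0\0"
    pad = b"\0" * ((4 - (6 + len(key_b)) % 4) % 4)
    body = key_b + pad + val_b
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed sample: a PE-like blob whose version resource says "whoami.exe".
SAMPLE_RENAMED = (b"MZ" + b"\x90" * 62
                  + _string_entry("CompanyName", "Contoso")
                  + _string_entry("OriginalFilename", "whoami.exe")
                  + b"\0" * 16)


def extract_original_filename(data: bytes) -> Optional[str]:
    """Heuristic: find the UTF-16LE 'OriginalFilename' key and read the
    null-terminated UTF-16LE value that follows it. Because it does not parse
    the PE headers it also works on carved or truncated images."""
    idx = data.find(_KEY)
    if idx < 0:
        return None
    pos = idx + len(_KEY)
    while pos + 1 < len(data) and data[pos:pos + 2] == b"\0\0":
        pos += 2                      # skip alignment padding before Value
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
        end += 2                      # advance to the UTF-16 terminator
    return data[pos:end].decode("utf-16-le", errors="replace") or None


def name_mismatch(disk_name: str, data: bytes) -> bool:
    """True when the on-disk name differs from the compiled-in OriginalFilename,
    the condition the Process Metadata / Image Metadata entries describe."""
    original = extract_original_filename(data)
    if original is None:
        return False   # no version info to compare (the PT-CR-1477 case instead)
    return disk_name.lower() != original.lower()
```

A mismatch is a lead, not a verdict: legitimately renamed installers and some packers produce the same signal, so correlate with the run location and signature checks below.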

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")
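Analytic 1 expressed as detection logic over sample events, added here as an example that is not part of the original page or of MaxPatrol SIEM. The ENV mapping stands in for the per-endpoint %windir% and %systemroot% values the text says must be substituted, and the EVENTS lines are constructed key=value renderings of Sysmon Event ID 1 and Security 4688 records.

```python
import re
from typing import Dict, List

# Endpoint-specific expansion of the variables used in Analytic 1 (assumed values).
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# Path prefixes from Analytic 1; a leading ':' stands for "any drive letter".
PATTERNS = [r":\RECYCLER", r":\SystemVolumeInformation", r"%windir%\Tasks", r"%systemroot%\debug"]

# Constructed sample events in key=value form (Sysmon EID 1 and Security 4688).
EVENTS = [
    r"source=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image=C:\Windows\System32\svchost.exe",
    r"source=WinEventLog:Security EventCode=4688 Image=D:\RECYCLER\S-1-5-21-1\svchost.exe",
    r"source=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image=C:\Windows\Tasks\update.exe",
    r"source=WinEventLog:Security EventCode=4688 Image=c:\windows\debug\wia\dllhost.exe",
    r"source=WinEventLog:Security EventCode=4624 Image=C:\RECYCLER\x.exe",  # logon event, not process creation
]


def compile_patterns(patterns: List[str], env: Dict[str, str]) -> List[re.Pattern]:
    """Expand the environment variables and turn each prefix into a case-insensitive regex."""
    out = []
    for p in patterns:
        for var, val in env.items():
            p = p.replace(var, val)
        prefix = "^[A-Za-z]" if p.startswith(":") else "^"
        out.append(re.compile(prefix + re.escape(p), re.IGNORECASE))
    return out


def parse_event(line: str) -> Dict[str, str]:
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_process_creation(ev: Dict[str, str]) -> bool:
    src, code = ev.get("source"), ev.get("EventCode")
    return (src == "WinEventLog:Microsoft-Windows-Sysmon/Operational" and code == "1") or \
           (src == "WinEventLog:Security" and code == "4688")


def suspicious_run_locations(lines: List[str], env: Dict[str, str] = ENV) -> List[str]:
    """Returns the Image paths of process-creation events started from the
    directories Analytic 1 names (prefix match, case-insensitive like NTFS)."""
    pats = compile_patterns(PATTERNS, env)
    return [ev["Image"] for ev in map(parse_event, lines)
            if is_process_creation(ev) and any(p.match(ev.get("Image", "")) for p in pats)]
```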

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Masquerading.

ID: DS0003
Data source and component: Scheduled Job: Scheduled Job Metadata
Description:

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron and provide the metadata included when executing the command.

ID: DS0003
Data source and component: Scheduled Job: Scheduled Job Modification
Description:

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.

ID: DS0019
Data source and component: Service: Service Creation
Description:

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

ID: DS0022
Data source and component: File: File Metadata
Description:

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character "\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation. In Linux, the file command may be used to check the file signature.
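The File Metadata checks above, added here as an example that is not part of the original page or of MaxPatrol SIEM: name-level tricks (trailing space, right-to-left override and similar characters, a missing extension as in PT-CR-647) and a reduced form of the magic-bytes check that the Linux file command performs. It goes slightly beyond the text by also flagging a document extension hidden before the real executable extension; the format table and the sample names are constructed for this example.

```python
from typing import List

# Leading bytes for a few common formats and the extensions that should carry them
# (the idea behind the `file` command, reduced to a small lookup table).
_MAGIC = {
    b"MZ": {".exe", ".dll", ".scr", ".sys", ".com"},
    b"%PDF": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
    b"\x7fELF": {".so", ".elf", ""},
}
# Bidirectional-override and zero-width code points used to disguise extensions.
_BIDI = {"\u202e": "RLO", "\u202d": "LRO", "\u202b": "RLE", "\u200b": "ZWSP"}
_EXEC = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
_DOC = {"pdf", "docx", "xlsx", "txt", "jpg", "png"}


def check_filename(name: str) -> List[str]:
    """Name-only checks: trailing space, bidi characters, no extension at all
    (cf. PT-CR-647) and a document extension hiding before the real one."""
    findings = []
    if name != name.rstrip(" "):
        findings.append("trailing space")
    for ch, label in _BIDI.items():
        if ch in name:
            findings.append(f"{label} character")
    parts = name.rstrip(" ").lower().split(".")
    if len(parts) == 1:
        findings.append("no extension")
    elif len(parts) > 2 and parts[-1] in _EXEC and parts[-2] in _DOC:
        findings.append("double extension")
    return findings


def check_magic(name: str, header: bytes) -> List[str]:
    """Content check: the leading bytes must agree with the real (last) extension."""
    clean = name.rstrip(" ").lower()
    ext = "." + clean.rsplit(".", 1)[-1] if "." in clean else ""
    for magic, exts in _MAGIC.items():
        if header.startswith(magic):
            return [] if ext in exts else [f"header {magic!r} does not match extension {ext or '<none>'}"]
    return []   # unknown format: nothing to compare against


def assess(name: str, header: bytes) -> List[str]:
    """Combined verdict for one file: an empty list means no masquerading indicator."""
    return check_filename(name) + check_magic(name, header)
```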

Mitigation

ID: M1045
Name: Code Signing
Description:

Require signed binaries.

ID: M1017
Name: User Training
Description:

Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).

ID: M1022
Name: Restrict File and Directory Permissions
Description:

Use file system access controls to protect folders such as C:\Windows\System32.

ID: M1049
Name: Antivirus/Antimalware
Description:

Anti-virus can be used to automatically quarantine suspicious files.

ID: M1038
Name: Execution Prevention
Description:

Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.