T1036.004: Masquerade Task or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-344: Scheduled_Task_Manipulation: A user created, updated, or deleted a scheduled task mitre_attck_execution: PT-CR-342: Schtasks_Commandline: A scheduled task was managed using the command line or PowerShell mitre_attck_cred_access: PT-CR-1363: Masky_Tool_Usage: The use of the Masky tool is detected. Masky tool is designed to obtain NT hashes and TGT of users working on attacked hosts in order to request certificates on their behalf.

Detection

ID	DS0019	Data source and component	Service: Service Metadata	Description	Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types

ID	DS0003	Data source and component	Scheduled Job: Scheduled Job Modification	Description	Monitor for changes made to scheduled jobs for unexpected modifications to execution launch

ID	DS0019	Data source and component	Service: Service Creation	Description	Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

ID	DS0003	Data source and component	Scheduled Job: Scheduled Job Metadata	Description	Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

ID	Data source and component	Description
DS0019	Service: Service Metadata	Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types
DS0003	Scheduled Job: Scheduled Job Modification	Monitor for changes made to scheduled jobs for unexpected modifications to execution launch
DS0019	Service: Service Creation	Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.
DS0003	Scheduled Job: Scheduled Job Metadata	Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.