T1036.005: Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing their own. This is done to evade defenses and observation. It may be done by placing an executable in a commonly trusted directory (ex: under System32) or by giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, it may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image may be given a name that closely approximates a legitimate program or image, or that simply looks innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

  • mitre_attck_defense_evasion: PT-CR-641: Abnormal_Directory_For_Process: An executable is run from a suspicious directory
  • mitre_attck_defense_evasion: PT-CR-1209: Hijack_Load_Path_Library: Loading of libraries whose path is disguised as a legitimate path and contains "/windows/system32/" is detected
  • mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: Use of an AMSI bypass method is detected
  • mitre_attck_command_and_control: PT-CR-2802: Subrule_SlothfulMedia_Execute_Request: DNS request to a resource used to communicate with the command server of a Trojan from the SlothfulMedia family
  • mitre_attck_command_and_control: PT-CR-2798: SlothfulMedia_Trojan: Targeted attack with a Trojan from the SlothfulMedia family. These events indicate that the system is being used for remote administration. Attackers can use this software for lateral movement and to download sensitive data.
  • unix_mitre_attck_defense_evasion: PT-CR-1072: Unix_Run_Process_From_Home_Directory: A process was started from a user's home directory
  • mitre_attck_execution: PT-CR-1908: Execute_Over_WER_Service: Attackers can exploit a WER service vulnerability that allows an executable file to be spoofed and an attacker's file to be run with system privileges

Detection

ID: DS0007
Data source and component: Image: Image Metadata
Description:

In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names. Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
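The following script is an added example (not part of the original page or of any MITRE or Positive Technologies tooling) that applies the advice above: it treats a container as suspicious when its image name resolves to a repository we trust but the digest actually running is not one we built. The pod records are constructed to mimic the fields of `kubectl get pods -o json` (spec.containers[].image and status.containerStatuses[].imageID); the registry host and every sha256 value are placeholders.

```python
"""Compare container images by digest rather than by name.

Added example, not part of the original page. The pod records below are
constructed to mimic the fields of `kubectl get pods -o json`
(spec.containers[].image and status.containerStatuses[].imageID); the
registry name and all sha256 values are placeholders.
"""
import re

# Digests we built or scanned ourselves, keyed by canonical repository.
# Placeholder values: a real allowlist comes from the CI pipeline or registry.
TRUSTED_DIGESTS = {
    "registry.example.com/payments/api": {"sha256:" + "a" * 64},
    "docker.io/library/nginx":           {"sha256:" + "b" * 64},
}

_DIGEST_RE = re.compile(r"(sha256:[0-9a-f]{64})$")


def canonical_repo(image_ref):
    """'nginx:1.25' -> 'docker.io/library/nginx'; tags and digests dropped.

    Follows Docker's short-name rules: no registry host means docker.io,
    and a single-component name lives under 'library/'."""
    ref = image_ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]                  # a tag, if any, follows the last '/'
    repo = f"{head}/{tail}" if sep else tail
    first = repo.split("/", 1)[0]
    if "/" not in repo:
        return f"docker.io/library/{repo}"
    if "." not in first and ":" not in first and first != "localhost":
        return f"docker.io/{repo}"
    return repo


def digest_of(image_id):
    """Pull the sha256 digest out of containerStatuses[].imageID, which may be
    prefixed with a scheme such as 'docker-pullable://'."""
    m = _DIGEST_RE.search(image_id or "")
    return m.group(1) if m else None


def audit_pods(pods):
    """Return (namespace, pod, container, reason) for every container whose
    image name is one we trust but whose running digest is not on the list."""
    findings = []
    for pod in pods:
        ns, pod_name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        declared = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
        for status in pod.get("status", {}).get("containerStatuses", []):
            cname = status["name"]
            repo = canonical_repo(declared.get(cname, status.get("image", "")))
            trusted = TRUSTED_DIGESTS.get(repo)
            if trusted is None:
                continue        # repo not under this policy; handled elsewhere
            digest = digest_of(status.get("imageID"))
            if digest is None:
                findings.append((ns, pod_name, cname, "no digest recorded"))
            elif digest not in trusted:
                findings.append((ns, pod_name, cname,
                                 f"{repo} running {digest[:19]}... not in allowlist"))
    return findings


# Constructed sample: two pods declare the *same* image name, but only one
# runs the digest we built. The third pulls nginx by short name.
SAMPLE_PODS = [
    {"metadata": {"namespace": "payments", "name": "api-7c9d"},
     "spec": {"containers": [{"name": "api", "image": "registry.example.com/payments/api:1.4.2"}]},
     "status": {"containerStatuses": [{"name": "api",
                "imageID": "registry.example.com/payments/api@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "payments", "name": "api-canary-5f2b"},
     "spec": {"containers": [{"name": "api", "image": "registry.example.com/payments/api:1.4.2"}]},
     "status": {"containerStatuses": [{"name": "api",
                "imageID": "registry.example.com/payments/api@sha256:" + "c" * 64}]}},
    {"metadata": {"namespace": "ingress", "name": "nginx-0"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]},
     "status": {"containerStatuses": [{"name": "nginx",
                "imageID": "docker-pullable://nginx@sha256:" + "b" * 64}]}},
    {"metadata": {"namespace": "tools", "name": "scanner-1"},
     "spec": {"containers": [{"name": "scan", "image": "quay.io/acme/scanner:3"}]},
     "status": {"containerStatuses": [{"name": "scan", "imageID": ""}]}},
]

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_PODS):
        print(finding)
```

The name normalisation matters: `nginx:1.25` and `docker.io/library/nginx:1.25` are the same image, and an allowlist keyed by the raw string would silently miss one of them. Feed the script the output of `kubectl get pods -A -o json` (the `items` array) and schedule it alongside your admission policy; a digest that is missing from the status, not just one that mismatches, is worth a look as well.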

ID: DS0022
Data source and component: File: File Metadata
Description:

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

ID: DS0009
Data source and component: Process: Process Metadata
Description:

Comparing the on-disk file name of a binary with the names stored in its version resource (InternalName, OriginalFilename, and/or ProductName) can provide useful leads, but a mismatch is not always indicative of malicious activity.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes whose name or location matches or approximates that of a legitimate file or resource. This analytic looks for mismatches between process names and their image paths. Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc.). There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

Note: With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.
  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive): C:\Users\administrator\svchost.exe

To make sure the rule does not miss cases where the executable is started from a sub-folder of these locations, the rule compares the full process path rather than a directory prefix. The path below should therefore be considered suspicious: C:\Windows\System32\srv\svchost.exe

Analytic 1 - Common Windows Process Masquerading

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (
  (Image="*svchost.exe" AND image_path!="C:\Windows\System32\svchost.exe" AND image_path!="C:\Windows\SysWow64\svchost.exe") OR
  (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR
  (Image="*wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR
  (Image="*taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR
  (Image="*lsass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR
  (Image="*winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR
  (Image="*csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR
  (Image="*services.exe" AND image_path!="C:\Windows\System32\services.exe") OR
  (Image="*lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR
  (Image="*explorer.exe" AND image_path!="C:\Windows\explorer.exe")
)

The two svchost.exe path conditions must be joined with AND, because the binary legitimately lives in both System32 and SysWow64; joined with OR, every svchost.exe event would match. The source clause is parenthesised as a unit so that the EventCode filter applies to both logs. The raw field names differ between sources (Sysmon's Image holds the full path, while the Security log records it in New_Process_Name), so normalise them into one image_path field before applying the conditions.
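The same logic as a standalone check, added here as an example and not part of the original analytic or of any Positive Technologies rule. It covers the File Metadata guidance above as well (a watched name at the right path but with a hash outside the baseline is flagged too, using Sysmon's Hashes field). The event records are constructed to resemble Sysmon EventCode 1 and Security EventCode 4688 after field extraction; the SHA-256 values in KNOWN_GOOD are placeholders, not real hashes of Windows binaries, and the directory list mirrors the analytic and should be tuned to the environment.

```python
"""Process-masquerading check over Sysmon / Security process-creation events.

Added example, not part of the original analytic. Event records are
constructed to resemble Sysmon EventCode 1 and Security EventCode 4688 after
field extraction; the SHA-256 values in KNOWN_GOOD are placeholders.
"""
import ntpath

# Directories from which each watched name may legitimately run (mirrors the
# analytic above; tune for your environment). Lower-case, no trailing slash.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "smss.exe":     {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsm.exe":      {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Placeholder SHA-256 baseline per file name; in practice, taken from a
# golden image or the vendor catalogue, never from the host being checked.
KNOWN_GOOD = {
    "svchost.exe": {"A" * 64},
    "lsass.exe":   {"B" * 64},
}


def image_path(event):
    """Full executable path, whichever log produced the event."""
    if event.get("EventCode") == 1:       # Sysmon: Image
        return event.get("Image", "")
    if event.get("EventCode") == 4688:    # Security log: New_Process_Name
        return event.get("New_Process_Name", "")
    return ""


def sha256_of(event):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; 4688 has none."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def check_event(event):
    """Return (normalised path, reason) for a suspicious event, else None."""
    path = ntpath.normpath(image_path(event))   # collapses '..' and '/'
    directory, name = ntpath.split(path)
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return None
    # Exact directory match: System32\srv\svchost.exe is not System32.
    if directory.lower().rstrip("\\") not in EXPECTED_DIRS[name]:
        return (path, "unexpected directory")
    digest = sha256_of(event)
    if digest and name in KNOWN_GOOD and digest not in KNOWN_GOOD[name]:
        return (path, "hash not in baseline")
    return None


def find_masquerades(events):
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=" + "A" * 64},
    {"EventCode": 1, "Image": r"C:\Windows\SysWOW64\svchost.exe", "Hashes": "MD5=0123,SHA256=" + "a" * 64},
    {"EventCode": 1, "Image": r"C:\Users\administrator\svchost.exe", "Hashes": "SHA256=" + "A" * 64},
    {"EventCode": 1, "Image": r"C:\Windows\System32\srv\svchost.exe", "Hashes": "SHA256=" + "C" * 64},
    {"EventCode": 4688, "New_Process_Name": r"C:\Windows\Temp\lsass.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\lsass.exe", "Hashes": "SHA256=" + "D" * 64},
    {"EventCode": 1, "Image": r"C:\Windows\System32\..\Temp\smss.exe"},
    {"EventCode": 4688, "New_Process_Name": r"C:\Windows\explorer.exe"},
    {"EventCode": 1, "Image": r"C:\Program Files\Vendor\tool.exe"},
]

if __name__ == "__main__":
    for path, reason in find_masquerades(SAMPLE_EVENTS):
        print(f"{reason:22} {path}")
```

Two details carry most of the value: the directory is compared for equality rather than as a prefix, so the sub-folder case from the text is caught, and the path is normalised first, so a spelling such as C:\Windows\System32\..\Temp\smss.exe cannot slip past a string comparison against the System32 prefix. The hash step catches the opposite trick, a replaced binary at the correct path, which the path-only analytic cannot see.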

Mitigation

ID: M1022
Name: Restrict File and Directory Permissions
Description:

Use file system access controls to protect folders such as C:\Windows\System32.

ID: M1038
Name: Execution Prevention
Description:

Use application control tools that restrict program execution by attributes other than file name (for example, publisher signature or file hash) for the common operating system utilities that are needed.

ID: M1045
Name: Code Signing
Description:

Require signed binaries and images.