T1036.005: Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-1908: Execute_Over_WER_Service: Attackers can exploit a WER service vulnerability that allows spoofing an executable file and running an attackers' file with system privileges mitre_attck_defense_evasion: PT-CR-1209: Hijack_Load_Path_Library: Loading of libraries whose path is disguised as a legitimate path and contains "/windows/system32/" is detected mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected mitre_attck_defense_evasion: PT-CR-641: Abnormal_Directory_For_Process: An executable is run from a suspicious directory unix_mitre_attck_defense_evasion: PT-CR-1072: Unix_Run_Process_From_Home_Directory: A process was started from user's home directory

Detection

ID	DS0022	Data source and component	File: File Metadata	Description	Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc). There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only. Note: With process monitoring, hunt for processes matching these criteria: process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc. process path is not C:\Windows\System32\ or C:\Windows\SysWow64\ Examples (true positive): C:\Users\administrator\svchost.exe To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe Analytic 1 - Common Windows Process Masquerading (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")

ID	DS0007	Data source and component	Image: Image Metadata	Description	In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names. Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.

ID	DS0009	Data source and component	Process: Process Metadata	Description	Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

ID	Data source and component	Description
DS0022	File: File Metadata	Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
DS0009	Process: Process Creation	Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc). There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only. Note: With process monitoring, hunt for processes matching these criteria: process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc. process path is not C:\Windows\System32\ or C:\Windows\SysWow64\ Examples (true positive): C:\Users\administrator\svchost.exe To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe Analytic 1 - Common Windows Process Masquerading (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")
DS0007	Image: Image Metadata	In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names. Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
DS0009	Process: Process Metadata	Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Use file system access controls to protect folders such as C:\Windows\System32.

ID	M1038	Name	Execution Prevention	Description	Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.

ID	M1045	Name	Code Signing	Description	Require signed binaries and images.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Use file system access controls to protect folders such as C:\Windows\System32.
M1038	Execution Prevention	Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
M1045	Code Signing	Require signed binaries and images.