T1036: Masquerading
View on MITRE ATT&CK | T1036
---|---
Tactic(s) | Defense Evasion
Associated CAPEC Patterns | Create files with the same name as files protected with a higher classification (CAPEC-177)
Data from MITRE ATT&CK®:
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site) Masquerading may also include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
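The description above singles out two masquerading patterns that process-creation telemetry can expose: a renamed system utility, and a file that carries a legitimate system-binary name but runs from an unexpected location. The following is an added example, not part of the MITRE page or the threat-graph site, showing how a defender would check both over process-creation events of the kind Sysmon Event ID 1 records. The log format (key=value pairs separated by "|"), the sample events, the list of system binaries and the expected directories are all constructed assumptions for this example; the field names Image, OriginalFileName and ParentImage mirror Sysmon's.

```python
"""Two masquerading checks over process-creation events (added example).

Assumptions (constructed for this example, not from the MITRE page):
- one event per line, fields as key=value pairs separated by '|';
- Image / OriginalFileName / ParentImage follow Sysmon Event ID 1 naming;
- an OriginalFileName of '-' or '?' means the PE version info was absent.
"""
from pathlib import PureWindowsPath

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe|OriginalFileName=svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe|OriginalFileName=svchost.exe|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Users\\alice\\Downloads\\update.exe|OriginalFileName=plink.exe|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Program Files\\Vendor\\tool.exe|OriginalFileName=-|ParentImage=C:\\Windows\\explorer.exe
"""

# Windows binaries that should only ever start from the system directories
# (assumed list for the example; a real deployment would tune it).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe",
                   "winlogon.exe", "smss.exe", "services.exe", "explorer.exe"}
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}


def parse_event(line: str) -> dict:
    """Turn 'k=v|k=v' into a dict; a missing '=' leaves the field out."""
    event = {}
    for field in line.strip().split("|"):
        if "=" in field:
            key, value = field.split("=", 1)
            event[key] = value
    return event


def check_event(event: dict) -> list:
    """Return finding labels for one event (empty list when nothing matches)."""
    findings = []
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    parent = str(image.parent).lower()

    # Renamed utility: the PE's compiled-in name disagrees with the file name
    # it is running under (e.g. plink.exe shipped as update.exe).
    original = event.get("OriginalFileName", "")
    if original and original not in ("-", "?") and original.lower() != name:
        findings.append("renamed_binary")

    # Location anomaly: a well-known system binary name started from a
    # directory where the real binary never lives (e.g. a user's Temp dir).
    if name in SYSTEM_BINARIES and parent not in EXPECTED_DIRS:
        findings.append("system_binary_uncommon_location")

    return findings


def scan(log_text: str) -> list:
    """Return (Image, findings) for every event that produced a finding."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = check_event(event)
        if findings:
            results.append((event.get("Image", ""), findings))
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(findings)}")
```

The renamed-binary check is only as good as the version-information field the sensor exposes; a binary whose resource section was stripped or edited (the "PE Metadata Tamper" Sigma rule listed further down covers that case) will carry no usable OriginalFileName, which is why the code treats "-" and "?" as unknown rather than as a mismatch.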
Reporting on this Technique
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
ANALYSIS OF THE APT31 INDICTMENT
Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
How to detect this technique
MITRE ATT&CK Data Components
Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
Image Metadata (Image)
Contextual data about a virtual machine image such as name, resource group, state, or type
Scheduled Job Modification (Scheduled Job)
Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Service Creation (Service)
Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Scheduled Job Metadata (Scheduled Job)
Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.
OS API Execution (Process)
Operating system function/method calls executed by a process
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Service Metadata (Service)
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Suspicious Calculator Usage
DumpMinitool Execution
Potential Homoglyph Attack Using Lookalike Characters in Filename
HackTool - XORDump Execution
System Control Panel Item Loaded From Uncommon Location
Renamed Plink Execution
CreateDump Process Dump
System File Execution Location Anomaly
Interactive Bash Suspicious Children
Potential Homoglyph Attack Using Lookalike Characters
Potential SysInternals ProcDump Evasion
PUA - Potential PE Metadata Tamper Using Rcedit
Potential Fake Instance Of Hxtsr.EXE Executed
Suspicious Process Start Locations
New Process Created Via Taskmgr.EXE
Forfiles.EXE Child Process Masquerading
Suspicious Windows Update Agent Empty Cmdline
Suspicious DumpMinitool Execution
Suspicious CodePage Switch Via CHCP
New or Renamed User Account with '$' Character
Suspicious Process Parents
Execution from Suspicious Folder
Password Protected ZIP File Opened (Suspicious Filenames)
Suspicious Child Process Of Wermgr.EXE
Sdiagnhost Calling Suspicious Child Process
Renamed CreateDump Utility Execution
Process Memory Dump Via Comsvcs.DLL
Procdump Execution
Findstr Launching .lnk File
Explorer Process Tree Break
Taskmgr as LOCAL_SYSTEM
Potential LSASS Process Dump Via Procdump
CodePage Modification Via MODE.COM To Russian Language
Renamed ZOHO Dctask64 Execution
Windows Binaries Write Suspicious Extensions
Suspicious MSDT Parent Process
Potentially Suspicious Execution From Tmp Folder
Potential ReflectDebugger Content Execution Via WerFault.EXE
Potential Command Line Path Traversal Evasion Attempt
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.