T1036.004: Masquerade Task or Service
| View on MITRE ATT&CK | T1036.004 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Task Impersonation (CAPEC-504) |
Data from MITRE ATT&CK®:
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
How to detect this technique
MITRE ATT&CK Data Components
Service Creation (Service)
Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)
Service Metadata (Service)
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Scheduled Job Metadata (Scheduled Job)
Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.
Scheduled Job Modification (Scheduled Job)
Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
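As an added example (not part of the MITRE, ESET, ACSC or Atomic Red Team material), the check below works the Service Creation data component listed above: it reads flattened Windows EID 4697 records and flags new services whose name duplicates a known-good name but runs from an unexpected path, or mimics one through homoglyphs or a near-match spelling. The baseline allow-list, the flattened log format and the sample events are all constructed for the example.

```python
# Added example: flag service creations whose names mimic known-good services.
import difflib
import re

# Hypothetical allow-list of known-good service/display names -> expected binary.
BASELINE = {
    "spooler": r"c:\windows\system32\spoolsv.exe",
    "wuauserv": r"c:\windows\system32\svchost.exe",
    "windowsupdate": r"c:\windows\system32\svchost.exe",
}
# Characters commonly substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
LINE_RE = re.compile(r"ServiceName=(?P<name>.+?)\s+ServiceFileName=(?P<path>\S.*)$")
# Constructed sample log lines (flattened EID 4697 fields, not real events).
SAMPLE_4697 = r"""
EventID=4697 ServiceName=Spooler ServiceFileName=C:\Windows\System32\spoolsv.exe
EventID=4697 ServiceName=wuauserv ServiceFileName=C:\Users\Public\wuauserv.exe
EventID=4697 ServiceName=Wind0ws Update ServiceFileName=C:\ProgramData\svc\update.exe
EventID=4697 ServiceName=Spoolerr ServiceFileName=C:\Users\Public\spoolerr.exe
EventID=4697 ServiceName=MyBackupAgent ServiceFileName=C:\Program Files\Backup\agent.exe
"""

def normalize(name):
    """Lower-case, undo homoglyph substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", name.lower().translate(HOMOGLYPHS))

def classify(name, path):
    """Return a finding label for one service creation, or None if unremarkable."""
    raw = re.sub(r"[^a-z0-9]", "", name.lower())
    norm = normalize(name)
    if norm in BASELINE:
        if raw != norm:                      # e.g. "Wind0ws Update" -> windowsupdate
            return "lookalike-homoglyph"
        if path.lower() != BASELINE[norm]:   # legitimate name, binary in the wrong place
            return "known-name-unexpected-path"
    elif difflib.get_close_matches(norm, BASELINE, n=1, cutoff=0.8):
        return "lookalike-near-match"        # e.g. "Spoolerr" vs "spooler"
    return None

def scan(log_text):
    """Parse flattened 4697 lines and return [(service name, finding), ...]."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and (label := classify(m["name"], m["path"])):
            findings.append((m["name"], label))
    return findings

if __name__ == "__main__":
    for name, label in scan(SAMPLE_4697):
        print(f"{label:28} {name}")
```

In production the baseline would come from Service Metadata collected across the estate rather than a hand-written dictionary, and the same comparison applies to scheduled task names from Scheduled Job Metadata.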