Cyber security

T1036.005 – Masquerading : Match Legitimate Name Or Location

In the cybersecurity landscape, attackers constantly devise methods to bypass security measures.

One sophisticated technique is T1036.005, or Masquerading: Match Legitimate Name or Location, where attackers mimic the names or locations of legitimate files to evade detection.

This article delves into how this tactic works, providing insights on detection and mitigation to help defenders enhance their security strategies.

ATT&CK Tags

Tactic: Defense Evasion

Technique: Masquerading: Match Legitimate Name or Location (T1036.005) Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.

Technical Description Of The Attack

Permission Required To Execute The Technique

User

Detection Description

This rule detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.

Utilized Data Source

Event IDEvent NameLog ProviderATT&CK Data Source
DeviceProcessEventsMDEProcess monitoring

Hunt Details

KQL

FP Rate: Low

Source: MDE

Description: See above

Query:

let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
    "smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
    "crmss.exe", dynamic(["smss.exe"]),
    "wininit.exe", dynamic(["smss.exe"]),
    "winlogon.exe", dynamic(["smss.exe"]),
    "services.exe", dynamic(["wininit.exe"]),
    "lsaiso.exe", dynamic(["wininit.exe"]),
    "lsass.exe", dynamic(["wininit.exe"]),
    "spoolsv.exe", dynamic(["services.exe"]),
    "dllhost.exe", dynamic(["svchost.exe"]),
    "lsm.exe", dynamic(["wininit.exe"]),
    "svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
    "runtimebroker.exe", dynamic(["svchost.exe"]),
    "taskhostw.exe", dynamic(["svchost.exe"]),
    "userinit.exe", dynamic(["winlogon.exe"])
    // Explorer can have a lot of parents in some environments
    //,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| project Timestamp, ImageFile, ParentFile
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
| summarize count() by ImageFile, ParentFile

Considerations

  • The query is somewhat heavy on resources. Use it on a limited timefrime, for instance 24 hours – 7 days.
  • Some of these parent processes launch their childs and immediately terminate, which in some cases might cause the parent field to remain empty.
  • Some of the processes like dllhost can in some cases have other parent processes which can be legitimate, do validate them
  • Be prepared to find malware and backdoors – don’t run this query on Friday and ruin your weekend.

False Positives

  • For some reason, some software installers unpack and execute windows binaries using other names. This obviously triggers this rule.

Detection Blind Spots

  • There is an obvious blind spot for processes outside of the datatable.
Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

ModTask – Task Scheduler Attack Tool

ModTask is an advanced C# tool designed for red teaming operations, focusing on manipulating scheduled…

8 hours ago

HellBunny : Advanced Shellcode Loader For EDR Evasio

HellBunny is a malleable shellcode loader written in C and Assembly utilizing direct and indirect…

8 hours ago

SharpRedirect : A Lightweight And Efficient .NET-Based TCP Redirector

SharpRedirect is a simple .NET Framework-based redirector from a specified local port to a destination…

9 hours ago

Flyphish : Mastering Cloud-Based Phishing Simulations For Security Assessments

Flyphish is an Ansible playbook allowing cyber security consultants to deploy a phishing server in…

1 day ago

DeLink : Decrypting D-Link Firmware Across Devices With A Rust-Based Library

A crypto library to decrypt various encrypted D-Link firmware images. Confirmed to work on the…

1 day ago

LLM Lies : Hallucinations Are Not Bugs, But Features As Adversarial Examples

LLMs (e.g., GPT-3.5, LLaMA, and PaLM) suffer from hallucination—fabricating non-existent facts to cheat users without…

1 day ago