In the cybersecurity landscape, attackers constantly devise methods to bypass security measures.
One sophisticated technique is T1036.005, or Masquerading: Match Legitimate Name or Location, where attackers mimic the names or locations of legitimate files to evade detection.
This article delves into how this tactic works, providing insights on detection and mitigation to help defenders enhance their security strategies.
Tactic: Defense Evasion
Technique: Masquerading: Match Legitimate Name or Location (T1036.005) Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.
User
This rule detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
Event ID | Event Name | Log Provider | ATT&CK Data Source |
---|---|---|---|
– | DeviceProcessEvents | MDE | Process monitoring |
FP Rate: Low
Source: MDE
Description: See above
let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [
"smss.exe", dynamic(["smss.exe", "ntoskrnl.exe", ""]),
"crmss.exe", dynamic(["smss.exe"]),
"wininit.exe", dynamic(["smss.exe"]),
"winlogon.exe", dynamic(["smss.exe"]),
"services.exe", dynamic(["wininit.exe"]),
"lsaiso.exe", dynamic(["wininit.exe"]),
"lsass.exe", dynamic(["wininit.exe"]),
"spoolsv.exe", dynamic(["services.exe"]),
"dllhost.exe", dynamic(["svchost.exe"]),
"lsm.exe", dynamic(["wininit.exe"]),
"svchost.exe", dynamic(["services.exe", "msmpeng.exe"]),
"runtimebroker.exe", dynamic(["svchost.exe"]),
"taskhostw.exe", dynamic(["svchost.exe"]),
"userinit.exe", dynamic(["winlogon.exe"])
// Explorer can have a lot of parents in some environments
//,"explorer.exe", dynamic(["userinit.exe"])
];
DeviceProcessEvents
| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))
| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))
| project Timestamp, ImageFile, ParentFile
| lookup kind=inner ProcessRelations on ImageFile
| where not(set_has_element(ExpectedParent,ParentFile))
| summarize count() by ImageFile, ParentFile
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…