T1036.md

File metadata and controls

251 lines (143 loc) · 8.53 KB

# T1036 - Masquerading

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.

A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. 
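An added illustration of the RTLO trick described above (not part of the Atomic Red Team test file): it approximates how a bidi-aware viewer renders a name containing U+202E and compares the extension a user would see with the one the operating system actually acts on. The two sample names are the ones from the description; the third is a constructed benign control.

```python
import os

RTLO = "\u202e"
# Unicode bidi control characters; none of them belongs in a filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

def rendered_name(filename):
    """Approximate how a bidi-aware viewer shows a name containing U+202E:
    everything after the override is drawn right-to-left, i.e. reversed."""
    head, sep, tail = filename.partition(RTLO)
    if not sep:
        return filename
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]

def inspect_attachment(filename):
    """Compare the extension a user sees with the one the OS acts on."""
    has_control = any(ch in BIDI_CONTROLS for ch in filename)
    shown = rendered_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = os.path.splitext(filename)[1].lower()
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        # Any bidi control in a filename is worth an alert on its own;
        # a mismatched extension is the decisive tell of the RTLO trick.
        "suspicious": has_control,
        "extension_spoofed": shown_ext != real_ext,
    }

# Constructed sample names: the two from the description above plus a benign one.
SAMPLES = ["March 25 \u202Excod.scr", "photo_high_re\u202Egnp.js", "quarterly_report.docx"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(inspect_attachment(name))
```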

Adversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)

### Windows

In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)

An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe".

### Linux

Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)

An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)

## Atomic Tests

### Atomic Test #1 - Masquerading as Windows LSASS process

Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.

**Supported Platforms:** Windows

**Attack Commands:** Run with `command_prompt`!

```cmd
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```

**Cleanup Commands:**

```cmd
del /Q /F %SystemRoot%\Temp\lsass.exe
```

### Atomic Test #2 - Masquerading as Linux crond process

Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.

**Supported Platforms:** Linux

**Attack Commands:** Run with `sh`!

```sh
cp /bin/sh /tmp/crond
/tmp/crond
```

### Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe

Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.

**Supported Platforms:** Windows

**Attack Commands:** Run with `command_prompt`!

```cmd
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
```

**Cleanup Commands:**

```cmd
del /Q /F %APPDATA%\notepad.exe
```

### Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe

Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.

**Supported Platforms:** Windows

**Attack Commands:** Run with `command_prompt`!

```cmd
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
```

**Cleanup Commands:**

```cmd
del /Q /F %APPDATA%\svchost.exe
```

### Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe

Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.

**Supported Platforms:** Windows

**Attack Commands:** Run with `command_prompt`!

```cmd
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
```

**Cleanup Commands:**

```cmd
del /Q /F %APPDATA%\taskhostw.exe
```

### Atomic Test #6 - Masquerading - non-windows exe running as windows exe

Copies an exe, renames it as a Windows exe, and launches it to masquerade as a real Windows exe.

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inputfile | path of file to copy | path | $PathToAtomicsFolder\T1036\bin\t1036.exe |
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe") |

**Attack Commands:** Run with `powershell`!

```powershell
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```

**Cleanup Commands:**

```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```

### Atomic Test #7 - Masquerading - windows exe running as different windows exe

Copies a Windows exe, renames it as another Windows exe, and launches it to masquerade as the second Windows exe.

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inputfile | path of file to copy | path | $env:ComSpec |
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe") |

**Attack Commands:** Run with `powershell`!

```powershell
copy #{inputfile} #{outputfile}
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
```

**Cleanup Commands:**

```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```

### Atomic Test #8 - Malicious process Masquerading as LSM.exe

Detect LSM running from an incorrect directory and under an incorrect service account. This works by copying cmd.exe to C:\lsm.exe, then using that copy to write a file to the C:\ folder.

**Supported Platforms:** Windows

**Attack Commands:** Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036 > C:\T1036.txt
```

**Cleanup Commands:**

```cmd
del C:\T1036.txt
del C:\lsm.exe
```
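The tests above all produce the same observable: a trusted process name running from a path (or under an account) where the genuine binary never runs, or, in the Linux variant, a process whose self-reported name differs from the binary it executes. The following is an added detection sketch, not part of the Atomic Red Team project; the baseline paths, the `SYSTEM_ONLY` set and the sample process records are constructed assumptions that a real deployment would replace with values taken from a known-good image.

```python
from pathlib import PureWindowsPath, PurePosixPath

# Assumed baseline: where the names borrowed by the tests above live on a stock
# install. Build the real table from a known-good image of your own fleet.
EXPECTED_WINDOWS = {
    "lsass.exe": r"C:\Windows\System32\lsass.exe",
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "lsm.exe": r"C:\Windows\System32\lsm.exe",
    "taskhostw.exe": r"C:\Windows\System32\taskhostw.exe",
    "notepad.exe": r"C:\Windows\System32\notepad.exe",
}
SYSTEM_ONLY = {"lsass.exe", "lsm.exe"}  # never legitimately run as an ordinary user
EXPECTED_LINUX = {"crond": {"/usr/sbin/crond", "/usr/sbin/cron"}}

def check_windows(image_path, user):
    """Return the reasons a Windows process record looks masqueraded ([] = clean)."""
    name = PureWindowsPath(image_path).name.lower()
    expected = EXPECTED_WINDOWS.get(name)
    if expected is None:
        return []
    reasons = []
    if image_path.lower() != expected.lower():
        reasons.append(f"{name} started from {image_path}, expected {expected}")
    if name in SYSTEM_ONLY and user.upper() != r"NT AUTHORITY\SYSTEM":
        reasons.append(f"{name} running as {user}, expected NT AUTHORITY\\SYSTEM")
    return reasons

def check_linux(comm, exe):
    """Linux: a watchlisted name from the wrong path, or a self-renamed process
    whose /proc/<pid>/comm no longer matches /proc/<pid>/exe (Remaiten variant)."""
    reasons = []
    if comm in EXPECTED_LINUX and exe not in EXPECTED_LINUX[comm]:
        reasons.append(f"{comm} started from {exe}, expected one of {sorted(EXPECTED_LINUX[comm])}")
    # comm is capped at 15 bytes by the kernel, so compare the truncated binary name.
    # Multi-call binaries (busybox) and some interpreters give benign mismatches.
    if comm != PurePosixPath(exe).name[:15]:
        reasons.append(f"process calls itself {comm!r} but executes {exe}")
    return reasons

if __name__ == "__main__":
    # Constructed records mirroring Atomic Tests #1, #8 and #2.
    for path, user in [(r"C:\Windows\Temp\lsass.exe", r"CORP\alice"), (r"C:\lsm.exe", r"CORP\alice")]:
        print(path, check_windows(path, user))
    print("/tmp/crond", check_linux("crond", "/tmp/crond"))
```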