ID | Name |
---|---|
T1036.001 | Invalid Code Signature |
T1036.002 | Right-to-Left Override |
T1036.003 | Rename System Utilities |
T1036.004 | Masquerade Task or Service |
T1036.005 | Match Legitimate Name or Location |
T1036.006 | Space after Filename |
T1036.007 | Double File Extension |
T1036.008 | Masquerade File Type |
T1036.009 | Break Process Trees |
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[1] |
G0018 | admin@338 |
admin@338 actors used the following command to rename one of their tools to a benign file name: |
S1074 | ANDROMEDA |
ANDROMEDA has been installed to |
G1007 | Aoqin Dragon |
Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.[4] |
S0622 | AppleSeed |
AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[5] |
G0006 | APT1 |
The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[6][7] |
G0007 | APT28 |
APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[8] |
G0016 | APT29 |
APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[9][10] |
G0050 | APT32 |
APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. [11][12] |
G0087 | APT39 |
APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[13][14] |
G0096 | APT41 |
APT41 attempted to masquerade their files as popular anti-virus software.[15][16] |
S0475 | BackConfig |
BackConfig has hidden malicious payloads in |
G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has dropped implants in folders named for legitimate software.[18] |
S0606 | Bad Rabbit |
Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
S0128 | BADNEWS |
BADNEWS attempts to hide its payloads using legitimate filenames.[21] |
S0534 | Bazar |
The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[22][23][24] |
S0268 | Bisonal |
Bisonal has renamed malicious code to |
S1070 | Black Basta |
The Black Basta dropper has mimicked an application for creating USB bootable drivers.[26] |
S0520 | BLINDINGCAN |
BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[27] |
G0108 | Blue Mockingbird |
Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[28] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[29] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[30] |
S1039 | Bumblebee |
Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[31] |
S0482 | Bundlore |
Bundlore has disguised a malicious .app file as a Flash Player update.[32] |
C0017 | C0017 |
During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[33] |
C0018 | C0018 |
For C0018, the threat actors renamed a Sliver payload to |
S0274 | Calisto |
Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[35] |
G0008 | Carbanak |
Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[36] |
S0484 | Carberp |
Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[37][38] |
S0631 | Chaes |
Chaes has used an unsigned, crafted DLL module named |
S0144 | ChChes |
ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[40] |
G0114 | Chimera |
Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[41] |
S1041 | Chinoxy |
Chinoxy has used the name |
S0625 | Cuba |
Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[43] |
S0687 | Cyclops Blink |
Cyclops Blink can rename its running process to |
S1014 | DanBot |
DanBot files have been named |
S0334 | DarkComet |
DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[46] |
G0012 | Darkhotel |
Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[47] |
S0187 | Daserf |
Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[48] |
S0600 | Doki | |
S0694 | DRATzarus |
DRATzarus has been named |
S0567 | Dtrack |
One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[51] |
G1006 | Earth Lusca |
Earth Lusca used the command |
S0605 | EKANS |
EKANS has been disguised as |
S0081 | Elise |
If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[54] |
S0171 | Felismus |
Felismus has masqueraded as legitimate Adobe Content Management System files.[55] |
G0137 | Ferocious Kitten |
Ferocious Kitten has named malicious files |
G1016 | FIN13 |
FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[57] |
G0046 | FIN7 |
FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[58] |
S0182 | FinFisher |
FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[59][60] |
S0661 | FoggyWeb |
FoggyWeb can be disguised as a Visual Studio file such as |
G0117 | Fox Kitten |
Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[62] |
S0410 | Fysbis |
Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[63] |
G0047 | Gamaredon Group |
Gamaredon Group has used legitimate process names to hide malware including |
S0666 | Gelsemium |
Gelsemium has named malicious binaries |
S0493 | GoldenSpy |
GoldenSpy's setup file installs initial executables under the folder |
S0588 | GoldMax |
GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[67][68] |
S0477 | Goopy |
Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[11] |
S0531 | Grandoreiro |
Grandoreiro has named malicious browser extensions and update files to appear legitimate.[69][70] |
S0690 | Green Lambert |
Green Lambert has been disguised as a Growl help file.[71][72] |
S0697 | HermeticWiper |
HermeticWiper has used the name |
S0698 | HermeticWizard |
HermeticWizard has been named |
S0070 | HTTPBrowser |
HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[74] |
S1022 | IceApple |
IceApple .NET assemblies have used |
G0119 | Indrik Spider |
Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[76] |
S0259 | InnaputRAT |
InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[77] |
S0260 | InvisiMole |
InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[78][79] |
S0015 | Ixeshe |
Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[80] |
G0004 | Ke3chang |
Ke3chang has dropped their malware into legitimate installed software paths including: |
S0526 | KGH_SPY | |
G0094 | Kimsuky |
Kimsuky has renamed malware to legitimate names such as |
S0669 | KOCTOPUS |
KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[84] |
S0356 | KONNI |
KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[85] |
G0032 | Lazarus Group |
Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.[86][87] |
S0395 | LightNeuron |
LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as |
S0582 | LookBack |
LookBack has a C2 proxy tool that masquerades as |
G1014 | LuminousMoth |
LuminousMoth has disguised their exfiltration malware as |
S0409 | Machete |
Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[91][92] |
G0095 | Machete |
Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[93] |
G0059 | Magic Hound |
Magic Hound has used |
S0652 | MarkiRAT |
MarkiRAT can masquerade as |
S0500 | MCMD | |
S0459 | MechaFlounder |
MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.[98] |
G0045 | menuPass |
menuPass has been seen changing malicious files to appear legitimate.[99] |
S0455 | Metamorfo |
Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[100][101] |
S0084 | Mis-Type |
Mis-Type saves itself as a file named |
S0083 | Misdat |
Misdat saves itself as a file named |
G0069 | MuddyWater |
MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[104][105][106] |
G0129 | Mustang Panda |
Mustang Panda has used names like |
G0019 | Naikon |
Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[108] |
S0630 | Nebulae |
Nebulae uses functions named |
S0198 | NETWIRE |
NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[109] |
S1090 | NightClub |
NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.[110] |
S0353 | NOKKI |
NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.[111] |
S0340 | Octopus |
Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[112][113] |
S0138 | OLDBAIT |
OLDBAIT installs itself in |
C0012 | Operation CuckooBees |
During Operation CuckooBees, the threat actors renamed a malicious executable to |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[116] |
C0013 | Operation Sharpshooter |
During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as |
C0014 | Operation Wocao |
During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.[118] |
S0402 | OSX/Shlayer |
OSX/Shlayer can masquerade as a Flash Player update.[119][120] |
S0072 | OwaAuth |
OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in |
G0040 | Patchwork |
Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[122] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[123] |
S1050 | PcShare |
PcShare has been named |
S0587 | Penquin |
Penquin has mimicked the Cron binary to hide itself on compromised systems.[124] |
S0501 | PipeMon |
PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[125] |
S0013 | PlugX |
PlugX has been disguised as legitimate Adobe and PotPlayer files.[126] |
S0453 | Pony |
Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy.[127] |
G0033 | Poseidon Group |
Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[128] |
S1046 | PowGoop |
PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.[129] |
G0056 | PROMETHIUM |
PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[130][131] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[132][133] |
S1032 | PyDCrypt |
PyDCrypt has dropped DCSrv under the |
S0583 | Pysa |
Pysa has executed a malicious executable by naming it svchost.exe.[135] |
S0269 | QUADAGENT |
QUADAGENT used the PowerShell filenames |
S1084 | QUIETEXIT |
QUIETEXIT has attempted to change its name to |
S0565 | Raindrop |
Raindrop was installed under names that resembled legitimate Windows file and directory names.[138][139] |
S0629 | RainyDay |
RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.[108] |
S0458 | Ramsay | |
S0495 | RDAT | |
S0125 | Remsec |
The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[143][144] |
S0496 | REvil | |
G0106 | Rocke |
Rocke has used shell scripts which download mining executables and saves them with the filename "java".[146] |
S1078 | RotaJakiro |
RotaJakiro has used the filename |
S0446 | Ryuk |
Ryuk has constructed legitimate appearing installation folder paths by calling |
S0085 | S-Type |
S-Type may save itself as a file named |
S1018 | Saint Bot |
Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[149] |
G0034 | Sandworm Team |
Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[150][151] |
S1019 | Shark |
Shark binaries have been named |
S0445 | ShimRatReporter |
ShimRatReporter spoofed itself as |
S0589 | Sibot |
Sibot has downloaded a DLL to the |
G1008 | SideCopy |
SideCopy has used a legitimate DLL file name, |
G0121 | Sidewinder |
Sidewinder has named malicious files |
G0091 | Silence | |
S0468 | Skidmap |
Skidmap has created a fake |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[157] |
S1035 | Small Sieve |
Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[158] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.[159][160] |
G0054 | Sowbug |
Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory |
S0058 | SslMM |
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[162] |
S0188 | Starloader |
Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[161] |
S1034 | StrifeWater |
StrifeWater has been named |
S0491 | StrongPity |
StrongPity has been bundled with legitimate software installation files for disguise.[130] |
S1042 | SUGARDUMP |
SUGARDUMP has been named |
S0559 | SUNBURST |
SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[139] |
S0562 | SUNSPOT |
SUNSPOT was identified on disk with a filename of |
S0578 | SUPERNOVA |
SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[166][167] |
G1018 | TA2541 |
TA2541 has used file names to mimic legitimate Windows files or system functionality.[168] |
S0586 | TAINTEDSCRIBE |
The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[86] |
S1011 | Tarrask |
Tarrask has masqueraded as executable files such as |
G0139 | TeamTNT |
TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.[170] |
S0560 | TEARDROP |
TEARDROP files had names that resembled legitimate Window file and directory names.[171][139] |
G0088 | TEMP.Veles |
TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[172] |
S0595 | ThiefQuest |
ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[173][174] |
S0665 | ThreatNeedle |
ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.[175] |
S0668 | TinyTurla |
TinyTurla has been deployed as |
G0134 | Transparent Tribe |
Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[177] |
G0081 | Tropic Trooper |
Tropic Trooper has hidden payloads in Flash directories and fake installer files.[178] |
S0386 | Ursnif |
Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[179] |
S0136 | USBStealer |
USBStealer mimics a legitimate Russian program called USB Disk Security.[180] |
G1017 | Volt Typhoon |
Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[181][182] |
G0107 | Whitefly |
Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[183] |
S0141 | Winnti for Windows |
A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[184] |
G0090 | WIRTE |
WIRTE has named a first stage dropper |
S0086 | ZLib |
ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[102] |
ID | Mitigation | Description |
---|---|---|
M1045 | Code Signing |
Require signed binaries and images. |
M1038 | Execution Prevention |
Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
M1022 | Restrict File and Directory Permissions |
Use file system access controls to protect folders such as C:\Windows\System32. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Metadata |
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. |
DS0007 | Image | Image Metadata |
In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[186] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users. |
DS0009 | Process | Process Creation |
Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only. Note: With process monitoring, hunt for processes matching these criteria:
Examples (true positive):C:\Users\administrator\svchost.exe To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe Analytic 1 - Common Windows Process Masquerading
|
Process Metadata |
Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. |