Masquerading (T1036) is defined by ATT&CK as follows:

“Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.”

Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).

There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

Analytic Methodology

With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.
  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive):

C:\Users\administrator\svchost.exe

To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious:

C:\Windows\System32\srv\svchost.exe

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Masquerading Match Legitimate Name or Location Defense Evasion Moderate

Data Model References

Object Action Field
process create exe
process create image_path
process access exe
process access image_path
process terminate exe
process terminate image_path

Implementations

Pseudocode - Common Windows Process Masquerading (Pseudocode, CAR native)

Looks for mismatches between process names and their image paths.

processes = search Process:*
suspicious_processes = filter processes where (
  (exe=svchost.exe AND (image_path!="C:\\Windows\\System32\\svchost.exe" OR process_path!="C:\\Windows\\SysWow64\\svchost.exe"))
  OR (exe=smss.exe AND image_path!="C:\\Windows\\System32\\smss.exe")
  OR (exe=wininit.exe AND image_path!="C:\\Windows\\System32\\wininit.exe")
  OR (exe=taskhost.exe AND image_path!="C:\\Windows\\System32\\taskhost.exe")
  OR (exe=lasass.exe AND image_path!="C:\\Windows\\System32\\lsass.exe")
  OR (exe=winlogon.exe AND image_path!="C:\\Windows\\System32\\winlogon.exe")
  OR (exe=csrss.exe AND image_path!="C:\\Windows\\System32\\csrss.exe")
  OR (exe=services.exe AND image_path!="C:\\Windows\\System32\\services.exe")
  OR (exe=lsm.exe AND image_path!="C:\\Windows\\System32\\lsm.exe")
  OR (exe=explorer.exe AND image_path!="C:\\Windows\\explorer.exe")
  ) 
output suspicious_processes

Splunk Search - Common Windows Process Masquerading (Splunk, Sysmon native)

Splunk search version of the above pseudocode.

index=__your_sysmon_index__ source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (
(process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=wininit.exe AND NOT process_path="C:\\Windows\\System32\\wininit.exe")
OR (process_name=taskhost.exe AND NOT process_path="C:\\Windows\\System32\\taskhost.exe")
OR (process_name=lasass.exe AND NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=winlogon.exe AND NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe")
OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe")
)