# T1036.004 Masquerade Task or Service

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

## Technique Detection

Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
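The checks this paragraph describes can be run over collected service-install and task-creation events. The script below is an added example written for this playbook, not code from MITRE or from any of the cited reports; the baseline, allow-list and event records in it are constructed sample data, and the three checks (hidden or non-printing characters in the name, a near-duplicate of a legitimate name, and a name absent from the historical baseline) are the hunter-side view of the tradecraft listed in the adversarial-usage table, such as the appended no-break space or the `svchast`/`svchost` spelling.

```python
"""Added hunt example (not from the ATT&CK page or any cited vendor report).

Reviews service-install / scheduled-task-creation events for masqueraded
names.  The checks apply equally to a service name, a display name, a task
path or an image file name, so the sample records only carry a 'Name'.
All data below is constructed.
"""
import unicodedata
from dataclasses import dataclass, field

# Constructed baseline: names seen in the environment before the hunt window.
# In practice this is months of historical 7045 (System: service installed)
# and 4698 (Security: scheduled task created) events.
HISTORICAL_NAMES = {
    "Schedule", "Spooler", "WinDefend", "wuauserv",
    "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
}

# Constructed allow-list of legitimate names used for the lookalike comparison.
LEGITIMATE_NAMES = {"svchost.exe", "Spooler", "wuauserv", "WinDefend", "taskmgr.exe"}

# Constructed sample events (event IDs are the real Windows ones named above).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Name": "Spooler"},          # known service: expect no finding
    {"EventID": 7045, "Name": "Spooler\u00a0"},    # trailing U+00A0 no-break space
    {"EventID": 7045, "Name": "svchast.exe"},      # one letter off svchost.exe
    {"EventID": 4698, "Name": "GoogleTask"},       # never seen in the baseline
]


@dataclass
class Finding:
    event_id: int
    name: str
    reasons: list = field(default_factory=list)


def hidden_chars(name: str) -> list:
    """Code points in *name* that are format/control characters or non-ASCII spaces."""
    bad = []
    for ch in name:
        cat = unicodedata.category(ch)
        # Cf = format (zero-width joiner etc.), Cc = control, Zs = space separators
        if cat in ("Cf", "Cc") or (cat == "Zs" and ch != " "):
            bad.append(f"U+{ord(ch):04X}")
    return bad


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, legit: set, max_dist: int = 2):
    """Legitimate name that *name* nearly matches, or None if it matches exactly or is unrelated."""
    lowered = name.casefold()
    folded = {cand.casefold(): cand for cand in legit}
    if lowered in folded:
        return None  # exact (case-insensitive) match is the legitimate item itself
    closest = min(folded, key=lambda low: edit_distance(lowered, low))
    return folded[closest] if edit_distance(lowered, closest) <= max_dist else None


def review_events(events, historical=HISTORICAL_NAMES, legit=LEGITIMATE_NAMES):
    """Run all three checks; return only the events that raised at least one reason."""
    findings = []
    for ev in events:
        f = Finding(ev["EventID"], ev["Name"])
        hidden = hidden_chars(f.name)
        if hidden:
            f.reasons.append(f"hidden characters {hidden}")
        look = lookalike_of(f.name, legit)
        if look:
            f.reasons.append(f"lookalike of legitimate name '{look}'")
        if f.name not in historical:
            f.reasons.append("not in historical baseline")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.name!r}: " + "; ".join(f.reasons))
```

The baseline check deliberately compares the raw name, so a known name with an appended hidden character is reported both as "hidden characters" and as "not in historical baseline"; the lookalike check folds case but not hidden characters, which is why the no-break-space variant also surfaces as a near-duplicate of `Spooler`. Treat each hit as a lead to correlate with the creating process and its command line, as the detection guidance above describes, rather than as a verdict on its own.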

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

### Platforms:

  * Windows

  * Linux

  * macOS

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Data Sources:

  * **Scheduled Job:** Scheduled Job Metadata

  * **Service:** Service Creation

  * **Scheduled Job:** Scheduled Job Modification

  * **Command:** Command Execution

  * **Service:** Service Metadata

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has disguised their backdoor droppers with naming conventions designed to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has created a run key named <code>Dropbox Update Setup</code> to mask a persistence mechanism for a malicious binary.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) named a shellcode loader binary <code>svchast.exe</code> to spoof the legitimate <code>svchost.exe</code>.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) | 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) named tasks <code>\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</code> in order to appear legitimate.(Citation: Volexity SolarWinds)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)| 
| APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)| 
| PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. [APT32](https://attack.mitre.org/groups/G0050) has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".(Citation: FireEye APT32 May 2017)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019) | 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ESET Twitter Ida Pro Nov 2021)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) renamed a malicious service <code>taskmgr</code> to appear to be a legitimate version of Task Manager.(Citation: Bitdefender Naikon April 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) named tasks <code>\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</code> in order to appear legitimate.(Citation: Volexity SolarWinds)| 
| Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1036/004)

  * [Technet Schtasks](https://technet.microsoft.com/en-us/library/bb490996.aspx), Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.

  * [Systemd Service Units](https://www.freedesktop.org/software/systemd/man/systemd.service.html), Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.

  * [Palo Alto Shamoon Nov 2016](http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/), Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

  * [Fysbis Dr Web Analysis](https://vms.drweb.com/virus/?i=4276269), Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

