# T1036 Masquerading

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)

## Technique Detection

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

If the file name on disk does not match the name recorded in the binary's PE metadata, the binary was likely renamed after it was compiled. Collecting the on-disk and resource filenames for binaries and checking whether the InternalName, OriginalFilename, and/or ProductName match what is expected can provide useful leads, but is not always indicative of malicious activity. (Citation: Elastic Masquerade Ball) Rather than trying to enumerate the possible names a file could have, focus on the command-line arguments that are known to be used and are distinctive, since that gives a better detection rate.(Citation: Twitter ItsReallyNick Masquerading Update)

Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE".

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

  * Containers

### Defenses Bypassed:

  * Application Control

### Data Sources:

  * **Scheduled Job:** Scheduled Job Metadata

  * **Service:** Service Creation

  * **File:** File Modification

  * **Service:** Service Metadata

  * **Command:** Command Execution

  * **Process:** Process Metadata

  * **File:** File Metadata

  * **Image:** Image Metadata

  * **Scheduled Job:** Scheduled Job Modification

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used several different security software icons to disguise executables.(Citation: MalwareBytes LazyScripter Feb 2021) | 
| Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) attempted to make [Octopus](https://attack.mitre.org/software/S0340) appear as a Telegram Messenger with a Russian interface.(Citation: Securelist Octopus Oct 2018)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has masked malware DLLs as dat and jpg files.(Citation: Unit 42 TA551 Jan 2021)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.(Citation: FireEye SUNBURST Backdoor December 2020)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used icons mimicking MS Office files to mask malicious executables.(Citation: objective-see windtail1 dec 2018) [Windshift](https://attack.mitre.org/groups/G0112) has also attempted to hide executables by changing the file extension to ".scr" to mimic Windows screensavers.(Citation: BlackBerry Bahamut)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.(Citation: KISA Operation Muzabi)| 
| PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has renamed rar.exe to avoid detection.(Citation: Twitter ItsReallyNick Platinum Masquerade)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has masked executables with document file icons including Word and Adobe PDF.(Citation: Trend Micro Tick November 2019)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has disguised a Cobalt Strike beacon as a Flash Installer.(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used .doc file extensions to mask malicious executables.(Citation: Check Point APT34 April 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used [esentutl](https://attack.mitre.org/software/S0404) to change file extensions to their true type that were masquerading as .txt files.(Citation: FireEye APT10 Sept 2018) | 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has created accounts disguised as legitimate backup and service accounts as well as an email administration account.(Citation: US-CERT TA18-074A)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has disguised malicious template files as JPEG files to avoid detection.(Citation: McAfee Lazarus Jul 2020)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.(Citation: FireEye SUNBURST Backdoor December 2020)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has renamed the WinRAR utility to avoid detection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1036)

  * [Twitter Itsreallynick Masquerading Update](https://twitter.com/ItsReallyNick/status/1055321652777619457), Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.

  * [Elastic Masquerade Ball](http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf), Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.

  * [Lolbas Main Site](https://lolbas-project.github.io/), LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/177.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will obfuscate malicious code inside randomly generated files or through PowerShell.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- While file paths can be useful for detection, they can also be prone to false positives in certain cases.

## Analytical References

  * [Atomic Red Team T1036.003](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1036.003)
  * [Atomic Red Team T1036.006](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1036.006)
  * [Masquerading- Threat Detection Report (redcanary)](https://redcanary.com/threat-detection-report/techniques/masquerading/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
- Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE".
- Binary file metadata is probably the most useful data source for observing threats that leverage Masquerading. Certain elements of a binary’s metadata—internal names and signature information are good examples—are reliable indicators of Masquerading.
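
The file-name checks in the notes above (trailing space, right-to-left override in its raw, percent-encoded and bracketed forms), as an added Python example that is not part of the original notebook. The sample names are constructed, and the "[U+XXXX]" decoding assumes a log source that writes control characters in that notation:

```python
import re
import unicodedata
import urllib.parse

# Bidirectional control code points that can change how a name is displayed;
# U+202E (right-to-left override) is the classic one used for extension spoofing.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def normalize_name(raw: str) -> str:
    """Decode the escaped forms a log may carry ("%E2%80%AE" or the "[U+202E]"
    notation used in the notes above) so a single check covers all of them."""
    name = urllib.parse.unquote(raw)  # %E2%80%AE -> U+202E (UTF-8 percent-encoding)
    return re.sub(r"\[U\+([0-9A-Fa-f]{4,6})\]",
                  lambda m: chr(int(m.group(1), 16)), name)

def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO is rendered reversed until
    a pop-directional-formatting mark (U+202C) or the end of the string."""
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return name
    tail = tail.split("\u202c", 1)[0]
    return head + tail[::-1]

def filename_indicators(raw: str) -> list:
    """Return the masquerading indicators found in one file name (empty if clean)."""
    name = normalize_name(raw)
    findings = []
    if name.endswith(" "):
        findings.append("trailing space")
    for ch in name:
        if ch in BIDI_CONTROLS:
            findings.append("bidi control " + unicodedata.name(ch))
            break
    if "\u202e" in name:
        findings.append("renders as " + repr(displayed_name(name)))
    return findings

if __name__ == "__main__":
    # Constructed sample names, one per form mentioned in the hunter notes.
    for sample in ["report.txt", "invoice.pdf ", "report\u202efdp.exe",
                   "report%E2%80%AEfdp.exe", "report[U+202E]fdp.exe"]:
        print(repr(sample), "->", filename_indicators(sample) or "clean")
```

The rendered form is what makes the RLO case dangerous: `report\u202efdp.exe` is shown to the user as `reportexe.pdf`, so the check reports both the control character and what the name looks like.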

#### Analytic 1

  * **Information:** Detect renamed file execution

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Winlogbeat exposes the OriginalFileName from Sysmon event ID 1 as a usable field. Simply checking that OriginalFileName exists will yield many results, but any difference between it and the process name is a good indicator of suspicious activity.

  * **Query:** ```winlog.event_data.OriginalFileName != process.name```

#### Analytic 2

  * **Information:** Detect Sysinternals tools that may have been renamed (such as PsExec)

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** This can be an indicator that a Microsoft Sysinternals tool has been renamed to masquerade as something else.

  * **Query:** ```process.command_line : *accepteula*```

#### Analytic 3

  * **Information:** Process/Directory mismatch

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** The key to this analytic is to look for allowlisted process names that execute from unexpected paths (the directory portion of process.executable, with process.working_directory as supporting context).
      - This should probably be scripted rather than hunted manually unless it is tied to an investigation or suspicious activity.

  * **Query:** `process.executable : *`
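
The three host analytics above, together with the disk-name versus PE OriginalFileName comparison from the detection section, as one added Python hunt run over constructed Sysmon event ID 1 records (example code, not part of the original notebook). The EVENTS records, the EXPECTED_DIRS allowlist and the sample `psexec.c` OriginalFileName value are assumptions for illustration:

```python
import ntpath

# Constructed Winlogbeat-style Sysmon event ID 1 records, flattened to dotted
# ECS keys for brevity (not real telemetry).
EVENTS = [
    {"process.name": "svchost.exe", "winlog.event_data.OriginalFileName": "svchost.exe",
     "process.executable": r"C:\Windows\System32\svchost.exe", "process.command_line": "svchost.exe -k netsvcs"},
    {"process.name": "svchost.exe", "winlog.event_data.OriginalFileName": "svchost.exe",
     "process.executable": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "process.command_line": "svchost.exe"},
    {"process.name": "update.exe", "winlog.event_data.OriginalFileName": "psexec.c",
     "process.executable": r"C:\Users\bob\Downloads\update.exe", "process.command_line": r"update.exe -accepteula \\srv cmd"},
    {"process.name": "PsExec.exe", "winlog.event_data.OriginalFileName": "psexec.c",
     "process.executable": r"C:\Tools\PsExec.exe", "process.command_line": r"PsExec.exe -accepteula \\srv cmd"},
]
# Assumption: directories in which these well-known names are expected to run.
EXPECTED_DIRS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}

def stem(name):
    return ntpath.splitext(name)[0].lower()

def analytic_1(ev):
    """Renamed binary: PE OriginalFileName disagrees with the on-disk name. Stems are
    compared case-insensitively so 'psexec.c' vs 'PsExec.exe' is not noise."""
    original = ev.get("winlog.event_data.OriginalFileName")
    return bool(original) and stem(original) != stem(ev["process.name"])

def analytic_2(ev):
    """Sysinternals EULA switch on the command line, whatever the binary is called."""
    return "accepteula" in ev.get("process.command_line", "").lower()

def analytic_3(ev):
    """Well-known process name running from a directory it is not expected in."""
    name = ev["process.name"].lower()
    directory = ntpath.dirname(ev["process.executable"]).lower()
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]

ANALYTICS = {"1": analytic_1, "2": analytic_2, "3": analytic_3}

def hunt(events):
    """Map event index -> analytic ids that fired, for events that fired at least one."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [aid for aid, fn in ANALYTICS.items() if fn(ev)]
        if fired:
            hits[i] = fired
    return hits

if __name__ == "__main__":
    for i, fired in hunt(EVENTS).items():
        print(f"event {i}: {EVENTS[i]['process.executable']} -> analytics {fired}")
```

Event 3 shows the expected false positive for Analytic 2: a genuine PsExec run fires it on its own, so the command-line hit is most useful when combined with a name mismatch (Analytic 1) or an unexpected path (Analytic 3).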
-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

