mitre-attack / car

Cyber Analytics Repository

CAR-2021-02-12: Common Windows Process Masquerading

sebastiendamaye opened this issue · comments

Masquerading (T1036) is defined by MITRE ATT&CK as follows:

Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, ...).

There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

ATT&CK Coverage

| Technique    | Sub-Technique                     | Level of Coverage |
|--------------|-----------------------------------|-------------------|
| Masquerading | Match Legitimate Name or Location | Moderate          |

Data Model Mappings

| Object  | Action | Field        |
|---------|--------|--------------|
| process | create | command_line |
| process | create | exe          |

Analytic Code

With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, ...
  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples:

C:\Users\administrator\svchost.exe

To make sure the rule doesn't miss cases where the executable would be started from a sub-folder of these locations, the process path is checked in its entirety. The example below should be considered suspicious:

C:\Windows\System32\srv\svchost.exe

Splunk Search (Splunk, Sysmon native)

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (
(process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=wininit.exe AND NOT process_path="C:\\Windows\\System32\\wininit.exe")
OR (process_name=taskhost.exe AND NOT process_path="C:\\Windows\\System32\\taskhost.exe")
OR (process_name=lsass.exe AND NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=winlogon.exe AND NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe")
OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe")
)
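The hunt logic from the pseudo code above, as an added example that is not part of this issue or of the CAR repository: it runs the same name/path check over constructed Sysmon-style ProcessCreate events, flagging the sub-folder case as well. Normalising the path (case, slashes, `..` segments) before the comparison is an addition here, not part of the submitted Splunk search.

```python
import ntpath  # Windows path semantics even on a non-Windows host

SYS32 = r"C:\Windows\System32"
# Expected on-disk location(s) of each system binary named in the analytic.
EXPECTED_PATHS = {
    "svchost.exe": {SYS32 + r"\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"},
    "explorer.exe": {r"C:\Windows\explorer.exe"},
    **{n: {SYS32 + "\\" + n} for n in ("smss.exe", "wininit.exe", "taskhost.exe",
        "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "lsm.exe")},
}

def normalize(path: str) -> str:
    """Collapse '/' vs '\\', '..' segments and case (NTFS paths are
    case-insensitive) so legitimate variants do not raise false positives.
    This normalisation is an assumption added here, not part of the CAR rule."""
    return ntpath.normpath(path).lower()

def is_masquerading(process_name: str, process_path: str) -> bool:
    """True when a watched binary name runs from anywhere other than its expected
    location; sub-folders such as System32\\srv\\ are flagged, per the analytic."""
    expected = EXPECTED_PATHS.get(process_name.lower())
    if expected is None:
        return False  # name not covered by this analytic
    return normalize(process_path) not in {normalize(p) for p in expected}

def hunt(events):
    """Return the Image paths of process-create events that match the rule."""
    return [ev["Image"] for ev in events
            if is_masquerading(ntpath.basename(ev["Image"]), ev["Image"])]

# Constructed sample events in the shape of Sysmon Event ID 1 (ProcessCreate).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},      # legitimate
    {"EventID": 1, "Image": r"c:\windows\syswow64\svchost.exe"},      # legitimate, odd casing
    {"EventID": 1, "Image": r"C:\Users\administrator\svchost.exe"},   # example from the analytic
    {"EventID": 1, "Image": r"C:\Windows\System32\srv\svchost.exe"},  # sub-folder case
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},              # legitimate
    {"EventID": 1, "Image": r"C:\Windows\System32\explorer.exe"},     # wrong directory
    {"EventID": 1, "Image": r"C:\Program Files\App\app.exe"},         # not a watched name
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit)
```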

@sebastiendamaye thanks! We'll convert this to our YAML and merge it in shortly.

Added in fd00cd9. Thanks again @sebastiendamaye !

Typo in CAR-2021-04-001: Common Windows Process Masquerading !!

Greetings, this comment will probably be lost since the issue is closed but I found a typo in the pseudo code as well as the Splunk query when implementing this analytic.
OR (exe=lasass.exe AND image_path!="C:\\Windows\\System32\\lsass.exe")

Typo is exe=lasass.exe instead of exe=lsass.exe

Thank you for your contributions 🙏.

Thank you AlaZegnani. I've updated the content in the initial request. Not sure if it will be reflected on the MITRE CAR portal though.