Common Information
Value Masquerading - T1036
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of a legitimate program's name. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.

===Windows===
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe".

===Linux===
Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process after they have been launched, as opposed to before. (Citation: Remaiten) An example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)

Detection: Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. If file names are mismatched between the binary name on disk and the binary's resource section, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball)

Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Binary file metadata
Defense Bypassed: Whitelisting by file name or path
Contributors: ENDGAME, Bartosz Jerzman
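The three detection ideas in the description (expected hash per name, trusted name in an unusual directory, on-disk name disagreeing with the resource-section OriginalFilename) can be run as one pass over a file inventory. The code below is an added example, not part of the ATT&CK/MISP record; the allow-listed directories, the "golden" hashes and the inventory records are all constructed placeholders, and a real deployment would feed it hashes and PE version-resource fields collected by its own file-monitoring agent.

```python
"""Masquerading (T1036) triage over a file inventory: added example, not from the page.
Flags (1) trusted binary names outside their expected directories, (2) names whose hash
does not match the known-good hash, (3) on-disk names that differ from the PE resource
section's OriginalFilename. All reference data and sample records are constructed."""
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed allow-list: directories in which each trusted name is expected to live.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rsyncd": {"/usr/bin", "/usr/sbin", "/bin"},
}

# Constructed "golden" hashes (placeholders, not real digests) keyed by file name.
KNOWN_HASHES = {
    "svchost.exe": "PLACEHOLDER-SHA256-svchost",
    "rundll32.exe": "PLACEHOLDER-SHA256-rundll32",
}


@dataclass
class FileRecord:
    path: str                                # full on-disk path as observed
    sha256: str                              # hash collected by file monitoring
    original_filename: Optional[str] = None  # PE resource OriginalFilename; None for ELF/unknown


def _split(path: str) -> Tuple[str, str]:
    """Return (file name, parent directory); Windows paths are case-folded."""
    is_windows = "\\" in path or (len(path) > 1 and path[1] == ":")
    if is_windows:
        p = PureWindowsPath(path)
        return p.name.lower(), str(p.parent).lower()
    p = PurePosixPath(path)
    return p.name, str(p.parent)


def assess(rec: FileRecord) -> List[str]:
    """Return the list of masquerading indicators for one record (empty = nothing found)."""
    findings: List[str] = []
    name, parent = _split(rec.path)

    # (1) known name in an unexpected directory
    expected_dirs = EXPECTED_LOCATIONS.get(name)
    if expected_dirs is not None and parent not in expected_dirs:
        findings.append(f"trusted name {name!r} in unexpected directory {parent!r}")

    # (2) known name whose hash is not the expected one
    expected_hash = KNOWN_HASHES.get(name)
    if expected_hash is not None and rec.sha256 != expected_hash:
        findings.append(f"hash of {name!r} does not match the expected hash")

    # (3) on-disk name differs from the compiled-in resource name: renamed after build
    if rec.original_filename and rec.original_filename.lower() != name:
        findings.append(
            f"on-disk name {name!r} differs from resource OriginalFilename "
            f"{rec.original_filename!r} (renamed after compile)"
        )
    return findings


def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map every inventory path to its indicators."""
    return {r.path: assess(r) for r in records}


# Constructed inventory: one clean system binary, one look-alike in a user-writable
# directory, one renamed copy of rundll32.exe, and a Linux binary using a trusted name.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\svchost.exe", "PLACEHOLDER-SHA256-svchost", "svchost.exe"),
    FileRecord(r"C:\Users\Public\svchost.exe", "PLACEHOLDER-SHA256-other", "svchost.exe"),
    FileRecord(r"C:\Windows\Temp\update.exe", "PLACEHOLDER-SHA256-rundll32", "rundll32.exe"),
    FileRecord("/tmp/rsyncd", "PLACEHOLDER-SHA256-elf", None),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_INVENTORY).items():
        print(path, "->", findings or "clean")
```

Each finding is a lead rather than a verdict: as the description notes, a disk/resource name mismatch also occurs for legitimately renamed or repackaged software, so the output is meant to prioritise hunting, not to block execution on its own.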
Details Published Attributes CTI Title
Details Website 2024-10-10 22 Secure Your World with Phishing Resistant Passkeys
Details Website 2024-10-10 182 Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware | CTF导航
Details Website 2024-10-09 9 BPFDoor Linux Malware Detected by AhnLab EDR - ASEC
Details Website 2024-10-09 36 Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
Details Website 2024-10-09 0 Operation MiddleFloor: Unmasking the Disinformation Campaign Targeting Moldova's National Elections - Check Point Blog
Details Website 2024-10-08 1 North Korean APT Hackers Exploiting DMARC Misconfigs For Phishing Attacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Details Website 2024-10-08 3 Active Ransomware Threat Groups Up 30% in 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
Details Website 2024-10-08 12 File hosting services misused for identity phishing | Microsoft Security Blog
Details Website 2024-10-08 0 Mukesh Ambani, Virat Kohli, and Ronaldo: How Scammers Use Deepfakes to Promote Fake Gaming Apps - CloudSEK News
Details Website 2024-10-08 21 MisterioLNK: The Open-Source Builder Behind Malicious Loaders - Cyble
Details Website 2024-10-07 14 Crypto Security Truths: Issue 14
Details Website 2024-10-07 141 Mind the (air) gap: GoldenJackal gooses government guardrails
Details Website 2024-10-06 29 Blue Team Labs Online — Suspicious USB Stick Challenge Walkthrough
Details Website 2024-10-06 4 Perfctl Malware: A Stealthy Threat Targeting Linux Servers Globally
Details Website 2024-10-06 1 The Good, the Bad and the Ugly in Cybersecurity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Details Website 2024-10-04 100 SIEM agent used in SilentCryptoMiner attacks
Details Website 2024-10-04 0 U.S. Blocks 100+ Domains Linked to ColdRiver Hacking Group Tied to FSB | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Details Website 2024-10-04 34 VILSA STEALER - CYFIRMA
Details Website 2024-10-04 1 Prince Ransomware Hits UK and US via Royal Mail Phishing Scam
Details Website 2024-10-04 100 SIEM agent being used in SilentCryptoMiner attacks
Details Website 2024-10-04 7 Linux Malware perfctl Attacking Millions of Linux Servers
Details Website 2024-10-04 0 Report says cybercrime rings a signature trend in supply chain landscape | #cybercrime | #infosec | National Cyber Security Consulting
Details Website 2024-10-04 1 The Good, the Bad and the Ugly in Cybersecurity - Week 40
Details Website 2024-10-04 0 International Phishing Ring Dismantled in Major Interpol Sweep
Details Website 2024-10-03 11 My Recent Journey In Detecting Cobalt Strike