T1036 Masquerading Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownSystemBinaries = dynamic(["svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe"]);
let TrustedPaths = dynamic(["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (KnownSystemBinaries)
| where not(FolderPath has_any (TrustedPaths))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
         ProcessId, InitiatingProcessId
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Process: Process Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers that temporarily extract executables with system-like names to temp directories
Windows Subsystem for Linux (WSL) and virtualization software that may run processes with similar names
Software testing and development environments where binaries are compiled with system-like names
Some third-party security tools that use helper processes named after system binaries

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (OriginalFileName IN ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe")
  OR Image IN ("*\\svchost.exe", "*\\csrss.exe", "*\\lsass.exe", "*\\services.exe", "*\\smss.exe", "*\\wininit.exe", "*\\winlogon.exe", "*\\explorer.exe", "*\\spoolsv.exe", "*\\taskhost.exe", "*\\taskhostw.exe", "*\\conhost.exe", "*\\dllhost.exe", "*\\RuntimeBroker.exe"))
  NOT (Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\explorer.exe")
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| table _time, host, User, Image, OriginalFileName, CommandLine, ParentImage, ParentCommandLine, ProcessId, ParentProcessId
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Process: Process Metadata Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers that temporarily extract executables with system-like names to temp directories
Windows Subsystem for Linux (WSL) and virtualization software that may run processes with similar names
Software testing and development environments where binaries are compiled with system-like names
Some third-party security tools that use helper processes named after system binaries

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe") and
  not process.executable like~ ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\explorer.exe", "C:\\Windows\\winsxs\\*")

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (Windows)

Required Tables

logs-endpoint.events.process-*

False Positives

Software deployment tools or application virtualization platforms (e.g., Citrix, VMware ThinApp) that stage system binaries in application-specific directories
Security testing frameworks or EDR simulation tools that spawn processes from temp directories during evaluation
Custom Windows images or WinPE environments where system binaries reside in non-standard mount paths during imaging workflows

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       username,
       "Process Name" AS process_name,
       "Process Path" AS process_path,
       "Parent Process Name" AS parent_process,
       "Command" AS command_line,
       LOGSOURCENAME(logsourceid) AS log_source,
       hostname
FROM events
WHERE LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */
  AND QIDNAME(qid) LIKE '%Process%'
  AND ("Process Name" ILIKE 'svchost.exe'
    OR "Process Name" ILIKE 'csrss.exe'
    OR "Process Name" ILIKE 'lsass.exe'
    OR "Process Name" ILIKE 'services.exe'
    OR "Process Name" ILIKE 'smss.exe'
    OR "Process Name" ILIKE 'wininit.exe'
    OR "Process Name" ILIKE 'winlogon.exe'
    OR "Process Name" ILIKE 'explorer.exe'
    OR "Process Name" ILIKE 'spoolsv.exe'
    OR "Process Name" ILIKE 'taskhost.exe'
    OR "Process Name" ILIKE 'taskhostw.exe'
    OR "Process Name" ILIKE 'conhost.exe'
    OR "Process Name" ILIKE 'dllhost.exe'
    OR "Process Name" ILIKE 'RuntimeBroker.exe')
  AND "Process Path" NOT ILIKE 'C:\Windows\System32\%'
  AND "Process Path" NOT ILIKE 'C:\Windows\SysWOW64\%'
  AND "Process Path" NOT ILIKE 'C:\Windows\explorer.exe'
  AND "Process Path" NOT ILIKE 'C:\Windows\winsxs\%'
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (DSM) Sysmon via Universal DSM

Required Tables

events

False Positives

Application packaging tools that extract and execute system utilities from temp directories as part of installation routines
Backup and recovery software that may stage system processes in alternate locations during bare-metal restore operations
Sandboxed application containers or browser-based isolation technologies that redirect system binary paths

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventID = "1" OR EventCode = "1"
| parse field=Message "Image: *\n" as process_path nodrop
| parse field=Message "OriginalFileName: *\n" as original_filename nodrop
| parse field=Message "CommandLine: *\n" as command_line nodrop
| parse field=Message "ParentImage: *\n" as parent_image nodrop
| parse field=Message "User: *\n" as user nodrop
| parse field=Message "ProcessId: *\n" as process_id nodrop
| if(isBlank(process_path), Image, process_path) as process_path
| toUpperCase(process_path) as path_upper
| parse regex field=path_upper "(?<process_name>[^\\\\]+)$" nodrop
| toLowercase(process_name) as process_name_lower
| where process_name_lower in ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe")
| where !(path_upper matches /^C:\\WINDOWS\\SYSTEM32\\/) 
| where !(path_upper matches /^C:\\WINDOWS\\SYSWOW64\\/)
| where !(path_upper = "C:\\WINDOWS\\EXPLORER.EXE")
| where !(path_upper matches /^C:\\WINDOWS\\WINSXS\\/)
| fields _messageTime, _sourceHost, user, process_path, original_filename, command_line, parent_image, process_id
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon Event Log via Sumo Logic

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Enterprise software management platforms (e.g., SCCM, Tanium) that copy system utilities to staging directories before execution
Developer workstations running build systems or CI/CD agents that invoke system binaries from project-relative paths
System recovery or forensic tools that execute system binaries from alternate root partitions or recovery media

Google Chronicle / SecOps

yaral

rule t1036_masquerading_system_binary_wrong_path {
  meta:
    author = "df00tech"
    description = "Detects known Windows system binaries executing from non-standard file paths, indicative of masquerading (T1036)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      re.regex($e.target.process.file.full_path, `(?i)\\svchost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\csrss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\lsass\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\services\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\smss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\wininit\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\winlogon\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\explorer\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\spoolsv\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhostw\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\conhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\dllhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\RuntimeBroker\.exe$`)
    )
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ystem32\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ys[Ww][Oo][Ww]64\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ww]in[Ss][Xx][Ss]\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ee]xplorer\.exe$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint (via Chronicle Forwarder or EDR integration)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Windows Subsystem for Linux (WSL) environments where Windows binaries may appear at non-standard Unix-style paths in normalized UDM logs
Endpoint detection and response tools that fork monitored processes and may log them with their own staging paths
Custom enterprise gold images where system binaries are pre-staged to alternative drive letters before sysprep completes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(svchost|csrss|lsass|services|smss|wininit|winlogon|explorer|spoolsv|taskhost|taskhostw|conhost|dllhost|RuntimeBroker)\.exe$/
| ImageFileName != /(?i)^\\Device\\HarddiskVolume[0-9]+\\Windows\\System32\\/
| ImageFileName != /(?i)^\\Device\\HarddiskVolume[0-9]+\\Windows\\SysWOW64\\/
| ImageFileName != /(?i)^\\Device\\HarddiskVolume[0-9]+\\Windows\\WinSxS\\/
| ImageFileName != /(?i)^\\Device\\HarddiskVolume[0-9]+\\Windows\\explorer\.exe$/
| regex(field=ImageFileName, regex="(?i)(?P<binary_name>[^\\\\]+)$")
| table([@timestamp, ComputerName, UserName, ImageFileName, binary_name, CommandLine, ParentImageFileName, ParentCommandLine, TargetProcessId, ContextProcessId])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Windows) CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor self-tests or prevention policy simulations that launch processes from non-standard paths to validate detection coverage
Windows installer packages that temporarily extract and execute system binaries from %TEMP% directories during in-place upgrade sequences
Antivirus or DLP quarantine processes that relocate suspect files including binaries matching system name patterns before remediation

Masquerading

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (12)

Same Tactic: Defense Evasion

Popular Detections