Detect Masquerade Task or Service in Elastic Security
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones, such as 'Windows Update Security', 'Google Chrome Security Update', or 'Microsoft Network Realtime Inspection Service'.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.004 Masquerade Task or Service
- Canonical reference
- https://attack.mitre.org/techniques/T1036/004/
Elastic Detection Query
sequence by host.name with maxspan=5m
[registry where registry.path : ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\*") and
registry.data.strings : ("*svchost*", "*update*", "*security*", "*microsoft*", "*google*", "*chrome*", "*adobe*") and
registry.value : "ImagePath"]
[process where event.type == "start" and process.parent.name : "services.exe"]
// Alternative flat query for service installation events:
process where event.type == "start" and
process.parent.name : "services.exe" and
(
process.name : ("Windows Update Security*", "Microsoft Network Realtime*", "Windows Advanced Task Manager*",
"Google Chrome Security Update*", "Windows Video Service*", "Windows Power Efficiency*",
"System Authorization Service*", "Windows Management Help*", "Microsoft Support*",
"Windows User Service*") or
process.args : ("*svchost*service*", "*update*service*", "*security*service*",
"*microsoft*service*", "*google*service*", "*chrome*service*", "*adobe*service*")
)Detects installation of Windows services with names mimicking legitimate Microsoft, Google, or Adobe services. Uses ECS process and registry event types to identify masqueraded service names spawned under services.exe.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate third-party software installers that create services with names similar to Microsoft or Google products during initial setup
- Enterprise software management tools (SCCM, Tanium) that deploy services with generic descriptive names matching the suspicious patterns
- Security vendors whose agent services use names containing 'update', 'security', or vendor names like 'Microsoft' legitimately
Other platforms for T1036.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Masquerading Windows Service
Expected signal: Windows System Event ID 7045: A service was installed with ServiceName=WindowsUpdateSecurity and DisplayName='Windows Update Security Patches'. Sysmon Event ID 12/13: Registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\WindowsUpdateSecurity.
- Test 2Create Masquerading Scheduled Task
Expected signal: Security Event ID 4698: A scheduled task was created with TaskName=AdobeFlashSync. Sysmon Event ID 1: schtasks.exe process creation with /create command line.
- Test 3Create Masquerading Systemd Service (Linux)
Expected signal: File creation event for /etc/systemd/system/dbus-inotifier.service. Process execution of systemctl daemon-reload. Auditd events for write to /etc/systemd/system/.
References (6)
- https://attack.mitre.org/techniques/T1036/004/
- http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
- https://vms.drweb.com/virus/?i=4276269
- https://technet.microsoft.com/en-us/library/bb490996.aspx
- https://www.freedesktop.org/software/systemd/man/systemd.service.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md
Unlock Pro Content
Get the full detection package for T1036.004 including response playbook, investigation guide, and atomic red team tests.