T1036.004 CrowdStrike LogScale · LogScale

Detect Masquerade Task or Service in CrowdStrike LogScale

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones, such as 'Windows Update Security', 'Google Chrome Security Update', or 'Microsoft Network Realtime Inspection Service'.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.004 Masquerade Task or Service
Canonical reference
https://attack.mitre.org/techniques/T1036/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
// CrowdStrike LogScale (Falcon) - Masqueraded Service Installation T1036.004
// LogScale has no where() and regex() takes no as= parameter, so each case{} branch
// filters on ServiceDisplayName and tags MatchReason; events matching no branch are dropped.
#event_simpleName=ServiceInstall
| case {
    ServiceDisplayName=/(windows update security|microsoft network realtime|windows advanced task manager|google chrome security update|windows video service|windows power efficiency|system authorization service|windows management help|microsoft support|windows user service)/i | MatchReason := "KnownSuspiciousName";
    ServiceDisplayName=/(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)/i | MatchReason := "GenericMimicName";
  }
| table([timestamp, ComputerName, UserName, ServiceDisplayName, ServiceImagePath, ServiceObjectName, ServiceType, ServiceStartType, MatchReason])
| sort(timestamp, order=desc)

// Alternative: catch masquerade via process ancestry (services.exe spawning unexpected children)
// #event_simpleName=ProcessRollup2
// | ParentBaseFileName="services.exe"
// | ImageFileName=/(windows update|microsoft network|google chrome|system authorization|windows management)/i
// | groupBy([ComputerName, UserName, ImageFileName, CommandLine], function=count())
Severity: high. Confidence: high.

CrowdStrike LogScale (CQL) query over Falcon ServiceInstall events that flags masqueraded service display names. It matches two tiers of patterns: a list of known suspicious names and a generic vendor-name mimicry pattern (a Microsoft, Google, Adobe or similar brand word followed by "service", "task", "helper" or "agent"). A commented alternative query detects the same behaviour through process ancestry (children of services.exe with mimicked binary names).

Data Sources

  • CrowdStrike Falcon EDR (ServiceInstall events)
  • CrowdStrike Falcon ProcessRollup2 events
  • Falcon Data Replicator (FDR)

Required Tables

  • #event_simpleName = ServiceInstall
  • #event_simpleName = ProcessRollup2

False Positives & Tuning

  • Legitimate CrowdStrike sensor updates or other Falcon platform components that may install or update service registrations with names matching the generic pattern
  • Enterprise MDM or endpoint management platforms (Ivanti, ManageEngine) that register management agent services with names containing 'Windows', 'Update', or 'Security'
  • Software with OEM or white-labeled components that adopt Microsoft or Google product naming conventions in their service identifiers during installation
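The same two-tier name matching as the LogScale query, run over constructed sample ServiceInstall-style events in Python, with an image-path allowlist of the kind the tuning notes call for. This is an added example, not code from the original page; the event field shapes, the sample names and the allowlisted path prefix are assumptions.

```python
import re

# Constructed sample events shaped like Falcon ServiceInstall telemetry (not real data).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ServiceDisplayName": "Windows Update Security Patches",
     "ServiceImagePath": r"C:\Users\Public\svc.exe"},
    {"ComputerName": "WS02", "ServiceDisplayName": "Adobe Helper Service",
     "ServiceImagePath": r"C:\ProgramData\a\helper.exe"},
    # Hypothetical management agent: the name trips the generic pattern, the path is expected.
    {"ComputerName": "WS03", "ServiceDisplayName": "Ivanti Security Controls Agent",
     "ServiceImagePath": r"C:\Program Files\Ivanti\Agent\agent.exe"},
    {"ComputerName": "WS04", "ServiceDisplayName": "Print Spooler",
     "ServiceImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# Tier 1: names taken from the page's known-suspicious list.
KNOWN_SUSPICIOUS = re.compile(
    r"(windows update security|microsoft network realtime|windows advanced task manager|"
    r"google chrome security update|windows video service|windows power efficiency|"
    r"system authorization service|windows management help|microsoft support|"
    r"windows user service)", re.I)
# Tier 2: brand word followed later by a service-like noun (generic vendor mimicry).
GENERIC_MIMIC = re.compile(
    r"(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)", re.I)

# Tuning allowlist (assumed): lowercase image-path prefixes of sanctioned agents.
# In LogScale this is a ServiceImagePath!=/.../i clause before the case{} block.
ALLOWED_IMAGE_PREFIXES = ("c:\\program files\\ivanti\\",)


def classify(event):
    """Return the match reason for one event, or None if it should not alert."""
    name = event.get("ServiceDisplayName", "")
    path = event.get("ServiceImagePath", "").lower()
    if path.startswith(ALLOWED_IMAGE_PREFIXES):
        return None  # sanctioned install location: suppress regardless of name
    if KNOWN_SUSPICIOUS.search(name):
        return "KnownSuspiciousName"
    if GENERIC_MIMIC.search(name):
        return "GenericMimicName"
    return None


def detect(events):
    """Mirror the query's output: matching events, each tagged with MatchReason."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({**ev, "MatchReason": reason})
    return hits
```

Running detect(SAMPLE_EVENTS) returns WS01 (known name) and WS02 (generic mimicry); WS03 is suppressed by the path allowlist and WS04 matches neither tier.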
Testing Methodology

Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Masquerading Windows Service

    Expected signal: Windows System Event ID 7045: A service was installed with ServiceName=WindowsUpdateSecurity and DisplayName='Windows Update Security Patches'. Sysmon Event ID 12/13: Registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\WindowsUpdateSecurity.

  2. Test 2: Create Masquerading Scheduled Task

    Expected signal: Security Event ID 4698: A scheduled task was created with TaskName=AdobeFlashSync. Sysmon Event ID 1: schtasks.exe process creation with /create command line.

  3. Test 3: Create Masquerading Systemd Service (Linux)

    Expected signal: File creation event for /etc/systemd/system/dbus-inotifier.service. Process execution of systemctl daemon-reload. Auditd events for write to /etc/systemd/system/.
