T1036.005 Google Chronicle · YARA-L

Detect Match Legitimate Resource Name or Location in Google Chronicle

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.005 Match Legitimate Resource Name or Location
Canonical reference
https://attack.mitre.org/techniques/T1036/005/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1036_005_masquerading_system_process_name {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects processes using legitimate Windows system process names executing from non-standard paths (outside System32/SysWOW64). Covers MITRE ATT&CK T1036.005."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // File-name component of the launched binary matches a known Windows
    // system process name (case-insensitive). The name is taken from the
    // full path rather than by indexing the repeated file.names field,
    // which YARA-L does not support.
    re.regex($e.target.process.file.full_path, `(?i)\\(svchost|csrss|lsass|services|smss|wininit|conhost|dllhost|RuntimeBroker|msdtc|wuauclt|taskhostw|spoolsv)\.exe$`)

    // ... but the binary is not located in a standard system path
    not re.regex($e.target.process.file.full_path, `(?i)^C:\\Windows\\(System32|SysWOW64)\\`)

  condition:
    $e
}
```
Severity: High · Confidence: High

Chronicle YARA-L 2.0 rule detecting T1036.005 masquerading by matching system-critical process names (svchost, lsass, csrss, services, etc.) that execute from file paths outside the standard Windows System32 and SysWOW64 directories, using UDM PROCESS_LAUNCH events.

Data Sources

  • Chronicle UDM (Unified Data Model)
  • Windows Sysmon via Chronicle forwarder
  • Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH type)

False Positives & Tuning

  • Enterprise software packaging tools that extract and execute system process copies from temp or staging directories as part of installation verification steps
  • Incident response tooling that copies system binaries to analysis directories for hash comparison and version verification workflows
  • Legacy application compatibility shims or virtualization layers that remap system process paths to alternate locations on non-standard Windows configurations

Testing Methodology

Validate this detection against the three adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Execute svchost.exe from User Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe and ParentImage not services.exe. OriginalFileName=Cmd.Exe, which does not match the current name svchost.exe.

  2. Test 2: Masquerade as lsass.exe in AppData

    Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. The parent process will not be wininit.exe (ParentMismatch=TRUE).

  3. Test 3: Masquerade Process Name on Linux

    Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, a SYSCALL execve event for /tmp/kworker; /proc/<PID>/exe will point to /tmp/kworker. Note that the YARA-L rule above matches only Windows path and file-name conventions, so this Linux case is not covered by it and needs a separate rule.
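To check the rule's logic before deploying it, the following added example (not part of this page or the Argus rule set) re-implements the two regex predicates of the YARA-L rule in Python and runs them over constructed UDM PROCESS_LAUNCH events that mirror the three tests above plus benign controls. It assumes Python's `re` agrees with RE2 on these patterns, which it does for this syntax.

```python
import re

# Same patterns as the YARA-L rule above (RE2 syntax; Python's re agrees on these),
# applied to target.process.file.full_path of a UDM PROCESS_LAUNCH event.
SYSTEM_PROCESS_RE = re.compile(
    r"\\(svchost|csrss|lsass|services|smss|wininit|conhost|dllhost|"
    r"RuntimeBroker|msdtc|wuauclt|taskhostw|spoolsv)\.exe$",
    re.IGNORECASE,
)
STANDARD_PATH_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every predicate in the rule's events section."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return False
    path = (event.get("target", {}).get("process", {})
            .get("file", {}).get("full_path", ""))
    # Name looks like a system process, but it is not under System32/SysWOW64
    return bool(SYSTEM_PROCESS_RE.search(path)) and not STANDARD_PATH_RE.match(path)


def launch(path: str) -> dict:
    """Build a minimal constructed UDM PROCESS_LAUNCH event (sample data, not real telemetry)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "target": {"process": {"file": {"full_path": path}}}}


# Constructed samples: the three tests above plus benign controls that must not alert.
SAMPLE_EVENTS = {
    "test1_temp_svchost": launch(r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    "test2_appdata_lsass": launch(r"C:\Users\alice\AppData\Roaming\lsass.exe"),
    "test3_linux_kworker": launch("/tmp/kworker"),
    "benign_system32_svchost": launch(r"C:\Windows\System32\svchost.exe"),
    "benign_syswow64_conhost": launch(r"c:\windows\syswow64\conhost.exe"),
    "benign_vendor_updater": launch(r"C:\Program Files\Vendor\updater.exe"),
}


def evaluate_samples() -> dict:
    """Map each sample label to whether the rule would fire on it."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:26s} -> {'ALERT' if fired else 'no alert'}")
```

The Linux sample not firing confirms that Test 3 needs its own rule rather than a tuning change to this one.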
