Detect Match Legitimate Resource Name or Location in Elastic Security
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.005 Match Legitimate Resource Name or Location
- Canonical reference
- https://attack.mitre.org/techniques/T1036/005/
Elastic Detection Query
process where event.type == "start"
and process.name in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "msdtc.exe", "wuauclt.exe", "taskhostw.exe", "spoolsv.exe")
and not (
process.executable like~ "C:\\Windows\\System32\\*" or
process.executable like~ "C:\\Windows\\SysWOW64\\*"
)
or (
process.name == "svchost.exe" and process.parent.name != "services.exe" and
process.executable like~ "C:\\Windows\\System32\\svchost.exe"
)
or (
process.name == "lsass.exe" and process.parent.name != "wininit.exe" and
process.executable like~ "C:\\Windows\\System32\\lsass.exe"
)
or (
process.name == "csrss.exe" and process.parent.name not in ("smss.exe", "csrss.exe") and
process.executable like~ "C:\\Windows\\System32\\csrss.exe"
)Detects processes using legitimate Windows system process names (svchost.exe, lsass.exe, csrss.exe, etc.) that are either executing from non-standard paths outside System32/SysWOW64, or exhibiting unexpected parent-child process relationships inconsistent with normal Windows process hierarchy.
Data Sources
Required Tables
False Positives & Tuning
- Security or AV products that launch wrapper processes with system process names in their own installation directories for sandboxing or hooking purposes
- Software deployment tools (e.g., SCCM, Ansible) that temporarily stage executables in non-standard locations during installation routines
- Virtualization or container runtimes that emulate Windows process hierarchies with modified parent relationships (e.g., Wine, compatibility layers)
Other platforms for T1036.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute svchost.exe from User Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.
- Test 2Masquerade as lsass.exe in AppData
Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).
- Test 3Masquerade Process Name on Linux
Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.
References (6)
- https://attack.mitre.org/techniques/T1036/005/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/
- https://x.com/ItsReallyNick/status/1055321652777619457
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md
- https://docs.docker.com/engine/reference/commandline/images/
Unlock Pro Content
Get the full detection package for T1036.005 including response playbook, investigation guide, and atomic red team tests.