T1036.005 CrowdStrike LogScale · LogScale

Detect Match Legitimate Resource Name or Location in CrowdStrike LogScale

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.005 Match Legitimate Resource Name or Location
Canonical reference
https://attack.mitre.org/techniques/T1036/005/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)\\(svchost|csrss|lsass|services|smss|wininit|conhost|dllhost|RuntimeBroker|msdtc|wuauclt|taskhostw|spoolsv)\.exe$/
| !ImageFileName = /(?i)^C:\\Windows\\(System32|SysWOW64)\\/
| ParentBaseFileName := replace(ParentImageFileName, /^.*\\/, "")
| ProcessName := replace(ImageFileName, /^.*\\/, "")
| ParentMismatch := case {
    ProcessName = /(?i)^svchost\.exe$/ and !ParentBaseFileName = /(?i)^services\.exe$/ : "true" ;
    ProcessName = /(?i)^lsass\.exe$/ and !ParentBaseFileName = /(?i)^wininit\.exe$/ : "true" ;
    ProcessName = /(?i)^csrss\.exe$/ and !ParentBaseFileName = /(?i)^(smss|csrss)\.exe$/ : "true" ;
    ProcessName = /(?i)^services\.exe$/ and !ParentBaseFileName = /(?i)^wininit\.exe$/ : "true" ;
    * : "false"
  }
| groupBy([ComputerName, UserName, ImageFileName, ParentImageFileName, CommandLine, SHA256HashData], function=count(aid, as=EventCount))
| sort(EventCount, order=desc)
| select([ComputerName, UserName, ProcessName, ImageFileName, ParentBaseFileName, ParentImageFileName, ParentMismatch, CommandLine, SHA256HashData, EventCount])
high severity high confidence

CrowdStrike LogScale (Falcon) query detecting T1036.005 by identifying ProcessRollup2 events where known system process names execute outside System32/SysWOW64, with parent process relationship validation for high-value targets (svchost, lsass, csrss, services). Groups by host and process attributes for efficient analyst triage.

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor updates or self-healing processes that temporarily launch named child processes from non-standard sensor staging directories during version rollout
  • Application virtualization solutions (e.g., VMware ThinApp, Microsoft App-V) that encapsulate system process executables within virtual filesystem containers at non-standard paths
  • Custom IT operations scripts that spawn renamed copies of system executables in scratch directories for log collection or diagnostic data gathering purposes
Download portable Sigma rule (.yml)

Other platforms for T1036.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute svchost.exe from User Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.

  2. Test 2Masquerade as lsass.exe in AppData

    Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).

  3. Test 3Masquerade Process Name on Linux

    Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1036.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1574.001DLLT1574.002DLL Side-LoadingT1055Process Injection

Same Tactic: Defense Evasion

Popular Detections