
Detect Match Legitimate Resource Name or Location in IBM QRadar

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.005 Match Legitimate Resource Name or Location
Canonical reference
https://attack.mitre.org/techniques/T1036/005/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Process Name",
  "Process Path",
  "Parent Process Name",
  "Command",
  sourceip
FROM events
WHERE
  devicetype IN (382, 399)
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    "Process Name" ILIKE 'svchost.exe'
    OR "Process Name" ILIKE 'csrss.exe'
    OR "Process Name" ILIKE 'lsass.exe'
    OR "Process Name" ILIKE 'services.exe'
    OR "Process Name" ILIKE 'smss.exe'
    OR "Process Name" ILIKE 'wininit.exe'
    OR "Process Name" ILIKE 'conhost.exe'
    OR "Process Name" ILIKE 'dllhost.exe'
    OR "Process Name" ILIKE 'RuntimeBroker.exe'
    OR "Process Name" ILIKE 'msdtc.exe'
    OR "Process Name" ILIKE 'wuauclt.exe'
  )
  AND NOT (
    "Process Path" ILIKE 'C:\Windows\System32\%'
    OR "Process Path" ILIKE 'C:\Windows\SysWOW64\%'
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity
high
Confidence
medium

Identifies Windows system process names executing from outside their expected System32 or SysWOW64 directories, using QRadar AQL against Sysmon (log source type ID 382) and Microsoft Windows Security Event Log (log source type ID 399) sources. Flags masquerading attempts in which an adversary copies or renames a binary to a protected system process name and runs it from a non-standard path. The log source type filter uses the events table's devicetype field, which holds the log source type ID; the time window (LAST 24 HOURS) is an AQL time clause and belongs after ORDER BY. Before deploying, confirm the two IDs against the log source types actually present in your deployment, and confirm that the "Process Name" custom event property holds the bare file name: if it holds the full path, as the New Process Name field of Security event 4688 does, the exact-match patterns never hit and must become suffix matches with a leading % wildcard. Two further limits worth knowing: the trailing % in the path exclusions accepts any subdirectory of System32 or SysWOW64, not just the directory itself, and events with no "Process Path" value are dropped silently, because NOT (NULL ILIKE ...) does not evaluate to true.
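To check the matching rules before the query is deployed, here is an added example (not code from the original page or from IBM) that replays the AQL's WHERE logic in Python over constructed events. The event keys mirror the custom event property names used in the query, the parent-process expectations are taken from the Testing Methodology section below and are only enrichment on a path hit, and all sample events are fabricated.

```python
"""Offline replay of the QRadar T1036.005 masquerading query.

Added example, not the page's own code: applies the same name/path logic
as the AQL to dict-shaped events so the rules can be unit-tested.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# Bare file names the AQL's ILIKE list watches (compared case-insensitively).
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
    "wininit.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe",
    "msdtc.exe", "wuauclt.exe",
}

# Directories excluded by NOT ("Process Path" ILIKE 'C:\Windows\System32\%' ...).
# As with the trailing '%', a prefix match also accepts their subdirectories.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Expected parents quoted in the Testing Methodology section (assumption: only
# the two listed there). The query itself does not alert on parent alone.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}


@dataclass
class Finding:
    event_time: str
    log_source: str
    process_name: str
    process_path: str
    reasons: tuple[str, ...]


def in_trusted_dir(path: str) -> bool:
    """True when the file's directory is System32/SysWOW64 or a subdirectory of one."""
    directory = ntpath.dirname(path).lower()
    return any(directory == p or directory.startswith(p + "\\") for p in TRUSTED_DIR_PREFIXES)


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the query's WHERE logic to one event; return a Finding or None."""
    if "process create" not in (event.get("qidname") or "").lower():
        return None  # QIDNAME(qid) ILIKE '%process create%'
    path = event.get("Process Path") or ""
    if not path:
        return None  # NOT (NULL ILIKE ...) is never true in AQL, so the row is dropped
    # 4688-style sources may only supply the full path; derive the bare name then.
    name = (event.get("Process Name") or ntpath.basename(path)).lower()
    if name not in SYSTEM_PROCESS_NAMES or in_trusted_dir(path):
        return None
    reasons = [f"{name} launched from {ntpath.dirname(path)} instead of System32/SysWOW64"]
    parent = (event.get("Parent Process Name") or "").lower()
    expected = EXPECTED_PARENT.get(name)
    if expected and parent and parent != expected:
        reasons.append(f"parent is {parent}, expected {expected}")
    return Finding(event.get("event_time", ""), event.get("log_source", ""),
                   name, path, tuple(reasons))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01 10:00:00", "log_source": "Sysmon @ WS01",
     "qidname": "Process Create", "Process Name": "svchost.exe",
     "Process Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "Parent Process Name": "cmd.exe"},                      # Test 1 shape: hit
    {"event_time": "2024-05-01 10:00:05", "log_source": "Sysmon @ WS01",
     "qidname": "Process Create", "Process Name": "svchost.exe",
     "Process Path": "C:\\Windows\\System32\\svchost.exe",
     "Parent Process Name": "services.exe"},                 # legitimate: no hit
    {"event_time": "2024-05-01 10:01:00", "log_source": "WinSec @ WS02",
     "qidname": "Process Create",                            # 4688 style, no bare name
     "Process Path": "C:\\Users\\alice\\AppData\\Roaming\\lsass.exe",
     "Parent Process Name": "powershell.exe"},               # Test 2 shape: hit
    {"event_time": "2024-05-01 10:02:00", "log_source": "Sysmon @ WS01",
     "qidname": "Network Connection", "Process Name": "svchost.exe",
     "Process Path": "C:\\Temp\\svchost.exe"},               # wrong event type: ignored
    {"event_time": "2024-05-01 10:03:00", "log_source": "Sysmon @ WS01",
     "qidname": "Process Create", "Process Name": "notepad.exe",
     "Process Path": "C:\\Windows\\System32\\notepad.exe"},  # not a watched name
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the findings the query would produce for the given events."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for f in run():
        print(f.event_time, f.log_source, f.process_path, "|", "; ".join(f.reasons))
```

Tightening `in_trusted_dir` to an exact directory comparison (drop the `startswith` branch) is the one-line change that corresponds to removing the trailing `%` from the AQL's path exclusions; the sample shows why that matters, since a file under a System32 subdirectory currently passes as trusted.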

Data Sources

Windows Sysmon (QRadar DSM)
Microsoft Windows Security Event Log (QRadar DSM)

Required Tables

events

False Positives & Tuning

  • Legitimate software installers that temporarily extract and run system process copies during upgrade workflows before moving them to their final destination
  • Forensic or IR tools that stage process binaries in analysis directories and execute them for hash comparison or metadata extraction
  • Custom enterprise monitoring agents that launch named child processes matching system process names for internal categorization or legacy compatibility
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Execute svchost.exe from User Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.

  2. Test 2: Masquerade as lsass.exe in AppData

    Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).

  3. Test 3: Masquerade Process Name on Linux

    Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.

    Coverage note: the AQL above is scoped to Windows log source types and .exe names, so Test 3 exercises the technique but will not fire this query; validating it needs a separate Linux (auditd) rule.
