Detect Match Legitimate Resource Name or Location in Splunk
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.005 Match Legitimate Resource Name or Location
- Canonical reference
- https://attack.mitre.org/techniques/T1036/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\svchost.exe" OR Image="*\\csrss.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe" OR Image="*\\smss.exe" OR Image="*\\wininit.exe" OR Image="*\\conhost.exe" OR Image="*\\dllhost.exe" OR Image="*\\RuntimeBroker.exe" OR Image="*\\msdtc.exe" OR Image="*\\wuauclt.exe")
NOT (Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\explorer.exe")
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| eval ParentName=mvindex(split(ParentImage, "\\"), -1)
| eval ParentMismatch=case(
lower(ProcessName)=="svchost.exe" AND lower(ParentName)!="services.exe", "TRUE",
lower(ProcessName)=="csrss.exe" AND lower(ParentName)!="smss.exe", "TRUE",
lower(ProcessName)=="lsass.exe" AND lower(ParentName)!="wininit.exe", "TRUE",
1==1, "FALSE")
| table _time, host, User, Image, ParentImage, ParentMismatch, CommandLine, Hashes
| sort - _timeDetects system binary names executing from non-standard paths with parent process validation using Sysmon Event ID 1. Checks that critical Windows processes have their expected parent processes, which is a strong indicator when combined with path mismatch.
Data Sources
Required Sourcetypes
False Positives & Tuning
- VMware Tools running from non-default install locations
- Application compatibility fixes that redirect binary execution paths
- Windows Feature on Demand creating system binary copies in temporary locations
Other platforms for T1036.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute svchost.exe from User Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.
- Test 2Masquerade as lsass.exe in AppData
Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).
- Test 3Masquerade Process Name on Linux
Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.
References (6)
- https://attack.mitre.org/techniques/T1036/005/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/
- https://x.com/ItsReallyNick/status/1055321652777619457
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md
- https://docs.docker.com/engine/reference/commandline/images/
Unlock Pro Content
Get the full detection package for T1036.005 including response playbook, investigation guide, and atomic red team tests.