Detect Match Legitimate Resource Name or Location in Sumo Logic CSE
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.005 Match Legitimate Resource Name or Location
- Canonical reference: https://attack.mitre.org/techniques/T1036/005/
Sumo Detection Query
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "Image" as process_path nodrop
| json field=_raw "ParentImage" as parent_path nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Hashes" as hashes nodrop
| where event_id = "1"
| parse regex field=process_path "(?:[^\\\\]+\\\\)*(?P<process_name>[^\\\\]+\.exe)$" nodrop
| parse regex field=parent_path "(?:[^\\\\]+\\\\)*(?P<parent_name>[^\\\\]+\.exe)$" nodrop
| where process_name in ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "msdtc.exe", "wuauclt.exe") (case insensitive)
| where !(process_path matches "C:\\Windows\\System32\\*") AND !(process_path matches "C:\\Windows\\SysWOW64\\*")
| if (process_name matches "(?i)svchost\.exe" and !(parent_name matches "(?i)services\.exe"), "TRUE", "FALSE") as parent_mismatch_svchost
| if (process_name matches "(?i)lsass\.exe" and !(parent_name matches "(?i)wininit\.exe"), "TRUE", "FALSE") as parent_mismatch_lsass
| if (process_name matches "(?i)csrss\.exe" and !(parent_name matches "(?i)smss\.exe"), "TRUE", "FALSE") as parent_mismatch_csrss
| if (parent_mismatch_svchost="TRUE" or parent_mismatch_lsass="TRUE" or parent_mismatch_csrss="TRUE", "TRUE", "FALSE") as any_parent_mismatch
| fields _messageTime, _collector, user, process_name, process_path, parent_name, parent_path, any_parent_mismatch, command_line, hashes
| sort by _messageTime desc

Sumo Logic CSE query detecting T1036.005 by identifying Windows system process names (svchost.exe, lsass.exe, csrss.exe, etc.) launched from non-standard paths outside System32/SysWOW64, with additional parent process relationship anomaly detection for high-value masqueraded processes.
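The same logic re-implemented in Python so it can be exercised offline against a handful of Sysmon Event ID 1 records. This is an added example, not code from the original page or from Sumo Logic: the protected-name list, trusted directories and expected child/parent pairs are copied from the query above; the OriginalFileName comparison is taken from the Testing Methodology section (Test 1) and assumes the record carries Sysmon's OriginalFileName field; all sample events and hash values are constructed placeholders.

```python
"""Offline re-implementation of the Sumo Logic CSE T1036.005 query over constructed Sysmon records."""
import json
import ntpath

# Process names the query treats as high-value masquerade targets (the query's `in` list, lower-cased).
PROTECTED_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
    "wininit.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe",
    "msdtc.exe", "wuauclt.exe",
}

# Directories these binaries are expected to run from (the query's two `matches` exclusions).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Expected parent for the three processes the query checks (child -> parent).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "csrss.exe": "smss.exe",
}


def basename(path):
    """Last component of a Windows path, lower-cased; mirrors the query's parse regex."""
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return a finding dict for one Sysmon record, or None if the record does not match."""
    if str(event.get("EventID")) != "1":
        return None
    process_path = event.get("Image", "")
    process_name = basename(process_path)
    if process_name not in PROTECTED_NAMES:
        return None
    if process_path.lower().startswith(TRUSTED_DIRS):
        return None  # running from a trusted system directory: excluded, as in the query
    parent_name = basename(event.get("ParentImage", ""))
    expected = EXPECTED_PARENT.get(process_name)
    parent_mismatch = expected is not None and parent_name != expected
    # Assumed field (Test 1 in the Testing Methodology): Sysmon's OriginalFileName comes from the
    # PE version resource, so a renamed binary keeps its original name while Image shows the new one.
    original = (event.get("OriginalFileName") or "").lower()
    name_mismatch = bool(original) and original != process_name
    return {
        "user": event.get("User"),
        "process_name": process_name,
        "process_path": process_path,
        "parent_name": parent_name,
        "any_parent_mismatch": parent_mismatch,
        "original_filename_mismatch": name_mismatch,
        "command_line": event.get("CommandLine"),
        "hashes": event.get("Hashes"),
    }


def run_detection(raw_lines):
    """Apply evaluate() to each JSON line, skipping lines that are not valid JSON."""
    findings = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry): a benign svchost, a svchost from %TEMP%
# launched by cmd.exe, an lsass from AppData, and an unrelated vendor agent.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
                "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM",
                "CommandLine": "svchost.exe -k netsvcs", "Hashes": "SHA256=PLACEHOLDER",
                "OriginalFileName": "svchost.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice",
                "CommandLine": "svchost.exe", "Hashes": "SHA256=PLACEHOLDER",
                "OriginalFileName": "Cmd.Exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\lsass.exe",
                "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice",
                "CommandLine": "lsass.exe", "Hashes": "SHA256=PLACEHOLDER"}),
    json.dumps({"EventID": 1, "Image": "C:\\Program Files\\Vendor\\agent.exe",
                "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM",
                "CommandLine": "agent.exe", "Hashes": "SHA256=PLACEHOLDER"}),
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: the %TEMP% svchost.exe (parent mismatch and OriginalFileName mismatch both true) and the AppData lsass.exe (parent mismatch only, since that record carries no OriginalFileName). The benign System32 svchost.exe is excluded by the trusted-directory check exactly as the query's `matches` clauses exclude it, and a process such as conhost.exe that the query lists but has no expected parent for yields `any_parent_mismatch` false, matching the query's "FALSE" default.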
Data Sources
Sysmon process-creation telemetry (Event ID 1) and Windows Security logs, ingested under _sourceCategory windows/sysmon and windows/security. The query extracts EventID, Image, ParentImage, CommandLine, User and Hashes from the JSON event body.
False Positives & Tuning
- Third-party endpoint management platforms (e.g., Tanium, BigFix) that shadow system process names in their working directories for health monitoring agents
- Windows Subsystem for Linux (WSL) or containerized Windows environments where process paths may differ from standard host filesystem paths
- Legitimate penetration testing or red team exercises using renamed process binaries during authorized engagements
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1036.005 listed below. Each test gives the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Execute svchost.exe from User Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.
- Test 2: Masquerade as lsass.exe in AppData
Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).
- Test 3: Masquerade Process Name on Linux
Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.
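Test 3 relies on a property the Sumo query above does not cover: a genuine Linux kernel thread has no backing executable, so /proc/<PID>/exe cannot be resolved for it and its parent is always kthreadd (PID 2), whereas a user-space binary named like one has a real exe link. The following host-side check is an added example, not code from the original page or from Atomic Red Team; the kernel-thread name pattern and the constructed process table are assumptions made for illustration, and scan_proc() only does real work when run on a Linux host.

```python
"""Flag user-space processes that carry a Linux kernel-thread name (Test 3 above)."""
import os
import re

# Assumed name pattern for genuine kernel threads as shown in /proc/<pid>/comm.
KERNEL_THREAD_RE = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|watchdog)")
KTHREADD_PID = 2  # every kernel thread is parented by kthreadd; kthreadd itself has ppid 0


def is_masquerading_kernel_thread(comm, exe_target, ppid):
    """True when a process advertises a kernel-thread name but looks like a user-space process.

    comm       -- name from /proc/<pid>/comm (no surrounding brackets)
    exe_target -- resolved /proc/<pid>/exe symlink, or None if it cannot be read
    ppid       -- parent PID from /proc/<pid>/stat
    """
    if not KERNEL_THREAD_RE.match(comm):
        return False
    # A real kernel thread has no exe link and hangs off kthreadd; anything else with this name
    # is either backed by a file on disk or was spawned by a user-space parent.
    if exe_target is None and ppid in (0, KTHREADD_PID):
        return False
    return True


def read_proc_entry(pid):
    """Collect (comm, exe_target, ppid) for a live PID; None if the process vanished mid-read."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            comm = fh.read().strip()
        with open(f"/proc/{pid}/stat") as fh:
            # The comm field is parenthesised and may contain spaces, so split after the last ')':
            # the remaining fields start with state, then ppid.
            ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
        try:
            exe_target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe_target = None  # also the case without ptrace access to another user's process
    except (OSError, ValueError):
        return None
    return comm, exe_target, ppid


def scan_proc():
    """Walk /proc on a Linux host; return [(pid, comm, exe_target)] for suspicious processes."""
    hits = []
    if not os.path.isdir("/proc"):
        return hits
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        info = read_proc_entry(int(entry))
        if info and is_masquerading_kernel_thread(*info):
            hits.append((int(entry), info[0], info[1]))
    return hits


def scan_table(table):
    """Apply the check to a {pid: (comm, exe_target, ppid)} table, e.g. one captured earlier."""
    return [pid for pid, info in table.items() if is_masquerading_kernel_thread(*info)]


# Constructed process table (not captured from a real host) in the shape read_proc_entry returns.
SAMPLE_PROCESSES = {
    7: ("kworker/0:1", None, 2),          # genuine kernel thread
    4321: ("kworker", "/tmp/kworker", 1),  # Test 3 scenario: file in /tmp named like a kernel thread
    800: ("sshd", "/usr/sbin/sshd", 1),    # ordinary daemon
}

if __name__ == "__main__":
    print("sample table hits:", scan_table(SAMPLE_PROCESSES))
    print("live /proc hits:", scan_proc())
```

The ppid signal works without privileges, since /proc/<PID>/stat is world-readable; resolving the exe link of another user's process needs ptrace access, which is why an unreadable link is treated as "no evidence" rather than as proof of a kernel thread. Auditd users get the same fact from the execve SYSCALL record named in the expected signal: a real kernel thread never passes through execve.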
References
- https://attack.mitre.org/techniques/T1036/005/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/
- https://x.com/ItsReallyNick/status/1055321652777619457
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md
- https://docs.docker.com/engine/reference/commandline/images/