T1036 Google Chronicle · YARA-L

Detect Masquerading in Google Chronicle

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Canonical reference
https://attack.mitre.org/techniques/T1036/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1036_masquerading_system_binary_wrong_path {
  meta:
    author = "df00tech"
    description = "Detects known Windows system binaries executing from non-standard file paths, indicative of masquerading (T1036)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      re.regex($e.target.process.file.full_path, `(?i)\\svchost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\csrss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\lsass\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\services\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\smss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\wininit\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\winlogon\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\explorer\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\spoolsv\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhostw\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\conhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\dllhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\RuntimeBroker\.exe$`)
    )
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ystem32\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ys[Ww][Oo][Ww]64\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ww]in[Ss][Xx][Ss]\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ee]xplorer\.exe$`)

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting Windows system process masquerading by identifying known system binary names executing from paths outside trusted Windows system directories.

Data Sources

Google Chronicle SIEMWindows Endpoint (via Chronicle Forwarder or EDR integration)

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Windows Subsystem for Linux (WSL) environments where Windows binaries may appear at non-standard Unix-style paths in normalized UDM logs
  • Endpoint detection and response tools that fork monitored processes and may log them with their own staging paths
  • Custom enterprise gold images where system binaries are pre-staged to alternative drive letters before sysprep completes
Download portable Sigma rule (.yml)

Other platforms for T1036

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Masquerade as svchost.exe from Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, OriginalFileName=Cmd.Exe. Security Event ID 4688 with NewProcessName containing svchost.exe in a temp directory. Sysmon Event ID 11: FileCreate for svchost.exe in temp.

  2. Test 2Masquerade as lsass.exe from User Profile

    Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe, OriginalFileName=NOTEPAD.EXE. The OriginalFileName mismatch is a key indicator.

  3. Test 3Masquerade as explorer.exe from Downloads

    Expected signal: Sysmon Event ID 1: Process Create with Image in Downloads folder, OriginalFileName mismatch. File creation event for explorer.exe in Downloads.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (12)

Related Techniques

T1036.001Invalid Code SignatureT1036.003Rename Legitimate UtilitiesT1036.005Match Legitimate Resource Name or LocationT1036.007Double File ExtensionT1036.008Masquerade File TypeT1574.001DLLT1218.011Rundll32T1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections