Detect Masquerading in Elastic Security
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Canonical reference
- https://attack.mitre.org/techniques/T1036/
Elastic Detection Query
process where event.type == "start" and
process.name in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe") and
not process.executable like~ ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\explorer.exe", "C:\\Windows\\winsxs\\*")Detects known Windows system binaries executing from non-standard paths, a classic masquerading technique where adversaries copy or rename legitimate executables to evade process-based defenses.
Data Sources
Required Tables
False Positives & Tuning
- Software deployment tools or application virtualization platforms (e.g., Citrix, VMware ThinApp) that stage system binaries in application-specific directories
- Security testing frameworks or EDR simulation tools that spawn processes from temp directories during evaluation
- Custom Windows images or WinPE environments where system binaries reside in non-standard mount paths during imaging workflows
Other platforms for T1036
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Masquerade as svchost.exe from Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, OriginalFileName=Cmd.Exe. Security Event ID 4688 with NewProcessName containing svchost.exe in a temp directory. Sysmon Event ID 11: FileCreate for svchost.exe in temp.
- Test 2Masquerade as lsass.exe from User Profile
Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe, OriginalFileName=NOTEPAD.EXE. The OriginalFileName mismatch is a key indicator.
- Test 3Masquerade as explorer.exe from Downloads
Expected signal: Sysmon Event ID 1: Process Create with Image in Downloads folder, OriginalFileName mismatch. File creation event for explorer.exe in Downloads.
References (7)
- https://attack.mitre.org/techniques/T1036/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://lolbas-project.github.io/
- https://x.com/ItsReallyNick/status/1055321652777619457
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1036 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (12)
- T1036.001Invalid Code Signature
- T1036.002Right-to-Left Override
- T1036.003Rename Legitimate Utilities
- T1036.004Masquerade Task or Service
- T1036.005Match Legitimate Resource Name or Location
- T1036.006Space after Filename
- T1036.007Double File Extension
- T1036.008Masquerade File Type
- T1036.009Break Process Trees
- T1036.010Masquerade Account Name
- T1036.011Overwrite Process Arguments
- T1036.012Browser Fingerprint