Masquerading: Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. [1] It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). [2] An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. [3]

ID: T1036.003
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Version: 1.0
Created: 10 February 2020
Last Modified: 10 February 2020

Procedure Examples

Name Description
APT32

APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[7]

CozyCar

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[3]

menuPass

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[8]

NotPetya

NotPetya drops PsExec with the filename dllhost.dat.[4]

PLATINUM

PLATINUM has renamed rar.exe to avoid detection.[5]

Soft Cell

Soft Cell used a renamed cmd.exe file to evade detection.[6]

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Detection

If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. [2] Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.[9]

References