Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution

ID: DET0117
Domains: Enterprise
Analytics: AN0324, AN0325, AN0326
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0324

Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

Mutable Elements

| Field | Description |
|---|---|
| TaskNameSimilarityThreshold | Similarity threshold for comparing new task/service names to known legitimate names (e.g., Levenshtein distance) |
| BinaryReputationScore | Confidence level required before a binary is allowed, particularly for binaries from unsigned or untrusted sources |
| ExecutionContext | Whether the execution came from SYSTEM, a service account, or a user context |
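As an added example (not MITRE's code, and not part of this detection strategy page), the following Python scores service-creation (7045) and scheduled-task-creation (4698) records against the three mutable elements of AN0324: a Levenshtein look-alike check against an allow-list, a trusted-directory check standing in for BinaryReputationScore, and an ExecutionContext bonus. The sample events, the allow-list, the trusted directories, the LOLBAS subset, the environment-variable expansion and both thresholds are constructed assumptions; the same edit-distance comparison applies to the Linux and macOS name-deviation elements as well.

```python
"""Added example, not MITRE's code: scores new Windows services (7045) and
scheduled tasks (4698) for masquerading along the lines of AN0324. Events,
allow-list, trusted directories and thresholds are constructed assumptions."""
import ntpath
import re

# Assumed allow-list of legitimate service/task names maintained by the analyst.
KNOWN_NAMES = {"Spooler", "Schedule", "WinDefend", "Dnscache",
               "OneDrive Standalone Update Task"}
# Assumed directories from which service and task binaries are expected to run.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Constructed subset of LOLBAS launchers rarely used as a task's entry point.
LOLBAS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe"}
# Variables commonly seen in 7045 ImagePath values; expansion targets are assumed.
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
       "%programfiles%": "c:\\program files"}

# Mutable elements from the analytic; the numbers are assumptions.
TASK_NAME_SIMILARITY_THRESHOLD = 2   # max Levenshtein distance counted as a look-alike
ALERT_THRESHOLD = 3                  # total score at which the event is raised

WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s",]+')


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (two-row dynamic programming)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known(name: str):
    """Return the allow-listed name nearest to `name` and its distance."""
    best = min(KNOWN_NAMES, key=lambda k: levenshtein(name, k))
    return best, levenshtein(name, best)


def expand_env(command: str) -> str:
    for var, value in ENV.items():
        command = re.sub(re.escape(var), lambda _m, v=value: v, command, flags=re.I)
    return command


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def score_event(ev: dict):
    """ev: {EventCode, Name, Command, Context}. Returns (score, reasons)."""
    reasons = []
    paths = WIN_PATH.findall(expand_env(ev["Command"]))
    untrusted = [p for p in paths if not is_trusted(p)]
    exe = ntpath.basename(paths[0]).lower() if paths else ""

    if ev["Name"] in KNOWN_NAMES:
        if untrusted:   # exact legitimate name, but the code is not where it should be
            reasons.append((3, "legitimate name with binary/arguments outside trusted dirs"))
    else:
        near, dist = closest_known(ev["Name"])
        if dist <= TASK_NAME_SIMILARITY_THRESHOLD:
            reasons.append((2, f"name resembles '{near}' (distance {dist})"))
    if untrusted:
        reasons.append((2, "references untrusted path(s): " + ", ".join(untrusted)))
    if exe in LOLBAS:
        reasons.append((1, f"entry point is LOLBAS {exe}"))
    if ev["Context"].upper() == "SYSTEM" and untrusted:
        reasons.append((1, "untrusted code running as SYSTEM"))
    return sum(s for s, _ in reasons), [r for _, r in reasons]


# Constructed sample records (fields normalised from 7045 / 4698 events).
SAMPLE_EVENTS = [
    {"EventCode": 7045, "Name": "Spooler",
     "Command": r"%SystemRoot%\System32\spoolsv.exe", "Context": "SYSTEM"},
    {"EventCode": 7045, "Name": "Spooler",
     "Command": r"C:\Users\Public\Libraries\spoolsv.exe", "Context": "SYSTEM"},
    {"EventCode": 4698, "Name": "OneDrive Standalone Update Tasks",
     "Command": r"C:\Windows\System32\rundll32.exe C:\Users\bob\AppData\Roaming\u.dll,Run",
     "Context": r"CONTOSO\bob"},
]


def triage(events=SAMPLE_EVENTS):
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        out.append({"name": ev["Name"], "score": score,
                    "alert": score >= ALERT_THRESHOLD, "reasons": reasons})
    return out


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The exact-name branch matters as much as the look-alike branch: a service literally named `Spooler` whose ImagePath points into a user-writable directory is the classic masquerade, and no string-distance check would catch it. Expanding `%SystemRoot%` before the path check avoids false positives on the many legitimate 7045 entries that use it.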

AN0325

Creation or modification of systemd service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Modification (DC0012) | auditd:CONFIG_CHANGE | /var/log/audit/audit.log |
| Service Metadata (DC0041) | linux:osquery | scheduled/real-time |
| Scheduled Job Metadata (DC0005) | linux:cron | /var/log/syslog or journalctl |

Mutable Elements

| Field | Description |
|---|---|
| UnitFilePath | Unusual or user-space paths for systemd unit files |
| ServiceNameDeviation | Detect units with names similar to legitimate ones (e.g., `networks.service` instead of `network.service`) |
| ExecStartPath | Track uncommon or suspicious binaries in `ExecStart=` directives |
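As an added example (not MITRE's code), the following Python covers the UnitFilePath and ExecStartPath elements of AN0325 for both systemd units and cron entries: it parses unit files, strips the `ExecStart=` modifier prefixes documented in systemd.service(5), and checks the executable and every absolute path the command references against assumed directory lists. The unit texts, cron lines and all directory lists are constructed; name-deviation scoring (ServiceNameDeviation) is a plain edit-distance comparison and is left out here.

```python
"""Added example, not MITRE's code: triage of systemd unit files and cron
entries per AN0325. Unit texts, cron lines and directory lists are constructed."""
import re

# Where distribution- and admin-managed units normally live (assumption).
STANDARD_UNIT_DIRS = ("/usr/lib/systemd/system/", "/lib/systemd/system/",
                      "/etc/systemd/system/", "/run/systemd/system/")
# Directories an ExecStart= executable is expected to live in (assumption).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                     "/usr/lib/", "/usr/libexec/", "/lib/", "/opt/")
# Locations that should rarely host code started by a service or cron job.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")

ABS_PATH = re.compile(r"(?<![\w.-])/[\w.@+/-]+")
EXEC_PREFIXES = "-@:+!"   # ExecStart= modifier characters from systemd.service(5)
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload")


def check_command(command: str):
    """Findings for one command line (an Exec*= value or a cron command)."""
    findings = []
    cmd = command.lstrip(EXEC_PREFIXES).strip()
    tokens = cmd.split()
    if not tokens:
        return ["empty command"]
    exe = tokens[0]
    if not exe.startswith("/"):
        findings.append(f"relative executable '{exe}' resolved via PATH")
    elif not exe.startswith(TRUSTED_EXEC_DIRS):
        findings.append(f"executable outside trusted dirs: {exe}")
    if exe.rsplit("/", 1)[-1] in ("sh", "bash", "dash") and "-c" in tokens:
        findings.append("shell wrapper hides the real program behind -c")
    for path in ABS_PATH.findall(cmd):
        if path.startswith(SUSPICIOUS_DIRS):
            findings.append(f"references suspicious path: {path}")
    return findings


def parse_unit(text: str):
    """Minimal INI-style parse: list of (section, key, value)."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def check_unit(unit_path: str, text: str):
    findings = []
    if not unit_path.startswith(STANDARD_UNIT_DIRS):
        findings.append(f"unit file in non-standard location: {unit_path}")
    for section, key, value in parse_unit(text):
        if section == "Service" and key in EXEC_KEYS:
            findings += [f"{key}: {f}" for f in check_command(value)]
    return findings


def check_cron_line(line: str):
    """User crontab line: five time fields (or an @keyword) then the command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith("@"):
        parts = line.split(None, 1)
        command = parts[1] if len(parts) == 2 else ""
    else:
        parts = line.split(None, 5)
        command = parts[5] if len(parts) == 6 else ""
    return check_command(command)


# Constructed sample units, keyed by the path they were observed at.
SAMPLE_UNITS = {
    "/usr/lib/systemd/system/network.service":
        "[Unit]\nDescription=Network Manager\n[Service]\n"
        "ExecStart=/usr/sbin/NetworkManager --no-daemon\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/networks.service":
        "[Unit]\nDescription=Network Manager\n[Service]\nType=simple\n"
        "ExecStart=/bin/sh -c '/dev/shm/.x/nm -d'\nRestart=always\n[Install]\nWantedBy=multi-user.target\n",
    "/home/alice/.config/systemd/user/updater.service":
        "[Service]\nExecStart=-/home/alice/.local/bin/updater\n",
}
# Constructed sample crontab lines.
SAMPLE_CRON = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "*/5 * * * * /tmp/.u/run.sh",
    "@reboot nohup /var/tmp/.sync &",
]


def triage_units(units=SAMPLE_UNITS):
    return {path: check_unit(path, text) for path, text in units.items()}


if __name__ == "__main__":
    for path, findings in triage_units().items():
        print(path, findings)
    for line in SAMPLE_CRON:
        print(line, check_cron_line(line))
```

Note that `networks.service` is not caught by its location, which is a perfectly normal admin path, but by what its `ExecStart=` does: a trusted interpreter is used to launch code from `/dev/shm`. Checking every absolute path in the directive, not only the first token, is what makes that visible.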

AN0326

Creation of LaunchAgents or LaunchDaemons with names resembling known system services but executing non-Apple signed code or scripts.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Metadata (DC0005) | fs:fileevents | `/Library/LaunchDaemons/*.plist`, `~/Library/LaunchAgents/*.plist` |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| Service Metadata (DC0041) | macos:unifiedlog | subsystem=com.apple.launchservices |

Mutable Elements

| Field | Description |
|---|---|
| PlistLabelSimilarity | Detect plists with labels that closely resemble legitimate ones (e.g., `com.apple.updates.plist`) |
| UnsignedBinaryExecution | Toggle sensitivity for unsigned binaries or scripts launched by daemons |
| UserContext | Scope detection based on whether the LaunchAgent ran in a user or system context |
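As an added example (not MITRE's code), the following Python triages a LaunchAgent or LaunchDaemon plist along the lines of AN0326: it parses the plist with the standard library, derives the UserContext from the plist's location, flags an Apple-namespaced label whose program does not live in an Apple-owned directory, and applies the UnsignedBinaryExecution element through an `apple_signed` flag that is assumed to come from an external code-signature check. The two plists, the directory lists and the signing flag are constructed.

```python
"""Added example, not MITRE's code: triage of launchd property lists per AN0326.
Plist bytes, directory lists and the signing flag are constructed assumptions."""
import plistlib

# Directories Apple's own daemons and agents are expected to execute from (assumption).
APPLE_PROGRAM_DIRS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
# Plist locations that load in the system context rather than a user session (assumption).
SYSTEM_PLIST_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/", "/System/Library/")
# Coarse list of locations from which a daemon should rarely run code (assumption).
SUSPICIOUS_PROGRAM_DIRS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def program_arguments(plist: dict):
    """launchd accepts either ProgramArguments (argv) or Program (path only)."""
    args = plist.get("ProgramArguments") or []
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    return list(args)


def triage_plist(plist_path: str, data: bytes, apple_signed=None):
    """apple_signed: True/False from an external signature check, None if unknown."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = program_arguments(plist)
    program = args[0] if args else ""
    context = "system" if plist_path.startswith(SYSTEM_PLIST_DIRS) else "user"
    findings = []

    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_DIRS):
        findings.append(f"Apple-namespaced label '{label}' runs non-Apple program {program}")
    for arg in args:   # also catches interpreter + script combinations
        if arg.startswith(SUSPICIOUS_PROGRAM_DIRS):
            findings.append(f"references suspicious path: {arg}")
    if apple_signed is False:
        findings.append("program is not Apple-signed")

    return {"label": label, "program": program, "context": context,
            "run_at_load": bool(plist.get("RunAtLoad")), "findings": findings}


# Constructed sample: Apple-styled label, program under /Users/Shared.
PLIST_MASQ = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.update/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: ordinary third-party user agent.
PLIST_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/sync</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(triage_plist("/Library/LaunchDaemons/com.apple.updates.plist", PLIST_MASQ, apple_signed=False))
    print(triage_plist("/Users/alice/Library/LaunchAgents/com.example.sync.plist", PLIST_BENIGN))
```

The context value is what lets an analyst scope the rule: a finding on a plist under `/Library/LaunchDaemons/` describes code that launchd runs as root at boot, whereas the same finding under a user's `~/Library/LaunchAgents/` is confined to that session. The `apple_signed` flag is deliberately an input rather than something the script computes, because signature validation belongs to the endpoint (the ES_EVENT_TYPE_NOTIFY_EXEC telemetry or a local `codesign` check), not to the log pipeline.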