1. Home
  2. Techniques
  3. Enterprise
  4. Masquerading
  5. Rename System Utilities

Masquerading: Rename System Utilities

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename System Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees
T1036.010 Masquerade Account Name

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. [1] It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). [2] An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. [3]

ID: T1036.003
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 10 February 2020
Last Modified: 12 September 2024
Version Permalink

Procedure Examples

ID Name Description
G0050 APT32

APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[4]
S0046 CozyCar

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[3]
G1034 Daggerfly

Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the ProgramData\Microsoft\PlayReady directory, to proxy malicious DLL execution.[5]
S1111 DarkGate

DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the C:\ root directory that copies and renames the legitimate Windows curl command to this new location.[6]
G0093 GALLIUM

GALLIUM used a renamed cmd.exe file to evade detection.[7]
S1020 Kevin

Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.[8]
G0032 Lazarus Group

Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.[9]
G0045 menuPass

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[10]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
DS0022 File File Metadata

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.
File Modification

Monitor for changes made to files for unexpected modifications to file names that are mismatched between the file name on disk and that of the binary's PE metadata. This is a likely indicator that a binary was renamed after it was compiled.

Note: There are no standard Windows events for file modification. However, Event ID 4663 (An attempt was made to access an object) can be used to audit and alert on attempts to access system utility binaries; the "Accesses" field can be used to filter by type of access (e.g., MODIFY vs DELETE).

DS0009 Process Process Metadata

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

References

  1. LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
  2. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
  3. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  4. Carr, N.. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved September 12, 2024.
  5. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  1. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  2. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  3. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  4. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  5. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.