| ID | Name |
|---|---|
| T1036.001 | Invalid Code Signature |
| T1036.003 | Rename System Utilities |
| T1036.004 | Masquerade Task or Service |
| T1036.005 | Match Legitimate Name or Location |
| T1036.006 | Space after Filename |
| T1036.007 | Double File Extension |
| T1036.008 | Masquerade File Type |
| T1036.009 | Break Process Trees |
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".
DEADEYE has used
|S0343||Exaramel for Windows|
OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services, such as naming a LaunchAgent plist file
New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".
Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."
Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.
Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf. It has also used common document file names for other malware binaries.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign. |
| DS0003 | Scheduled Job | Scheduled Job Metadata | Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| | | Scheduled Job Modification | Monitor for changes made to scheduled jobs for unexpected modifications to execution launch. |
| | | | Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
| | | | Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types. |