T1036 Masquerading Mappings

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)


Mappings

Capability ID: chronicle
Capability Description: Chronicle
Mapping Type: technique_scores
ATT&CK ID: T1036
ATT&CK Name: Masquerading
Comments: Chronicle can raise an alert when Microsoft Word (Winword) starts an uncommon child process; the cited rule detects Winword launching MicroScMgmt.exe, the sub-process used in exploitation of CVE-2015-1641. The technique was scored Minimal because the detection coverage is low or uncertain: a rule keyed to one exploit's child process covers only a narrow slice of Masquerading behaviour.
References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/exploit_for_cve_2015_1641.yaral
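The two detection ideas the page describes, an Office application spawning an uncommon child and a renamed system utility (the LOLBAS renaming case from the technique description), written out as an added Python illustration over constructed process-creation events. This is not Chronicle's YARA-L rule and not code from the mappings project; the event fields, the Winword child allowlist and the watchlist of utility names are assumptions, and original_file_name stands in for the PE version-resource OriginalFilename that endpoint sensors such as Sysmon event 1 expose.

```python
"""Two process-creation checks for T1036 Masquerading signals.

Added illustration: not Chronicle's YARA-L rule and not code from the
mappings project. Events, allowlists and field names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str
    original_file_name: str  # PE version-resource OriginalFilename (e.g. Sysmon EID 1)
    command_line: str


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Children WINWORD.EXE is expected to launch (constructed, not exhaustive).
EXPECTED_WINWORD_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe", "winword.exe"}

# OriginalFilename values of utilities commonly renamed to dodge name-based rules
# (constructed subset, compared case-insensitively).
RENAME_WATCHLIST = {"cmd.exe", "powershell.exe", "rundll32.exe",
                    "regsvr32.exe", "mshta.exe", "certutil.exe"}


def uncommon_winword_child(ev: ProcessCreate):
    """Word spawning a child outside the allowlist (the pattern the cited rule keys on)."""
    if basename(ev.parent_image) != "winword.exe":
        return None
    child = basename(ev.image)
    if child in EXPECTED_WINWORD_CHILDREN:
        return None
    return f"winword.exe spawned uncommon child {child}"


def renamed_system_utility(ev: ProcessCreate):
    """On-disk name disagrees with the binary's own OriginalFilename."""
    original = ev.original_file_name.lower()
    on_disk = basename(ev.image)
    if original in RENAME_WATCHLIST and on_disk != original:
        return f"{on_disk} is {original} renamed"
    return None


RULES = (uncommon_winword_child, renamed_system_utility)


def evaluate(events):
    """Return (event index, finding) pairs for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((idx, hit))
    return findings


# Constructed sample telemetry; only events 1 and 2 should alert.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\splwow64.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcessCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Users\alice\AppData\Local\Temp\MicroScMgmt.exe", "",
                  "MicroScMgmt.exe"),
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "Cmd.Exe",
                  "svchost.exe /c whoami"),
    ProcessCreate(r"C:\Windows\System32\services.exe",
                  r"C:\Windows\System32\svchost.exe", "svchost.exe",
                  "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, finding in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The first rule is the shape of the cited Chronicle detection, generalised from one named child (MicroScMgmt.exe) to anything outside an allowlist; the allowlist is the tuning point, since too narrow a list floods the queue and too wide a list misses the exploit child. The second rule only works where the sensor records OriginalFilename, which is why a rename check cannot be built from process name alone.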

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1036.001 Invalid Code Signature 1
T1036.005 Match Legitimate Name or Location 1