Match Legitimate Name or Location
Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing them, in order to evade defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, it may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, the name given to a file or container image may be a close approximation of a legitimate program or image, or something innocuous. Adversaries may also use the same icon as the file they are trying to mimic.
Detection logic
Collect file hashes; files whose names do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect, as are files modified outside of an update or patch. A mismatch between the file name on disk and the name recorded in the binary's PE metadata is a likely indicator that the binary was renamed after it was compiled. Collecting and comparing on-disk and resource file names for binaries, checking whether InternalName, OriginalFilename, and/or ProductName match what is expected, can provide useful leads but is not always indicative of malicious activity. Rather than enumerating the names a file could be given, focus on the command-line arguments that are known to be used and are distinctive; this yields a better detection rate. In containerized environments, compare images by image ID and layer hash instead of relying only on their names. In Kubernetes, monitor for the unexpected creation of new resources within the cluster, especially by atypical users.
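The checks described above (disk name vs. PE OriginalFileName, a trusted name outside its expected directory, a hash that does not match the baseline, and a close approximation of a trusted name), run over a few constructed Sysmon-style process-creation records. This is an added example, not part of the ATT&CK page; the BASELINE directories and hash values, the record fields and the edit-distance threshold are assumptions.

```python
import ntpath
# Expected directory and SHA256 per trusted binary name. The hash values are
# constructed placeholders; a real baseline comes from a known-good image.
BASELINE = {"svchost.exe": {"dir": r"c:\windows\system32", "sha256": "AAAA1111"},
            "lsass.exe": {"dir": r"c:\windows\system32", "sha256": "BBBB2222"}}

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_record(rec):
    """Return findings for one process-creation record (empty list = clean)."""
    findings = []
    disk_name = ntpath.basename(rec["Image"]).lower()
    disk_dir = ntpath.dirname(rec["Image"]).lower()
    original = rec.get("OriginalFileName", "").lower()
    # Sysmon's Hashes field looks like "SHA256=...,MD5=..." (constructed here).
    hashes = dict(p.split("=", 1) for p in rec.get("Hashes", "").split(",") if "=" in p)
    sha256 = hashes.get("SHA256", "").upper()
    # Renamed after compile: on-disk name differs from the PE version-info name.
    if original not in ("", "?", "-") and original != disk_name:
        findings.append(f"name mismatch: disk={disk_name} pe={original}")
    # Trusted name (by disk or PE name) outside its directory or with a new hash.
    for key in BASELINE.keys() & {disk_name, original}:
        if disk_dir != BASELINE[key]["dir"]:
            findings.append(f"{key} outside {BASELINE[key]['dir']}: {disk_dir}")
        if sha256 and sha256 != BASELINE[key]["sha256"]:
            findings.append(f"{key} hash not in baseline: {sha256}")
    # Close approximation of a trusted name (one or two character edits).
    for key in BASELINE:
        if key != disk_name and edit_distance(disk_name, key) <= 2:
            findings.append(f"look-alike of {key}: {disk_name}")
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe", "Hashes": "SHA256=AAAA1111"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "svchost.exe", "Hashes": "SHA256=CCCC3333"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "svchost.exe", "Hashes": "SHA256=CCCC3333"},
    {"Image": r"C:\Windows\System32\svch0st.exe", "OriginalFileName": "svch0st.exe", "Hashes": "SHA256=DDDD4444"},
]

def triage(events):
    """Map each suspicious image path to its findings; clean images are omitted."""
    return {e["Image"]: f for e in events if (f := check_record(e))}
```

Only the first constructed record (the real svchost.exe in System32 with the baseline hash) comes back clean; the other three are flagged for location, hash, renamed-binary and look-alike reasons respectively.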
Observed actors
G0119
G1008 SideCopy
G1020 Mustard Tempest
G0094 Kimsuky
G0018 admin@338
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0045 menuPass
G0050 APT32
G0069 MuddyWater
G0019 Naikon
G0047 Gamaredon Group
G0139 TeamTNT
G0046 FIN7
G0034 Sandworm Team
G0095 Machete
G0121 Sidewinder
G0129 Mustang Panda
G0106 Rocke
G0087 APT39
G1018 TA2541
G0008 Carbanak
G0081 Tropic Trooper
G0143 Aquatic Panda
G1007 Aoqin Dragon
G0137 Ferocious Kitten
G0004 Ke3chang
G0006 APT1
G0108 Blue Mockingbird
G0010 Turla
G0033 Poseidon Group
G1039 RedCurl
G0016 APT29
G0114 Chimera
G0060 BRONZE BUTLER
G0088 TEMP.Veles
G0135 BackdoorDiplomacy
G0012 Darkhotel
G1003 Ember Bear
G1022 ToddyCat
G0107 Whitefly
G1014 LuminousMoth
G0007 APT28
G1023 APT5
G0117 Fox Kitten
G0032 Lazarus Group
G1032 INC Ransom
G1006 Earth Lusca
G0091 Silence
G0054 Sowbug
G0134 Transparent Tribe
G0056 PROMETHIUM
G0090 WIRTE
G0059 Magic Hound
G1016 FIN13
Correlated CTI and IR reports
1200km CTI repository · explicit report mention · CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention · OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mention · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km Medium · authored report mention · CTI Research: Sandworm / APT44
1200km Medium · authored report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km Medium · authored report mention