Masquerading
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
Detection logic
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. If the file name on disk does not match the name recorded in the binary's PE metadata, this is a likely indicator that the binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries, checking whether the InternalName, OriginalFilename, and/or ProductName match what is expected, can provide useful leads, but is not always indicative of malicious activity. Rather than enumerating every name a file could have, focus on the command-line arguments the utility is known to be invoked with; these are more distinctive and give a better detection rate. Look for characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character "\u202E", "[U+202E]", and "%E2%80%AE".
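The checks above (disk name versus PE OriginalFilename/InternalName, known names in unexpected directories, trailing spaces and right-to-left override characters in file names) can be expressed as a small triage routine. The following is an added example, not part of the ATT&CK page or any vendor tooling. It assumes the PE version-info fields have already been extracted by some other step (they are passed in as plain strings), and the EXPECTED_DIRS table and the sample observations are constructed for illustration.

```python
"""Triage file observations for Masquerading indicators (constructed example)."""
import ntpath
from dataclasses import dataclass
from typing import Optional

RLO = "\u202e"                 # RIGHT-TO-LEFT OVERRIDE code point cited in the detection guidance
RLO_URLENCODED = "%e2%80%ae"   # the same code point in URL-encoded form

# Constructed table: directories in which these well-known Windows binaries are expected.
# A production version would be populated from a golden image or baseline inventory.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass
class FileObservation:
    path: str                                # full path as observed on disk
    original_filename: Optional[str] = None  # PE VersionInfo OriginalFilename, if extracted (assumed input)
    internal_name: Optional[str] = None      # PE VersionInfo InternalName, if extracted (assumed input)


def _stem(name: str) -> str:
    """Lower-cased name without extension; InternalName often omits the extension."""
    return ntpath.splitext(name)[0].lower()


def name_anomalies(filename: str) -> list[str]:
    """Characters that suggest the displayed name is meant to mislead the user."""
    findings = []
    if RLO in filename or RLO_URLENCODED in filename.lower():
        findings.append("rtl_override_in_name")
    if filename.endswith(" "):
        findings.append("trailing_space_in_name")
    return findings


def metadata_mismatch(filename: str, original_filename: Optional[str],
                      internal_name: Optional[str]) -> list[str]:
    """Disk name disagrees with the name compiled into the PE version resource."""
    findings = []
    if original_filename and filename.lower() != original_filename.lower():
        findings.append(f"originalfilename_mismatch:{original_filename}")
    if internal_name and _stem(filename) != _stem(internal_name):
        findings.append(f"internalname_mismatch:{internal_name}")
    return findings


def location_anomaly(path: str, filename: str) -> list[str]:
    """A known system binary name sitting outside the directories it belongs in."""
    expected = EXPECTED_DIRS.get(filename.lower())
    if expected is None:
        return []
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return [] if directory in expected else [f"unexpected_location:{directory}"]


def assess(obs: FileObservation) -> list[str]:
    """Combine all checks; an empty list means no masquerading indicator was found."""
    filename = ntpath.basename(obs.path)
    return (name_anomalies(filename)
            + metadata_mismatch(filename, obs.original_filename, obs.internal_name)
            + location_anomaly(obs.path, filename))


# Constructed sample observations: one benign, three with different indicators.
SAMPLE = [
    FileObservation(r"C:\Windows\System32\svchost.exe", "svchost.exe", "svchost"),
    FileObservation(r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "svchost.exe", "svchost"),
    FileObservation(r"C:\Users\bob\Downloads\chrome.exe", "updater.exe", "updater"),
    FileObservation("C:\\Users\\bob\\Downloads\\report" + RLO + "fdp.exe"),
]


def run_sample() -> dict:
    """Return findings keyed by path so results can be inspected or asserted on."""
    return {obs.path: assess(obs) for obs in SAMPLE}


if __name__ == "__main__":
    for path, findings in run_sample().items():
        print(f"{path!r}: {findings or 'clean'}")
```

Findings are returned as tagged strings rather than a single boolean so that each indicator can be weighted separately; as the guidance notes, a metadata mismatch on its own is a lead, not a verdict.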
Observed actors
G0094 Dragonfly
G0035 menuPass
G0045 APT32
G0050 TeamTNT
G0139 Sandworm Team
G0034 Mustang Panda
G0129 ZIRCONIUM
G0128 OilRig
G0049 Winter Vivern
G1035 APT29
G0016 BRONZE BUTLER
G0060 TA551
G0127 Ember Bear
G1003 LazyScripter
G0140 Windshift
G0112 Agrius
G1030 APT28
G0007 Lazarus Group
G0032 PLATINUM
G0068 FIN13
G1016 Nomadic Octopus
G0133
Correlated CTI and IR reports
1200km CTI repository (explicit report mention): CTI Research: Kubernetes & Cloud-Native Threat Landscape
1200km CTI repository (explicit report mention): CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository (explicit report mention): ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km Medium (authored report mention): CTI Research: Kubernetes & Cloud-Native Threat Landscape
1200km Medium (authored report mention): CTI Research: MuddyWater / Seedworm (Mango Sandstorm)