MITRE Technique [T1036] Masquerading

[T1036] Masquerading – Adversaries alter file names, locations, metadata, or service/task identifiers to appear legitimate and evade detection, often using subtle tricks such as Unicode overrides or fake extensions to fool users and tools. #Masquerading #DefenseEvasion

Keypoints

  • Masquerading hides malicious artifacts by changing names, locations, or metadata to look benign.
  • Attackers rename compiled binaries so the on-disk name no longer matches the PE version metadata (InternalName, OriginalFilename), hiding what the file really is.
  • Unicode tricks and trailing spaces can deceive users and bypass simple name-based defenses.
  • Monitoring file hashes, locations, and modification timelines helps detect masquerading.
  • Focus on command-line arguments and behavior instead of only filenames for better detection.

Description:

  • Like a wolf in sheep’s clothing, masquerading makes harmful files or services look harmless so users and tools accept them without suspicion.
  • Adversaries rename files, alter file metadata (such as InternalName or OriginalFilename), place well-known names in unusual locations, or use deceptive characters to hide malicious intent. Blending malicious artifacts with legitimate system items supports persistence and evasion and makes detection and response harder.

Detection:

  • Collect file hashes and compare them against known-good baselines; flag files whose hash does not match the expected hash for that filename, and files whose hash matches a known system binary under a different name.
  • Monitor file creation, modification, and location changes; alert on known system filenames appearing in uncommon directories.
  • Extract PE metadata (InternalName, OriginalFilename, ProductName) and compare to on-disk filenames; flag mismatches for investigation.
  • Capture process creation and command-line arguments; focus detection rules on suspicious args rather than only filenames.
  • Inspect filenames for the Unicode right-to-left override (U+202E), trailing spaces, and other deceptive characters; block or alert on their presence. For example, a file named invoice[U+202E]fdp.exe is displayed as "invoiceexe.pdf" but executes as an .exe.
  • Track service and scheduled job metadata and modifications; alert when legitimate service/task names are created or changed by unexpected accounts or installers.
  • Use file-integrity tools, EDR, and SIEM correlation to combine file, process, and scheduled-job telemetry; tune rules to reduce false positives from legitimate renames or updates.
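The detection heuristics above, run over a handful of constructed process-creation events, as an added example (not MITRE's code or any vendor's detection content). The event field names, the expected-location table, the user-writable directory list and the placeholder hashes are assumptions for illustration; adapt them to your EDR or Sysmon schema and to a baseline built from a golden image.

```python
import ntpath
import unicodedata

# Assumed baseline (illustrative, not complete): lowercase filename -> set of
# lowercase directories where the genuine binary lives on a default install.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed placeholder hashes standing in for a known-good baseline.
KNOWN_GOOD_SHA256 = {
    "svchost.exe": {"a1" * 32},
    "rundll32.exe": {"b2" * 32},
}
HASH_TO_NAME = {h: n for n, hs in KNOWN_GOOD_SHA256.items() for h in hs}

# Code points that change how a name is displayed without changing what the
# OS resolves; legitimate software essentially never puts these in a filename.
DECEPTIVE_CODEPOINTS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # bidi embeddings/overrides
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width characters
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DECOY_DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _disk_name(path):
    """Basename with trailing spaces removed, lowercased for comparisons."""
    return ntpath.basename(path).strip(" ").lower()


def check_name_tricks(path):
    """Deceptive characters, trailing spaces and decoy double extensions."""
    name = ntpath.basename(path)
    findings = []
    for ch in sorted(set(name)):
        if ch in DECEPTIVE_CODEPOINTS:
            findings.append(f"deceptive character {unicodedata.name(ch)} (U+{ord(ch):04X}) in filename")
    if name != name.rstrip(" "):
        findings.append("trailing space(s) in filename")
    # Judge the extension chain by what the OS will actually execute.
    clean = "".join(c for c in name if c not in DECEPTIVE_CODEPOINTS).strip(" ").lower()
    parts = clean.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_DOC_EXTS:
        findings.append(f"double extension .{parts[-2]}.{parts[-1]} (decoy document extension)")
    return findings


def check_location(path):
    """Well-known system filename running outside its expected directory."""
    name, directory = _disk_name(path), ntpath.dirname(path).rstrip("\\").lower()
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is not None and directory not in expected:
        return f"{name} running from unexpected directory {directory!r}"
    return None


def check_pe_metadata(path, original_filename):
    """On-disk name versus the PE version resource's OriginalFilename."""
    if original_filename and _disk_name(path) != original_filename.lower():
        return f"on-disk name {_disk_name(path)!r} differs from OriginalFilename {original_filename!r}"
    return None


def check_hash(path, sha256):
    """Hash not in the baseline for that name, or baseline hash under a new name."""
    if not sha256:
        return None
    name, sha256 = _disk_name(path), sha256.lower()
    baseline = KNOWN_GOOD_SHA256.get(name)
    if baseline is not None and sha256 not in baseline:
        return f"{name} hash is not in the known-good baseline for that name"
    genuine = HASH_TO_NAME.get(sha256)
    if genuine is not None and genuine != name:
        return f"{name} is a renamed copy of {genuine} (hash matches baseline)"
    return None


def check_command_line(path, original_filename, command_line):
    """Argument rules keyed on the binary's true identity, so a rename does not dodge them."""
    true_name = (original_filename or _disk_name(path)).strip(" ").lower()
    cl = command_line.lower()
    if true_name == "rundll32.exe" and any(d in cl for d in USER_WRITABLE):
        return "rundll32 loading a DLL from a user-writable directory"
    if true_name == "svchost.exe" and " -k " not in f" {cl} ":
        return "svchost started without a -k service-group argument"
    return None


def triage(event):
    """All findings for one process-creation event (assumed field names)."""
    path = event["image"]
    findings = check_name_tricks(path)
    for f in (check_location(path),
              check_pe_metadata(path, event.get("original_filename")),
              check_hash(path, event.get("sha256")),
              check_command_line(path, event.get("original_filename"), event.get("command_line", ""))):
        if f:
            findings.append(f)
    return findings


# Constructed sample events; hashes and paths are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs -p",
     "original_filename": "svchost.exe", "sha256": "a1" * 32},                        # benign
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "command_line": "svchost.exe",
     "original_filename": "client.exe", "sha256": "de" * 32},                         # system name, wrong place
    {"image": r"C:\ProgramData\update.exe", "original_filename": "RUNDLL32.EXE", "sha256": "b2" * 32,
     "command_line": r"update.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start"},    # renamed rundll32
    {"image": "C:\\Users\\alice\\Downloads\\invoice\u202efdp.exe", "command_line": ""},  # RLO trick
    {"image": r"C:\Users\alice\Downloads\report.pdf.exe ", "command_line": ""},       # trailing space + decoy ext
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev) or "no findings")
```

The benign svchost event produces no findings, the copy in AppData is flagged three ways (location, OriginalFilename mismatch, unknown hash), and the renamed rundll32 is caught by its OriginalFilename, by its hash matching the baseline under another name, and by the command-line rule keyed on its true identity rather than on the on-disk name.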

Tactics:
Defense Evasion

Platforms:
Containers, ESXi, Linux, Windows, macOS

Data Sources:
Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata, User Account: User Account Creation

Relationship Citations:
(Citation: FireEye APT10 Sept 2018),(Citation: Twitter ItsReallyNick Platinum Masquerade),(Citation: Secureworks BRONZE PRESIDENT December 2019),(Citation: NTT Security Flagpro new December 2021),(Citation: CISA AR21-126A FIVEHANDS May 2021),(Citation: Prevailion DarkWatchman 2021),(Citation: Volexity UPSTYLE 2024),(Citation: Ensilo Darkgate 2018),(Citation: Malwarebytes Pony April 2016),(Citation: Microsoft Deep Dive Solorigate January 2021),(Citation: Zscaler APT31 Covid-19 October 2020),(Citation: DFIR Conti Bazar Nov 2021),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Mandiant FIN13 Aug 2022),(Citation: Cylance Dust Storm),(Citation: Malwarebytes Kimsuky June 2021),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: Lumen KVBotnet 2023),(Citation: Google Election Threats October 2020),(Citation: Cyberreason Anchor December 2019),(Citation: Talos Bisonal Mar 2020),(Citation: ANSSI RYUK RANSOMWARE),(Citation: Microsoft March 2025 XCSSET),(Citation: Talos Nyetya June 2017),(Citation: McAfee Honeybee),(Citation: Unit42 Redaman January 2019),(Citation: IBM StrelaStealer 2024),(Citation: objective-see windtail1 dec 2018),(Citation: Cadet Blizzard emerges as novel threat actor),(Citation: Medium S2W WhisperGate January 2022),(Citation: Trend Micro Tick November 2019),(Citation: SentinelOne WinterVivern 2023),(Citation: Leonard TAG 2023),(Citation: SentinelOne NobleBaron June 2021),(Citation: rapid7-email-bombing),(Citation: Unit 42 TA551 Jan 2021),(Citation: Cisco Talos Intelligence Group),(Citation: Trend Micro DRBControl February 2020),(Citation: CrowdStrike StellarParticle January 2022),(Citation: BlackBerry Bahamut),(Citation: MSTIC Nobelium Toolset May 2021),(Citation: Cisco Talos Avos Jun 2022),(Citation: Symantec RAINDROP January 2021),(Citation: Unit42 Agrius 2023),(Citation: Check Point APT34 April 2021),(Citation: ESET Dukes October 2019),(Citation: Securelist Octopus Oct 2018),(Citation: MalwareBytes LazyScripter Feb 2021),(Citation: Cybereason Cobalt Kitty 2017),(Citation: Cisco ArcaneDoor 2024),(Citation: DHS CISA AA22-055A MuddyWater February 2022),(Citation: Eset Ramsay May 2020),(Citation: SentinelOne Lazarus macOS July 2020),(Citation: Secureworks DarkTortilla Aug 2022),(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022),(Citation: SentinelOne Aoqin Dragon June 2022),(Citation: Malwarebytes Saint Bot April 2021),(Citation: trendmicro xcsset xcode project 2020),(Citation: ClearSky Siamesekitten August 2021),(Citation: MSTIC FoggyWeb September 2021)

Read More: https://attack.mitre.org/techniques/T1036