Find sigma rule

Attack: Masquerading: Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

MITRE

Tactic

defense-evasion

technique

T1036.005

Test : Masquerade as a built-in system executable

OS

windows

Description:

Launch an executable that attempts to masquerade as a legitimate executable.

Executor

powershell

Sigma Rule

file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)
file_event_win_creation_system_file.yml (id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d)
proc_creation_win_susp_system_exe_anomaly.yml (id: e4a6b256-3e47-40fc-89d2-7a477edd6915)
proc_creation_win_svchost_uncommon_parent_process.yml (id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d)
file_event_win_net_cli_artefact.yml (id: e0b06658-7d1d-4cd3-bf15-03467507ff7c)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test