Find sigma rule

Attack: Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)

MITRE

Tactic

defense-evasion

technique

T1036

Test : System File Copied to Unusual Location

OS

windows

Description:

It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.

Executor

powershell

Sigma Rule

proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test