
Find sigma rule :x:

Attack: Masquerading: Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing their own, in order to evade defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image may be given a name that is a close approximation of a legitimate program or image, or simply something innocuous-looking.

Adversaries may also use the same icon of the file they are trying to mimic.

MITRE

Tactic

Technique

Test: Execute a process from a directory masquerading as the current parent directory.

OS

Description:

Create and execute a process from a directory masquerading as the current parent directory: the directory is named ... (three dots) instead of the normal .. parent entry, so in an ls -la listing or a process path it is easily misread as the parent directory.

Executor

sh
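The test above, as an added example that is not the page's or Atomic Red Team's own test definition: it stages a directory literally named ... beside the real .. entry, drops a copy of sh into it, executes a command through that copy, and then runs the two checks a defender would want, a filesystem hunt for directory names made only of dots and a grep over process-creation records for a dot-only path component. The MASQ_ROOT scratch directory, the function names and the audit-style sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example for the "..." parent-directory masquerade described on this page.
# Illustrative code written for this edit, not the page's or Atomic Red Team's own
# test. Assumptions: a POSIX sh, find, grep and mktemp are available, and a
# scratch directory may be created and executed from under $TMPDIR.

# Scratch root so nothing outside it is touched (assumption: mktemp -d works here).
MASQ_ROOT="${MASQ_ROOT:-$(mktemp -d)}"

# Stage the lure: a directory named "..." (three dots) holding a copy of the
# shell. In `ls -la` output it sits directly under the real ".." entry.
masq_setup() {
    mkdir -p "$MASQ_ROOT/..."
    cp "$(command -v sh)" "$MASQ_ROOT/.../sh"
    chmod 755 "$MASQ_ROOT/.../sh"
}

# Execute through the relocated interpreter. The child prints its own $0, which
# is the ".../sh" path: at a glance it reads like "../sh", the parent directory.
masq_run() {
    "$MASQ_ROOT/.../sh" -c 'printf "hello from %s\n" "$0"'
}

# Hunt: directories under a root whose name is only dots, three or more.
# "." and ".." are real entries; anything longer is a lure or worth a look.
masq_find_dirs() {
    find "$1" -type d 2>/dev/null | grep -E '/\.{3,}$' || true
}

# Detection over process-creation records on stdin: flag any line whose
# executable path contains a path component that is only dots (3 or more).
masq_flag_events() {
    grep -E '/\.{3,}/' || true
}

# Constructed, audit-style sample records (not real logs). Only pid 4243 runs
# from a dot-only directory; /opt/app/.hidden is a normal hidden directory.
masq_sample_events() {
    cat <<'EOF'
type=EXECVE pid=4242 exe=/usr/bin/sh cwd=/home/user
type=EXECVE pid=4243 exe=/home/user/.../sh cwd=/home/user
type=EXECVE pid=4244 exe=/usr/bin/find cwd=/tmp
type=EXECVE pid=4245 exe=/opt/app/.hidden/run cwd=/opt/app
EOF
}

# Remove the staged lure and the scratch root.
masq_cleanup() {
    rm -rf "$MASQ_ROOT"
}

# Stand-alone run: stage, execute, hunt, detect, clean up.
if [ "${MASQ_DEMO:-1}" = "1" ] && [ -z "${MASQ_NO_MAIN:-}" ]; then
    masq_setup
    masq_run
    echo "dot-only directories under $MASQ_ROOT:"
    masq_find_dirs "$MASQ_ROOT"
    echo "flagged process events:"
    masq_sample_events | masq_flag_events
    masq_cleanup
fi
```

The same grep pattern (`/\.{3,}/` against the executable path) is the minimal detection for this test; a production rule would also match `..` followed by any non-slash character, and would pair the path match with the parent process, since a copied interpreter in a dot-only directory is unusual regardless of what it runs.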

Sigma Rule
