ID | Name |
---|---|
T1036.001 | Invalid Code Signature |
T1036.002 | Right-to-Left Override |
T1036.003 | Rename System Utilities |
T1036.004 | Masquerade Task or Service |
T1036.005 | Match Legitimate Name or Location |
T1036.006 | Space after Filename |
T1036.007 | Double File Extension |
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon as the file they are trying to mimic.
ID | Name | Description |
---|---|---|
G0018 | admin@338 | admin@338 actors used the following command to rename one of their tools to a benign file name: |
S0622 | AppleSeed | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[2] |
G0006 | APT1 | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[3][4] |
G0007 | APT28 | APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[5] |
G0016 | APT29 | APT29 renamed software and DLLs with legitimate names to appear benign.[6][7][8] |
G0050 | APT32 | APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[9][10] |
G0087 | APT39 | APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[11][12] |
G0096 | APT41 | APT41 attempted to masquerade their files as popular anti-virus software.[13][14] |
S0475 | BackConfig | BackConfig has hidden malicious payloads in |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has dropped implants in folders named for legitimate software.[16] |
S0606 | Bad Rabbit | Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
S0128 | BADNEWS | BADNEWS attempts to hide its payloads using legitimate filenames.[19] |
S0534 | Bazar | The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[20][21][22] |
S0520 | BLINDINGCAN | BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[23] |
G0108 | Blue Mockingbird | Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[24] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[25] |
S0482 | Bundlore | Bundlore has disguised a malicious .app file as a Flash Player update.[26] |
S0274 | Calisto | Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for mac.[27] |
G0008 | Carbanak | Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[28] |
S0484 | Carberp | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[29][30] |
S0631 | Chaes | Chaes has used an unsigned, crafted DLL module named |
S0144 | ChChes | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[32] |
G0114 | Chimera | Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[33] |
S0625 | Cuba | Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[34] |
S0334 | DarkComet | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[35] |
G0012 | Darkhotel | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[36] |
S0187 | Daserf | Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[37] |
S0600 | Doki | |
S0567 | Dtrack | One of Dtrack's variants can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[39] |
S0605 | EKANS | EKANS has been disguised as |
S0081 | Elise | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[41] |
S0171 | Felismus | Felismus has masqueraded as legitimate Adobe Content Management System files.[42] |
G0137 | Ferocious Kitten | Ferocious Kitten has named malicious files |
G0046 | FIN7 | FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[44] |
S0182 | FinFisher | FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[45][46] |
G0117 | Fox Kitten | Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[47] |
S0410 | Fysbis | Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[48] |
S0493 | GoldenSpy | GoldenSpy's setup file installs initial executables under the folder |
S0588 | GoldMax | GoldMax appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[50] |
S0477 | Goopy | Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[9] |
S0531 | Grandoreiro | Grandoreiro has named malicious browser extensions and update files to appear legitimate.[51][52] |
S0070 | HTTPBrowser | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[53] |
G0119 | Indrik Spider | Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[54] |
S0259 | InnaputRAT | InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[55] |
S0260 | InvisiMole | InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[56][57] |
S0015 | Ixeshe | Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[58] |
S0526 | KGH_SPY | |
S0356 | KONNI | KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[60] |
G0032 | Lazarus Group | Lazarus Group has renamed the TAINTEDSCRIBE main executable to disguise itself as Microsoft's narrator.[61] |
S0395 | LightNeuron | LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as |
S0582 | LookBack | LookBack has a C2 proxy tool that masquerades as |
S0409 | Machete | Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[64][65] |
G0095 | Machete | Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[66] |
S0652 | MarkiRAT | MarkiRAT can masquerade as |
S0500 | MCMD | |
S0459 | MechaFlounder | MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.[68] |
G0045 | menuPass | menuPass has been seen changing malicious files to appear legitimate.[69] |
S0455 | Metamorfo | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[70][71] |
S0084 | Mis-Type | Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[72][73] |
S0083 | Misdat | Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[72][73] |
G0069 | MuddyWater | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[74][75][76] |
G0129 | Mustang Panda | Mustang Panda has used 'adobeupdate.dat' as a PlugX loader, and a file named 'OneDrive.exe' to load a Cobalt Strike payload.[77] |
G0019 | Naikon | Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[78] |
S0630 | Nebulae | Nebulae uses functions named |
S0198 | NETWIRE | NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[79] |
S0353 | NOKKI | NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.[80] |
S0340 | Octopus | Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[81][82] |
S0138 | OLDBAIT | OLDBAIT installs itself in |
S0402 | OSX/Shlayer | OSX/Shlayer can masquerade as a Flash Player update.[84][85] |
S0072 | OwaAuth | OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in |
G0040 | Patchwork | Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[87] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[88] |
S0587 | Penquin | Penquin has mimicked the Cron binary to hide itself on compromised systems.[89] |
S0501 | PipeMon | PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[90] |
S0453 | Pony | Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy.[91] |
G0033 | Poseidon Group | Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[92] |
G0056 | PROMETHIUM | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[93][94] |
S0196 | PUNCHBUGGY | PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[95][96] |
S0583 | Pysa | Pysa has executed a malicious executable by naming it svchost.exe.[97] |
S0269 | QUADAGENT | QUADAGENT used the PowerShell filenames |
S0565 | Raindrop | Raindrop was installed under names that resembled legitimate Windows file and directory names.[99][100] |
S0629 | RainyDay | RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.[78] |
S0458 | Ramsay | |
S0495 | RDAT | |
S0125 | Remsec | The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[104][105] |
S0496 | REvil | |
G0106 | Rocke | Rocke has used shell scripts which download mining executables and save them with the filename "java".[107] |
S0446 | Ryuk | Ryuk has constructed legitimate-appearing installation folder paths by calling |
S0085 | S-Type | S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[72][73] |
G0034 | Sandworm Team | Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[109][110] |
S0445 | ShimRatReporter | ShimRatReporter spoofed itself as |
S0589 | Sibot | Sibot has downloaded a DLL to the |
G0121 | Sidewinder | Sidewinder has named malicious files |
G0091 | Silence | |
S0468 | Skidmap | Skidmap has created a fake |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[115] |
G0054 | Sowbug | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory |
S0058 | SslMM | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[117] |
S0188 | Starloader | Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[116] |
S0491 | StrongPity | StrongPity has been bundled with legitimate software installation files for disguise.[93] |
S0559 | SUNBURST | SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[100] |
S0562 | SUNSPOT | SUNSPOT was identified on disk with a filename of |
S0578 | SUPERNOVA | SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[119][120] |
S0586 | TAINTEDSCRIBE | The TAINTEDSCRIBE main executable has disguised itself as Microsoft's Narrator.[61] |
S0560 | TEARDROP | TEARDROP files had names that resembled legitimate Windows file and directory names.[121][100] |
G0088 | TEMP.Veles | TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[122] |
S0595 | ThiefQuest | ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[123][124] |
G0134 | Transparent Tribe | Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[125] |
S0609 | TRITON | TRITON disguised itself as the legitimate Triconex Trilog application.[126] |
G0081 | Tropic Trooper | Tropic Trooper has hidden payloads in Flash directories and fake installer files.[127] |
S0386 | Ursnif | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[128] |
S0136 | USBStealer | USBStealer mimics a legitimate Russian program called USB Disk Security.[129] |
G0107 | Whitefly | Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[130] |
S0141 | Winnti for Windows | A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[131] |
S0086 | ZLib | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[72] |
ID | Mitigation | Description |
---|---|---|
M1045 | Code Signing | Require signed binaries and images. |
M1038 | Execution Prevention | Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
M1022 | Restrict File and Directory Permissions | Use file system access controls to protect folders such as C:\Windows\System32. |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Metadata |
DS0007 | Image | Image Metadata |
DS0009 | Process | Process Metadata |
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
If the file name on disk does not match the name in the binary's PE metadata, this is a likely indicator that the binary was renamed after it was compiled. Collecting and comparing on-disk and resource filenames for binaries, checking whether the InternalName, OriginalFilename, and/or ProductName match what is expected, can provide useful leads, but is not always indicative of malicious activity.[132] Rather than enumerating the possible names a file could have, focus on the command-line arguments that are known to be used and are distinctive, since that yields a better detection rate.[133]
In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[134] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
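The detection guidance above (known names in unusual locations, hash mismatches, on-disk name versus PE OriginalFilename, and image digests rather than image names) can be expressed as a small set of checks over collected metadata. The following is an added example and is not part of the ATT&CK page or any referenced tool; it assumes a collector has already produced, per file, the path, SHA-256 and the PE VERSIONINFO OriginalFilename, and, per container image, the name and digest. The allowlists, hashes, digests and sample records are constructed placeholders. It also adds a near-match check for look-alike names (one character off a known system name), which generalises the description's "close approximation" cases such as svhost or wercplsupporte.dll.

```python
"""Added example: heuristic checks for Match Legitimate Name or Location.

Assumed input shape (constructed, not from any real collector):
  file record  -> {"path": str, "sha256": str, "original_filename": str}
  image record -> {"name": str, "digest": str}
All hashes, digests and paths below are made-up sample values.
"""
import ntpath

# Where well-known Windows binaries are expected to live (constructed allowlist).
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "msdtc.exe": {r"c:\windows\system32"},
}

# Known-good SHA-256 values for those binaries (placeholder values).
KNOWN_GOOD_HASHES = {
    "svchost.exe": {"aaaa1111" * 8},
    "lsass.exe": {"bbbb2222" * 8},
}

# Names that look-alikes are compared against (constructed list).
KNOWN_NAMES = set(EXPECTED_LOCATIONS) | {"wercplsupport.dll", "mfevtps.exe"}

# Image name -> set of digests pinned for that name (placeholder values).
TRUSTED_IMAGE_DIGESTS = {
    "registry.example/base/nginx:1.25": {"sha256:" + "11" * 32},
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character-off look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_file(record):
    """Return a list of finding strings for one file record (empty if clean)."""
    findings = []
    path = record["path"]
    directory, name = ntpath.split(path)
    name_l = name.lower()
    dir_l = directory.lower().rstrip("\\")

    # 1. Known name outside its expected directory (e.g. svchost.exe under %APPDATA%).
    expected = EXPECTED_LOCATIONS.get(name_l)
    if expected is not None and dir_l not in expected:
        findings.append(f"known name in unusual location: {path}")

    # 2. Known name whose hash is not one of the expected hashes.
    good = KNOWN_GOOD_HASHES.get(name_l)
    if good is not None and record.get("sha256") not in good:
        findings.append(f"hash mismatch for {name}: {record.get('sha256')}")

    # 3. On-disk name differs from the PE OriginalFilename: likely renamed after
    #    compilation. Treat as a lead, not proof; some legitimate files differ.
    orig = record.get("original_filename")
    if orig and orig.lower() != name_l:
        findings.append(f"renamed binary: {name} has OriginalFilename {orig}")

    # 4. Not a known name, but one edit away from one (typo-squatted file name).
    if name_l not in KNOWN_NAMES:
        for known in sorted(KNOWN_NAMES):
            if edit_distance(name_l, known) <= 1:
                findings.append(f"near-match of known name {known}: {name}")
                break
    return findings


def check_image(image, trusted=TRUSTED_IMAGE_DIGESTS):
    """Compare an image by digest, not by name: a trusted name with an unpinned
    digest is flagged, and a name with no pinned digest at all is reported."""
    pinned = trusted.get(image["name"])
    if pinned is None:
        return [f"untracked image name: {image['name']}"]
    if image["digest"] not in pinned:
        return [f"image {image['name']} has unpinned digest {image['digest']}"]
    return []


# Constructed sample telemetry: one clean system binary, one svchost.exe dropped
# under a roaming profile, one look-alike DLL, one clean image, one swapped image.
SAMPLE_FILES = [
    {"path": r"C:\Windows\System32\svchost.exe", "sha256": "aaaa1111" * 8,
     "original_filename": "svchost.exe"},
    {"path": r"C:\Users\u\AppData\Roaming\Microsoft\Network\svchost.exe",
     "sha256": "deadbeef" * 8, "original_filename": "agent.exe"},
    {"path": r"C:\Windows\System32\wercplsupporte.dll", "sha256": "cafe0000" * 8,
     "original_filename": "xmrig.exe"},
]
SAMPLE_IMAGES = [
    {"name": "registry.example/base/nginx:1.25", "digest": "sha256:" + "11" * 32},
    {"name": "registry.example/base/nginx:1.25", "digest": "sha256:" + "22" * 32},
]


def scan(files=SAMPLE_FILES, images=SAMPLE_IMAGES):
    """Run all checks and return the combined list of findings."""
    findings = []
    for f in files:
        findings.extend(check_file(f))
    for img in images:
        findings.extend(check_image(img))
    return findings


if __name__ == "__main__":
    for line in scan():
        print(line)
```

Each check is deliberately a separate signal: the hash and digest comparisons are authoritative where a known-good value exists, while the location, OriginalFilename and near-match checks only produce leads that need the command-line and parent-process context the page recommends before they are treated as malicious.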