Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks and services executed by the Task Scheduler or systemd are typically given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services have both a service name and a display name. Many benign tasks and services exist with commonly associated names, and adversaries may give their own tasks or services names that are similar or identical to those of legitimate ones. Tasks and services also carry other fields, such as a description, that adversaries may craft to look legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
Atomic Test #1 - Creating W32Time similar named service using schtasks
Atomic Test #2 - Creating W32Time similar named service using sc
Atomic Test #3 - Renaming a Linux process with prctl(PR_SET_NAME)
Atomic Test #1 - Creating W32Time similar named service using schtasks
Creates a scheduled task named win32times, a lookalike of the legitimate Windows Time service name (W32Time), as done by the threat actor dubbed "Operation Wocao". The task's action points at a script that does not exist (c:\T1036.004_NonExistingScript.ps1), so the task is registered under the misleading name but runs no payload.
Supported Platforms: Windows
auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
Attack Commands: run with command_prompt. Elevation required (e.g. root or admin), since the task is registered to run as SYSTEM (/ru system).
schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times
Cleanup Commands:
schtasks /delete /tn win32times /f
Atomic Test #2 - Creating W32Time similar named service using sc
Creates a Windows service named win32times, a lookalike of the legitimate Windows Time service name (W32Time), as done by the threat actor dubbed "Operation Wocao". The binPath points at a script that does not exist (c:\T1036.004_NonExistingScript.ps1) and is not a real service executable, so the service is registered but is never started; the test only creates, queries and deletes it. Note that sc requires the space after binPath= for the argument to be parsed.
Supported Platforms: Windows
auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66
Attack Commands: run with command_prompt. Elevation required (e.g. root or admin): creating a service needs the SC_MANAGER_CREATE_SERVICE right, which only administrators hold by default.
sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times
Cleanup Commands:
sc delete win32times
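Both W32Time tests rely on a name that is close to, but not the same as, the legitimate service name. The following C program, an added example that is not part of the Atomic Red Team tests or the technique description, shows one way to hunt for such names: it computes a case-insensitive edit distance between each observed task or service name and a baseline of known-good names and flags near misses. The baseline list, the observed names and the distance threshold of 3 are constructed for the illustration; a real baseline would be exported from a clean host with schtasks /query or sc query. The check generalises beyond the W32Time case to any lookalike, including single-character substitutions such as BlTS for BITS.

```c
/* Added example, not part of the Atomic Red Team test suite: flag task or
 * service names that are close to, but not exactly, a known legitimate name
 * (case-insensitive edit distance), the pattern both W32Time tests use. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Known-good names.  Constructed for this example; a real baseline would be
 * exported from a clean host (schtasks /query, sc query, or Get-Service). */
static const char *const KNOWN_GOOD[] = {
    "W32Time", "Schedule", "wuauserv", "BITS", "Dnscache", "EventLog",
};
#define N_KNOWN (sizeof KNOWN_GOOD / sizeof KNOWN_GOOD[0])

/* Levenshtein distance between two strings, compared case-insensitively,
 * because Windows service and task names are case-insensitive.
 * Names longer than 63 characters are clipped to keep the buffers fixed. */
size_t edit_distance(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t prev[64], cur[64];
    if (la > 63) la = 63;
    if (lb > 63) lb = 63;
    for (size_t j = 0; j <= lb; j++) prev[j] = j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = i;
        for (size_t j = 1; j <= lb; j++) {
            size_t cost = tolower((unsigned char)a[i - 1]) != tolower((unsigned char)b[j - 1]);
            size_t del = prev[j] + 1, ins = cur[j - 1] + 1, sub = prev[j - 1] + cost;
            cur[j] = del < ins ? del : ins;
            if (sub < cur[j]) cur[j] = sub;
        }
        memcpy(prev, cur, (lb + 1) * sizeof prev[0]);
    }
    return prev[lb];
}

/* Returns the legitimate name that `name` imitates, or NULL if `name` is
 * either an exact (case-insensitive) match or not close to anything.
 * `max_dist` is the tolerance; 3 catches win32times -> W32Time (distance 3). */
const char *lookalike_of(const char *name, size_t max_dist) {
    const char *best = NULL;
    size_t best_d = max_dist + 1;
    for (size_t i = 0; i < N_KNOWN; i++) {
        size_t d = edit_distance(name, KNOWN_GOOD[i]);
        if (d == 0) return NULL;       /* genuine name: nothing to flag */
        if (d < best_d) { best_d = d; best = KNOWN_GOOD[i]; }
    }
    return best;
}

int main(void) {
    /* Constructed sample of names as they might come from a task/service export.
     * "BlTS" uses a lowercase L in place of the I, "Schedu1e" a digit 1 for l. */
    const char *observed[] = { "win32times", "W32Time", "Schedu1e", "MyBackupJob", "BlTS" };
    for (size_t i = 0; i < sizeof observed / sizeof observed[0]; i++) {
        const char *hit = lookalike_of(observed[i], 3);
        printf("%-12s %s\n", observed[i], hit ? hit : "-");
    }
    return 0;
}
```

Compile with cc and run; each observed name is printed beside the legitimate name it resembles, or a dash when it is either genuine or unrelated. The threshold is deliberately small: larger values flag unrelated short names, while a case-insensitive exact match is treated as genuine here and would need a separate duplicate-name check.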
Atomic Test #3 - Renaming a Linux process with prctl(PR_SET_NAME)
Runs a C program that calls prctl(PR_SET_NAME) to set the calling thread's comm value (the name exposed in /proc/<pid>/comm and /proc/<pid>/stat) to "totally_legit". This is the name shown in the CMD column of a plain `ps` listing, and the name that pgrep and pkill match against unless given -f. The kernel stores at most 15 characters plus a terminating NUL, so longer names are silently truncated. Only the comm value changes: /proc/<pid>/cmdline (what `ps aux` and `ps -ef` print) and /proc/<pid>/exe still show the real binary, which is the mismatch a defender can look for.
Supported Platforms: Linux
auto_generated_guid: f0e3aaea-5cd9-4db6-a077-631dd19b27a8
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | Output Binary Path | path | /tmp/T1036_004_prctl_rename |
Attack Commands: run with sh.
#{exe_path} & ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0
Cleanup Commands:
rm -f #{exe_path}
Dependencies: run with sh. The compiled binary must exist at #{exe_path}.
Check Prereq Commands:
stat #{exe_path}
Get Prereq Commands:
cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
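To show what the test's prctl(PR_SET_NAME) call does and does not change, here is a self-contained C program, an added example that is not the test's own prctl_rename.c: set_comm() renames the calling thread, read_comm() reads the name back from /proc/thread-self/comm (falling back to PR_GET_NAME if /proc is unavailable), and read_cmdline_argv0() reads argv[0] from /proc/self/cmdline, which the rename leaves untouched. The function names and the sample names are this example's own. It also demonstrates the 15-character truncation of the comm field.

```c
/* Added example, not the Atomic Red Team prctl_rename.c: rename the calling
 * thread with PR_SET_NAME, then compare the comm value that `ps` shows with
 * the argv[0] recorded in /proc/self/cmdline, which the rename does not touch. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Set the calling thread's comm (the name shown by plain `ps` and in
 * /proc/<pid>/comm).  The kernel keeps TASK_COMM_LEN (16) bytes including
 * the NUL, so anything past 15 characters is silently dropped.
 * Returns 0 on success, -1 on failure (as prctl does). */
int set_comm(const char *name) {
    return prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
}

/* Read the comm back.  /proc/thread-self/comm (Linux 3.17+) is the calling
 * thread's entry, the same value `ps` reads via /proc/<pid>/stat.  If /proc
 * is not mounted, fall back to PR_GET_NAME.  Returns the length, or -1. */
int read_comm(char *buf, size_t len) {
    FILE *f = fopen("/proc/thread-self/comm", "r");
    if (f) {
        if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
        fclose(f);
        buf[strcspn(buf, "\n")] = '\0';   /* the file ends with a newline */
        return (int)strlen(buf);
    }
    char tmp[16] = {0};
    if (prctl(PR_GET_NAME, (unsigned long)tmp, 0, 0, 0) != 0) return -1;
    snprintf(buf, len, "%s", tmp);
    return (int)strlen(buf);
}

/* argv[0] as recorded in /proc/self/cmdline (what `ps aux` prints).
 * Entries are NUL-separated, so the first C string is argv[0].
 * Returns its length, or -1 if /proc is unavailable. */
int read_cmdline_argv0(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/cmdline", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)strlen(buf);
}

int main(void) {
    char comm[64], argv0[256];
    read_comm(comm, sizeof comm);
    printf("before rename: comm=%s\n", comm);

    set_comm("totally_legit");            /* the name used by the atomic test */
    read_comm(comm, sizeof comm);
    read_cmdline_argv0(argv0, sizeof argv0);
    printf("after rename:  comm=%s  cmdline argv0=%s\n", comm, argv0);

    set_comm("this_name_is_way_too_long"); /* 25 chars: truncated to 15 */
    read_comm(comm, sizeof comm);
    printf("long name:     comm=%s (%zu chars)\n", comm, strlen(comm));
    return 0;
}
```

Run it and compare `ps -o pid,comm` with `ps -o pid,args` for the same PID: the first column set shows the chosen name, the second still shows the path the binary was started from. That disagreement between comm and cmdline (or the basename of /proc/<pid>/exe) is the signal to alert on.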