T1036.005 - Masquerading: Match Legitimate Name or Location

Description from ATT&CK

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic.

Atomic Tests


Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.

Create and execute a process from a directory masquerading as the current parent directory (`...` instead of the normal `..`).

Supported Platforms: macOS, Linux

auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_message | Test message to echo out to the screen | string | Hello from the Atomic Red Team test T1036.005#1 |

Attack Commands: Run with `sh`!

```sh
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
```

Cleanup Commands:

```sh
rm -f $HOME/.../sh
rmdir $HOME/.../
```



Atomic Test #2 - Masquerade as a built-in system executable

Launch an executable that attempts to masquerade as a legitimate executable.

Supported Platforms: Windows

auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | string | $Env:windir\Temp\svchost.exe |

Attack Commands: Run with `powershell`!

```powershell
Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"
```

Cleanup Commands:

```powershell
Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
```
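Both tests leave the same kind of trace in process-creation or file-write telemetry: an executable path whose directory component is made only of dots (Test #1, `$HOME/.../sh`) or whose basename is a well-known system binary living outside its canonical directory (Test #2, `svchost.exe` under `%windir%\Temp`). The script below is an added detection example, not part of the Atomic Red Team project; it assumes a small illustrative `EXPECTED_DIRS` allow-list (a real deployment would derive it from a golden image or package manifest) and runs over constructed sample paths rather than live telemetry.

```python
"""Flag T1036.005-style masquerading in file paths taken from process or file events.

Added example (not Atomic Red Team code). EXPECTED_DIRS and SAMPLE_PATHS are
assumptions constructed for illustration.
"""
import ntpath
import posixpath
import re

# Assumption: where these built-in binaries are expected to live (lower-cased,
# no trailing separator). Extend from a known-good host or package manifest.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sh": {"/bin", "/usr/bin"},
}

# Drive-letter or UNC prefix means the path came from a Windows host.
_WINDOWS_PATH = re.compile(r"^[a-zA-Z]:[\\/]|^\\\\")


def _pathmod(path):
    """Pick the path module matching the event's origin OS (works on any host)."""
    return ntpath if _WINDOWS_PATH.match(path) else posixpath


def dot_only_components(path):
    """Directory components made solely of dots ('...', '....') that mimic '.' / '..'.

    normpath() collapses real '.' and '..' entries but leaves '...' alone, so
    anything that survives with three or more dots is a lookalike directory.
    """
    mod = _pathmod(path)
    sep = "\\" if mod is ntpath else "/"
    parts = mod.normpath(path).split(sep)
    return [p for p in parts[:-1] if len(p) >= 3 and set(p) == {"."}]


def misplaced_system_binary(path):
    """If the basename is a known system binary outside its expected directory,
    return the sorted list of expected directories; otherwise None."""
    mod = _pathmod(path)
    parent, name = mod.split(mod.normpath(path))
    key = name.lower()
    if key not in EXPECTED_DIRS:
        return None
    # Windows paths are case-insensitive; POSIX paths are compared as-is.
    parent_key = parent.lower().rstrip("\\/") if mod is ntpath else parent
    if parent_key in EXPECTED_DIRS[key]:
        return None
    return sorted(EXPECTED_DIRS[key])


def analyze_path(path):
    """Collect human-readable findings for one executable path."""
    findings = []
    for comp in dot_only_components(path):
        findings.append(f"dot-only directory component {comp!r} (mimics '..')")
    expected = misplaced_system_binary(path)
    if expected:
        name = _pathmod(path).basename(path)
        findings.append(f"{name} outside its expected location(s) {expected}")
    return findings


# Constructed sample events (not real telemetry): the two atomic tests plus
# two benign controls that must produce no finding.
SAMPLE_PATHS = [
    "/home/user/.../sh",
    "/bin/sh",
    r"C:\Windows\Temp\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
]


def scan(paths=SAMPLE_PATHS):
    """Return {path: findings} for every path with at least one finding."""
    hits = {}
    for p in paths:
        findings = analyze_path(p)
        if findings:
            hits[p] = findings
    return hits


if __name__ == "__main__":
    for path, findings in scan().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Feeding `analyze_path` the image path from each process-creation event (Sysmon Event ID 1, auditd `execve`, or an EDR equivalent) is enough to surface both tests; the benign controls show that the canonical `/bin/sh` and `System32\svchost.exe` paths stay quiet, which is the property a rule like this needs before it is deployed broadly.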