Try it using Invoke-Atomic

Masquerading

Description from ATT&CK

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site) Masquerading may also include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

Atomic Tests

Atomic Test #1 - System File Copied to Unusual Location

It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.

Supported Platforms: windows

auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

Cleanup Commands:

1

remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue

Atomic Test #2 - Malware Masquerading and Execution from Zip File

When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique as reported here

Supported Platforms: windows

auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc

Inputs:

Name Description Type Default Value
url Location of zip file url https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip

Attack Commands: Run with powershell!

1
2
3

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

Cleanup Commands:

1
2

taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Zip file must be present. Check Prereq Commands:

1
2

if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip"

source