Match Legitimate Name or Location

Information

• Name: Match Legitimate Name or Location

• ID: T1036.005

• Tactics: TA0005

• Technique: T1036

Introduction

Match Legitimate Name or Location (T1036.005) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Masquerading" (T1036). This technique involves adversaries disguising malicious artifacts, processes, or activities by using legitimate names or locations. Attackers leverage this method to blend in with normal system operations, evade detection, and maintain persistence within compromised environments.

Deep Dive Into Technique

Attackers employing the Match Legitimate Name or Location sub-technique typically rename malicious executables, scripts, or payloads to match legitimate system files or commonly used software. The primary goal is to bypass detection mechanisms that rely on filename or path-based analysis. Technical execution methods include:

• Renaming malicious executable files to match legitimate system processes (e.g., "svchost.exe", "explorer.exe", "services.exe").

• Placing malicious files within directories commonly associated with legitimate system or application files (e.g., "C:\Windows\System32", "C:\Program Files").

• Using legitimate file extensions (e.g., ".dll", ".exe", ".sys") to further disguise malicious payloads.

• Mimicking legitimate naming conventions, including capitalization, spacing, and version numbering, to appear authentic.

• Utilizing environment-specific naming conventions, such as vendor-specific naming patterns or internal software naming conventions, to increase believability.

Real-world procedures often involve attackers analyzing the targeted environment to identify legitimate filenames or directories that are less likely to attract attention. They may also leverage scripting or automated tools to quickly rename and deploy malicious payloads into legitimate-looking locations.

When this Technique is Usually Used

This sub-technique is commonly employed during multiple stages of the attack lifecycle, including:

• Initial Access and Execution:

  • Attackers may disguise initial payloads as legitimate installers, updates, or software packages.

  • Phishing campaigns often use attachments or links named similarly to legitimate documents or software installers.

• Defense Evasion:

  • Renaming malicious binaries to match legitimate system binaries to evade antivirus and endpoint detection and response (EDR) tools.

  • Placing malicious payloads into legitimate directories to bypass path-based detection rules.

• Persistence and Privilege Escalation:

  • Creating malicious scheduled tasks or services that mimic legitimate system tasks or services.

  • Establishing persistent backdoors using legitimate-looking filenames and locations to blend into normal system operations.

• Lateral Movement:

  • Attackers may rename malicious tools or scripts to match legitimate administrative utilities (e.g., "PsExec.exe", "wmic.exe") to move laterally without raising suspicion.

How this Technique is Usually Detected

Effective detection of Match Legitimate Name or Location sub-technique involves a combination of behavioral analysis, integrity monitoring, and anomaly detection. Methods and tools include:

• File Integrity Monitoring (FIM):

  • Regularly monitoring critical system directories (e.g., "System32", "Program Files") for file additions, modifications, or deletions.

  • Detecting unexpected files appearing in sensitive directories.

• Process Monitoring and Behavioral Analysis:

  • Using endpoint security solutions to detect unusual process behaviors, such as abnormal parent-child process relationships or suspicious process execution paths.

  • Identifying processes running from unusual or unexpected locations, even if filenames appear legitimate.

• Anomaly Detection:

  • Implementing machine learning or statistical anomaly detection to identify deviations from established baseline behaviors or file system states.

  • Alerting on processes executing from uncommon directories or filenames that slightly differ from legitimate files.

• Endpoint Detection and Response (EDR) Tools:

  • Leveraging EDR capabilities to detect suspicious activities, such as file renaming or unexpected file creations in sensitive directories.

  • Monitoring command-line arguments and process creation events for indicators of malicious intent.

Indicators of Compromise (IoCs):

• Executables or scripts placed in unusual directories that mimic legitimate system binaries.

• Slight filename variations or misspellings of legitimate system files (e.g., "svhost.exe" instead of "svchost.exe").

• Unexpected scheduled tasks or services running from legitimate-looking filenames or directories.

• Abnormal file hashes or signatures associated with known malicious payloads.

Why it is Important to Detect This Technique

Detecting the Match Legitimate Name or Location sub-technique early is crucial due to several potential impacts:

• Stealth and Persistence:

  • Attackers leveraging this technique can maintain prolonged and stealthy access, complicating remediation efforts.

  • Malicious payloads disguised as legitimate files can evade traditional antivirus and file-based security controls.

• Privilege Escalation and Lateral Movement:

  • Malicious processes masquerading as legitimate system utilities may facilitate privilege escalation or lateral movement, significantly increasing the scope and severity of compromise.

• Data Exfiltration and Damage:

  • Attackers can use disguised malicious processes to exfiltrate sensitive data, deploy ransomware, or cause system disruptions without immediate detection.

  • Delayed detection increases the risk of significant data loss, financial impacts, and reputational damage.

• Incident Response Complexity:

  • Identifying and remediating malicious files becomes more challenging when attackers employ legitimate filenames or directories, prolonging response times and increasing incident response costs.

Early identification and mitigation of this technique significantly reduce attacker dwell time, limit potential damage, and improve overall security posture.

Examples

Real-world examples of attackers employing Match Legitimate Name or Location include:

• APT29 (Cozy Bear):

  • Known to rename malicious payloads to mimic legitimate Windows system binaries, such as "svchost.exe" or "explorer.exe", placing them in legitimate directories to evade detection.

  • Successfully leveraged masquerading techniques in targeted attacks against government and diplomatic organizations.

• FIN7:

  • Frequently disguised malicious scripts and binaries as legitimate administrative tools or software updates, placing them in standard application directories.

  • Used this method to maintain persistent access and avoid detection during attacks on financial institutions and retail sectors.

• TrickBot Malware:

  • Employed filenames resembling legitimate Windows utilities, such as "taskhost.exe" or "winlogon.exe", to evade endpoint security solutions.

  • Leveraged legitimate-looking filenames and directories to establish persistence and deliver secondary payloads, including ransomware.

• Emotet Malware:

  • Distributed via phishing emails containing malicious attachments named similarly to legitimate invoices, shipping notices, or financial documents.

  • Leveraged legitimate naming conventions and file extensions to increase the likelihood of successful execution by unsuspecting users.

These examples highlight the importance of vigilance and robust detection capabilities to identify malicious artifacts masquerading as legitimate system components, minimizing the risk and impact of successful attacks.