In masquerading, adversaries leverage valid employee accounts to gain access to internal systems. As they collect credentials, they also deploy tools and techniques to maintain persistence and evade defenses. For example:
- Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
- An attacker might try to use a different version of a system command without overriding the original, or they might try to avoid detection by running the process from a different folder.
- They might run executables or scripts from Windows file paths that don't commonly host them.
- They might launch processes from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.
Masquerade attacks can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they've managed to attain. You want to be able to detect masquerading.
How to use Splunk software for this use case
To deploy this use case, you need Splunk Security Essentials (SSE), a free application with a security content library. The searches use macros that come packaged with the Splunk Security Essentials application. The SSE searches that support this use case are:
- Suspicious Microsoft workflow compiler rename
- Suspicious msbuild rename
- System processes run from unexpected locations
- Suspicious msbuild path
- Attacker tools on endpoint
- Execution of file with multiple extensions
- Suspicious writes to Windows recycle bin
- Executables or script creation in suspicious path
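The following script is an added example, not code from Splunk or Security Essentials. It applies three of the checks behind the searches listed above (renamed utilities, system processes from unexpected locations, double extensions) to constructed process-creation events. The field names follow the Sysmon Event ID 1 convention (Image, OriginalFileName), and the expected directories and watched utilities are illustrative assumptions to be tuned for your environment.

```python
import ntpath

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (Image, OriginalFileName). Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Temp\build.exe", "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\bob\Downloads\invoice.pdf.exe", "OriginalFileName": "invoice.pdf.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "OriginalFileName": "MSBuild.exe"},
]

# Assumed directories where these system binaries are expected to live (tune per environment).
EXPECTED_DIRS = {
    "svchost.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "msbuild.exe": [r"c:\windows\microsoft.net\framework", r"c:\windows\microsoft.net\framework64"],
}
# Utilities whose renaming is suspicious. OriginalFileName comes from the PE version
# resource, so it survives an on-disk rename of the file.
WATCHED_ORIGINALS = {"msbuild.exe", "microsoft.workflow.compiler.exe"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
DATA_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def under(directory, base):
    """True if directory is base itself or a subdirectory of it."""
    return directory == base or directory.startswith(base + "\\")

def classify(event):
    """Return the list of masquerading indicators matched by one event."""
    name = ntpath.basename(event["Image"]).lower()
    directory = ntpath.dirname(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # 1. Renamed utility: on-disk name no longer matches the compiled-in name.
    if original in WATCHED_ORIGINALS and name != original:
        findings.append("renamed_utility")
    # 2. System process from an unexpected location. Check against the compiled-in
    #    name when known, so a renamed copy is still compared with the right directories.
    key = original if original in EXPECTED_DIRS else name
    if key in EXPECTED_DIRS and not any(under(directory, d) for d in EXPECTED_DIRS[key]):
        findings.append("unexpected_location")
    # 3. Double extension: a data-file extension placed in front of an executable one.
    stem, ext = ntpath.splitext(name)
    if ext in EXEC_EXTS and ntpath.splitext(stem)[1] in DATA_EXTS:
        findings.append("double_extension")
    return findings

def scan(events):
    """Return (Image, findings) for every event that matched at least one indicator."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Correlating these findings with file integrity monitoring (unexpected writes to the same paths) reduces false positives from legitimate software installs.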
File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.
These additional Splunk resources might help you understand and implement this specific use case: