Splunk Lantern

Detecting masquerading

Scenario: In some cyber attacks, adversaries leverage valid employee accounts to gain access to internal systems. As they collect credentials, they also deploy tools to maintain persistence and evade defenses. A common tool that certain adversaries use is procdump.exe, a Microsoft command line utility for monitoring applications and creating crash dumps. Adversaries use procdump to dump credentials. To obscure the presence of procdump.exe on a server, the adversary renames their copies of procdump.exe to something that appears legitimate. This technique is known as masquerading and is fairly common with certain utilities, because the mere presence of such a utility on certain systems may trigger alarms for organizations. You want to be able to detect this technique.

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

  • People: Threat hunter
  • Technologies: 
    • Splunk Enterprise or Splunk Cloud Platform
    • Sysmon
  • Data: Endpoint data

How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 
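As an added example that is not part of this Splunk Lantern use case, the following Python script applies the masquerading check to a few constructed Sysmon process-creation (Event ID 1) records: it flags processes whose OriginalFileName (the name the binary carries in its PE version resource, which recent Sysmon versions record) is procdump's but whose launched file name differs, and sets aside events that lack the field so they can be checked another way. Field names follow Sysmon; the sample records, paths and user names are constructed.

```python
from pathlib import PureWindowsPath

# Internal file names carried by the procdump binaries (assumed; verify against
# your own Sysmon data before relying on the list).
PROCDUMP_ORIGINAL_NAMES = {"procdump.exe", "procdump64.exe"}

# Constructed Sysmon Event ID 1 records reduced to the fields the check uses.
# These are not real log lines.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Tools\procdump.exe",
     "OriginalFileName": "procdump.exe", "User": "CORP\\admin1"},
    {"EventCode": 1, "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "procdump64.exe", "User": "CORP\\jdoe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Older Sysmon schema: no OriginalFileName field at all.
    {"EventCode": 1, "Image": r"C:\Users\jdoe\update.exe", "User": "CORP\\jdoe"},
    # Network-connection event: not a process creation, ignored.
    {"EventCode": 3, "Image": r"C:\Tools\procdump.exe"},
]


def is_masqueraded_procdump(event):
    """True when a process-creation event carries procdump's internal name
    but the process was launched under a different file name."""
    if event.get("EventCode") != 1:
        return False
    original = event.get("OriginalFileName")
    if not original:  # cannot decide from this event alone
        return False
    original = original.lower()
    launched = PureWindowsPath(event.get("Image", "")).name.lower()
    return original in PROCDUMP_ORIGINAL_NAMES and launched != original


def triage(events):
    """Split process-creation events into masquerading hits and events that
    lack OriginalFileName and therefore need a different check (e.g. FIM)."""
    hits, unverifiable = [], []
    for e in events:
        if e.get("EventCode") != 1:
            continue
        if not e.get("OriginalFileName"):
            unverifiable.append(e["Image"])
        elif is_masqueraded_procdump(e):
            hits.append((e["Image"], e["OriginalFileName"], e.get("User", "?")))
    return {"hits": hits, "unverifiable": unverifiable}


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS)["hits"]:
        print("masquerading candidate:", hit)
```

A renamed copy still reports procdump's internal name, which is why comparing OriginalFileName with the launched file name catches the rename; a binary with that field stripped or edited falls into the unverifiable bucket and needs hash or FIM based review.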

Results

File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.

Additional resources

The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case: