Detecting masquerading
Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused to evade defenses and observation. This might include manipulating file metadata, tricking users into misidentifying the file type, or giving malicious tasks and services legitimate-looking names.
Even when security monitoring and control mechanisms for system utilities are in place, an attacker might bypass them by renaming the utility before running it. Alternatively, a legitimate utility can be copied or moved to a different directory and renamed, so that a detection keyed on the utility's original filename executing from a non-standard path no longer matches.
The detections listed below address this use case.
Data required
How to use Splunk software for this use case
- Execution of file with multiple extensions
- Sdelete application execution
- Suspicious MSBuild rename
- Suspicious Microsoft workflow compiler rename
- Suspicious msbuild path
- System processes run from unexpected locations
- Windows DotNet binary in non-standard path
- Windows InstallUtil in non-standard path
- Windows LOLBAS executed as renamed file
- Windows LOLBAS executed outside expected path
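The three patterns the detections above look for (a LOLBAS binary whose on-disk name no longer matches the name compiled into it, a LOLBAS binary running outside its expected directory, and a file with a decoy extension in front of the executable one) can be checked directly against process-creation telemetry. The following Python is an added example, not code from the original page or from any Splunk detection; it assumes Sysmon Event ID 1 style records carrying the Image path and the OriginalFileName field taken from the PE version resource, and the expected-directory table and the sample events are constructed for this example.

```python
import ntpath

# Directories where each LOLBAS binary is expected to live, keyed by the
# lowercase OriginalFileName from the PE version resource. This table is
# constructed for the example; build your own from a gold image.
EXPECTED_DIRS = {
    "msbuild.exe": {
        r"c:\windows\microsoft.net\framework\v4.0.30319",
        r"c:\windows\microsoft.net\framework64\v4.0.30319",
    },
    "installutil.exe": {
        r"c:\windows\microsoft.net\framework\v4.0.30319",
        r"c:\windows\microsoft.net\framework64\v4.0.30319",
    },
    "microsoft.workflow.compiler.exe": {
        r"c:\windows\microsoft.net\framework\v4.0.30319",
        r"c:\windows\microsoft.net\framework64\v4.0.30319",
    },
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Document-like extensions placed in front of a real executable extension
# ("invoice.pdf.exe") to make a user misidentify the file type.
DECOY_EXTENSIONS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"})
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif"})


def analyze(event):
    """Return the masquerading indicators raised by one process-creation event."""
    image = event["Image"].lower()
    original = event.get("OriginalFileName", "").lower()
    directory, filename = ntpath.split(image)
    findings = []

    # Renamed LOLBAS: the on-disk name differs from the compiled-in name.
    if original and filename != original:
        findings.append("renamed")

    # LOLBAS outside its expected directory. Keying on the compiled-in name
    # (falling back to the on-disk name) means a renamed copy is still checked.
    expected = EXPECTED_DIRS.get(original or filename)
    if expected is not None and directory not in expected:
        findings.append("unexpected_path")

    # Multiple extensions: "<name>.<decoy>.<executable>".
    parts = filename.split(".")
    if (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTENSIONS
            and parts[-2] in DECOY_EXTENSIONS):
        findings.append("multiple_extensions")

    return findings


def hunt(events):
    """Map each flagged Image path to the indicators it raised."""
    return {e["Image"]: f for e in events if (f := analyze(e))}


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\Public\build.exe", "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Windows\Temp\InstallUtil.exe", "OriginalFileName": "InstallUtil.exe"},
    {"Image": r"C:\Users\alice\Downloads\invoice.pdf.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(findings)}")
```

The OriginalFileName comparison is the cheapest rename check, but it is attacker-controllable: a binary whose version resource has been edited, or a recompiled clone, will carry whatever name the attacker chose, so pair it with the file hash or Authenticode signer before trusting a match.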
Next steps
File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.
These additional Splunk resources might help you understand and implement this specific use case:
- Splunk Blog: SUPERNOVA Redux, with a Generous Portion of Masquerading
- MITRE Technique: Masquerading