In masquerading, adversaries leverage valid employee accounts to gain access to internal systems. As they collect credentials, they also deploy tools and techniques to maintain persistence and evade defenses. For example:
- Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
- An attacker tries might try to use different version of a system command without overriding original, or they might try to avoid some detection running the process from a different folder.
- They might run executable or scripts from file paths in Windows that don't commonly host these.
- They might launch processes from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.
Masquerade attacks can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they've managed to attain. You want to be able to detect masquerading.
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
- Execution of file with multiple extensions
- Sdelete application execution
- Suspicious MSBuild rename
- Suspicious microsoft workflow compiler rename
- Suspicious msbuild path
- System process running from unexpected location
- System processes run from unexpected locations (Sysmon)
- Windows DotNet binary in non-standard path
- Windows DotNet binary in non-standard path (Sysmon)
- Windows InstallUtil in non-standard path
File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.
These additional Splunk resources might help you understand and implement this specific use case:
- Blog: SUPERNOVA Redux, with a Generous Portion of Masquerading
- Blog: Detecting Supernova malware: SolarWinds continued
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.