Masquerading: Rename Legitimate Utilities

Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.[1][2][3][4] It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).[5] An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.[6]

ID: T1036.003
Sub-technique of: T1036
Platforms: Linux, Windows, macOS
Contributors: Matt Anderson, @nosecurething, Huntress
Version: 2.0
Created: 10 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID | Name | Description
G0050 APT32

APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[7]

G0082 APT38

APT38 has renamed system utilities, such as rundll32.exe and mshta.exe, to avoid detection.[8]

S0046 CozyCar

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[6]

G1034 Daggerfly

Daggerfly used a renamed version of rundll32.exe, such as "dbengin.exe" located in the ProgramData\Microsoft\PlayReady directory, to proxy malicious DLL execution.[9]

S1111 DarkGate

DarkGate executes a Windows Batch script during installation that creates a randomly-named directory in the C:\ root directory, then copies and renames the legitimate Windows curl command to this new location.[10]

G0093 GALLIUM

GALLIUM used a renamed cmd.exe file to evade detection.[11]

S1020 Kevin

Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.[12]

G0032 Lazarus Group

Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.[13]

G0045 menuPass

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[14]

S1183 StrelaStealer

StrelaStealer has used a renamed, legitimate msinfo32.exe executable to sideload the StrelaStealer payload during initial installation.[15]

Mitigations

ID | Mitigation | Description
M1022 Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path

AN0012

Execution of binaries where the on-disk filename does not match PE metadata such as OriginalFilename or InternalName. Often observed with renamed LOLBAS or system binaries like rundll32, powershell, or psexec.

AN0013

Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed osascript, bash, or curl).

AN0014

Execution of renamed common utilities (e.g., bash, nc, python, sh) from atypical directories or with names intended to deceive defenders or EDRs.
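The AN0012 analytic (on-disk filename versus PE OriginalFilename, plus a non-standard path check) applied to Sysmon-style process-creation events, as an added example that is not part of the ATT&CK page or any MITRE tool. It assumes Sysmon Event ID 1 field names (Image, OriginalFileName) and stock Windows install directories for the tracked utilities; the events are constructed to mirror the procedure examples above, not real telemetry.

```python
# Added example: detect renamed or relocated Windows utilities from process-creation
# events. Field names follow Sysmon Event ID 1 (assumption); expected directories are
# the default install locations (assumption, lower-case for comparison).
from pathlib import PureWindowsPath

# Utilities the procedure examples show being renamed, mapped to where they normally run from.
EXPECTED_DIRS = {
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "mshta.exe":    {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wscript.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "certutil.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "msinfo32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "curl.exe":     {r"c:\windows\system32"},
}

def classify(event):
    """Return findings for one event: 'metadata_mismatch', 'nonstandard_path', both, or none."""
    image = PureWindowsPath(event["Image"])
    on_disk = image.name.lower()
    # PE OriginalFilename is stored in mixed case (e.g. RUNDLL32.EXE, Cmd.Exe); compare case-insensitively.
    original = event.get("OriginalFileName", "-").lower()
    if original not in EXPECTED_DIRS:
        return []  # not a tracked utility, or the binary carries no version info
    findings = []
    if on_disk != original:
        findings.append("metadata_mismatch")
    if str(image.parent).lower() not in EXPECTED_DIRS[original]:
        findings.append("nonstandard_path")
    return findings

def hunt(events):
    """Return (Image, OriginalFileName, findings) for every event that triggers at least one finding."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event["Image"], event["OriginalFileName"], findings))
    return hits

# Constructed events modelled on the page's procedure examples (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},  # benign
    {"Image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE"},  # Daggerfly-style
    {"Image": r"C:\k7Qz2\b3.exe", "OriginalFileName": "curl.exe"},  # DarkGate-style copy of curl
    {"Image": r"C:\Users\Public\x91f.tmpl", "OriginalFileName": "Cmd.Exe"},  # Kevin-style cmd.exe
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE"},  # benign
]

if __name__ == "__main__":
    for image, original, findings in hunt(SAMPLE_EVENTS):
        print(f"{image} (OriginalFileName={original}): {', '.join(findings)}")
```

Version-info metadata can itself be edited, so a binary with no OriginalFileName (Sysmon logs "-") or an unexpected one deserves a hash or signature check rather than being dropped as untracked.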

References

  1. LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
  2. Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.
  3. The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.
  4. Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.
  5. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
  6. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  7. Carr, N. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved September 12, 2024.
  8. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  9. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  10. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  11. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  12. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  13. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  14. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  15. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.