
T1036.005

Masquerading: Match Legitimate Name or Location

Description from ATT&CK

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Atomic Tests

Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory

Create and execute a process from a directory masquerading as the current parent directory (... instead of normal ..)

Supported Platforms: macOS, Linux

auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_message | Test message to echo out to the screen | string | Hello from the Atomic Red Team test T1036.005#1 |

Attack Commands: Run with sh!

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

Cleanup Commands:

rm -f $HOME/.../sh
rmdir $HOME/.../
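A defender's counterpart to Atomic Test #1, added here as an example (this is not code from the Atomic Red Team project): a directory named `...` looks like the `..` parent entry in a listing but is an ordinary directory to the kernel, so a filesystem walk or a process's executable path can be checked for any component made only of dots. The check generalizes to `....` and longer. The fixture directory layout and the copied `sh` are constructed by the script itself.

```python
"""Hunt for directories whose names consist only of dots ('...', '....'),
which imitate the '..' parent entry.  Added example for Atomic Test #1;
not part of the Atomic Red Team project."""
import os
import re
import stat
import tempfile

# '.' and '..' are real directory entries; three or more dots is a
# look-alike name that os.walk returns like any other directory.
DOT_ONLY = re.compile(r"^\.{3,}$")


def is_dot_masquerade(name: str) -> bool:
    """True for names such as '...' or '....' (but not '.' or '..')."""
    return bool(DOT_ONLY.match(name))


def find_dot_masquerade_dirs(root: str) -> list[dict]:
    """Walk `root` and report every dot-only directory together with any
    executable files directly inside it (the test drops a copy of sh there)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not is_dot_masquerade(d):
                continue
            full = os.path.join(dirpath, d)
            executables = []
            for entry in os.scandir(full):
                if entry.is_file(follow_symlinks=False):
                    mode = entry.stat(follow_symlinks=False).st_mode
                    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                        executables.append(entry.name)
            findings.append({"dir": full, "executables": sorted(executables)})
    return findings


def flag_process_path(exe_path: str) -> bool:
    """The same check applied to a running process's executable path
    (e.g. the target of /proc/<pid>/exe): any dot-only component is a hit."""
    return any(is_dot_masquerade(p) for p in exe_path.split(os.sep))


def build_fixture() -> str:
    """Constructed layout mirroring the test: <root>/.../sh next to a
    benign hidden directory.  Returns the temporary root."""
    home = tempfile.mkdtemp(prefix="t1036_005_")
    os.makedirs(os.path.join(home, ".config"))  # ordinary dot-directory, must not alert
    bad = os.path.join(home, "...")
    os.makedirs(bad)
    fake_sh = os.path.join(bad, "sh")
    with open(fake_sh, "w") as fh:
        fh.write("#!/bin/sh\necho constructed\n")
    os.chmod(fake_sh, 0o755)
    return home


if __name__ == "__main__":
    root = build_fixture()
    for f in find_dot_masquerade_dirs(root):
        print(f"suspicious directory {f['dir']} executables={f['executables']}")
```

Pointing `find_dot_masquerade_dirs` at real home directories is a cheap periodic hunt; `flag_process_path` fits in any process-inventory script, since the copied `sh` keeps running from the `...` path after the test.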

Atomic Test #2 - Masquerade as a built-in system executable

Launch an executable that attempts to masquerade as a legitimate executable.

Supported Platforms: Windows

auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | string | $Env:windir\Temp\svchost.exe |

Attack Commands: Run with powershell!

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

Cleanup Commands:

Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore

Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe

This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application. The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary. This technique may be used to evade detection by mimicking legitimate software names or locations.

Expected Output:

  • A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
  • SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
  • Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.

References:

Supported Platforms: Windows

auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ved_path | Directory path where VEDetector.exe will be created | Path | $env:TEMP |
| source_file | Path to the source cmd.exe file | Path | $env:SystemRoot\System32\cmd.exe |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

Cleanup Commands:

# Remove registry key
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue

# Stop the process
Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue

# Remove the file
Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue

Write-Host "[+] Cleaned up VEDetector artifacts"

Dependencies: Run with powershell!

Description: The source cmd.exe file must exist on the system.
Check Prereq Commands:
if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
Get Prereq Commands:
Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
exit 1
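Detection logic covering both Windows tests on this page (Atomic Test #2, a trusted name in the wrong directory, and Atomic Test #3, a renamed cmd.exe plus a Run key), added here as an example; it is not code from the Atomic Red Team project. It runs over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent SetValue), the two event types the Expected Output above names. The field names (`Image`, `OriginalFileName`, `TargetObject`, `Details`) are Sysmon's; the event values, the user name and the allowlist of expected directories are assumptions made for the example.

```python
"""Sysmon-style detections for Atomic Tests #2 and #3.  Added example, not
Atomic Red Team code.  Events are constructed dicts using Sysmon field names."""
import ntpath
import re

# Well-known system binary names and the directories they legitimately run
# from.  Assumed allowlist for the example; extend per environment.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Paths a non-admin user can write to; a Run key pointing here deserves more
# attention than one pointing into Program Files.
USER_WRITABLE = re.compile(r"^c:\\(users\\|windows\\temp\\)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def _split(image: str):
    """Return (lower-cased directory, lower-cased basename) of a Windows path."""
    return ntpath.split(image.lower())


def check_process_create(ev: dict) -> list[str]:
    """Rules for Event ID 1."""
    alerts = []
    directory, name = _split(ev["Image"])
    # Rule 1 (Test #2): a trusted name launched from outside its expected directory.
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        alerts.append(f"{name} launched from unexpected directory {directory}")
    # Rule 2 (Test #3): PE version info disagrees with the on-disk name.
    # Sysmon records '-' when the binary carries no OriginalFileName.
    original = ev.get("OriginalFileName", "-")
    if original not in ("-", "") and original.lower() != name:
        alerts.append(f"{name} has OriginalFileName {original} (renamed binary)")
    return alerts


def check_registry_set(ev: dict) -> list[str]:
    """Rules for Event ID 13: a Run key whose value points into a user-writable path."""
    alerts = []
    if ev.get("EventType") == "SetValue" and RUN_KEY.search(ev["TargetObject"]):
        target = ev.get("Details", "").strip('"')
        if USER_WRITABLE.match(target):
            alerts.append(f"Run key {ev['TargetObject']} -> {target} (user-writable location)")
    return alerts


def analyze(events: list[dict]) -> list[str]:
    """Dispatch each event to the rule set for its Event ID and collect alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
        elif ev["EventID"] == 13:
            alerts.extend(check_registry_set(ev))
    return alerts


# Constructed events modelled on what Tests #2 and #3 would produce, with a
# benign svchost.exe start first for contrast.  User name 'alice' is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svchost.exe",                 # Test #2
     "OriginalFileName": "-", "CommandLine": r"C:\Windows\Temp\svchost.exe"},
    {"EventID": 13, "EventType": "SetValue",                                # Test #3
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VEDetector",
     "Details": r"C:\Users\alice\AppData\Local\Temp\VEDetector.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\VEDetector.exe",  # Test #3
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\VEDetector.exe"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Rule 1 is what catches Test #2: the freshly compiled assembly has no version resource, so `OriginalFileName` is `-` and only the location gives it away. Rule 2 is what catches Test #3: the copied cmd.exe still carries `Cmd.Exe` in its version info no matter what it is renamed to, which is why Sysmon's `OriginalFileName` is worth keying on rather than the process name alone.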