cti/enterprise-attack/attack-pattern/attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c.json

{
    "type": "bundle",
    "id": "bundle--a311d6e5-ad33-4b74-adca-5ccaeb7f7e72",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
            "created": "2020-02-10T20:30:07.426Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1036/004",
                    "external_id": "T1036.004"
                },
                {
                    "source_name": "Fysbis Dr Web Analysis",
                    "description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.",
                    "url": "https://vms.drweb.com/virus/?i=4276269"
                },
                {
                    "source_name": "Palo Alto Shamoon Nov 2016",
                    "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
                    "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
                },
                {
                    "source_name": "Systemd Service Units",
                    "description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.",
                    "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
                },
                {
                    "source_name": "TechNet Schtasks",
                    "description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.",
                    "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-15T20:39:39.311Z",
            "name": "Masquerade Task or Service",
            "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "stealth"
                }
            ],
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": true,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_version": "2.0"
        }
    ]
}