security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1036/T1036.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

106 lines
3.2 KiB
Markdown
Raw Permalink Blame History

# T1036 - Masquerading
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036)
<blockquote>
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - System File Copied to Unusual Location](#atomic-test-1---system-file-copied-to-unusual-location)
- [Atomic Test #2 - Malware Masquerading and Execution from Zip File](#atomic-test-2---malware-masquerading-and-execution-from-zip-file)
<br/>
## Atomic Test #1 - System File Copied to Unusual Location
It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
#### Attack Commands: Run with `powershell`!
```powershell
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5
stop-process -name "cmd" | out-null
```
#### Cleanup Commands:
```powershell
remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
```
<br/>
<br/>
## Atomic Test #2 - Malware Masquerading and Execution from Zip File
When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
**Supported Platforms:** Windows
**auto_generated_guid:** 4449c89b-ec82-43a4-89c1-91e2f1abeecc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | Location of zip file | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip|
#### Attack Commands: Run with `powershell`!
```powershell
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
```
#### Cleanup Commands:
```powershell
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Zip file must be present.
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink