Masquerading T1036

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Events covered

26 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
| --- | --- | --- |
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 5 | Process terminated |
| Sysmon | Event ID 6 | Driver loaded |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 29 | FileExecutableDetected |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4689 | A process has exited. |
| Security-Auditing | Event ID 4720 | A user account was created. |
| Security-Auditing | Event ID 4768 | A Kerberos authentication ticket (TGT) was requested. |
| Security-Auditing | Event ID 4781 | The name of an account was changed. |
| Security-Auditing | Event ID 4799 | A security-enabled local group membership was enumerated. |
| Security-Auditing | Event ID 5058 | Key file operation. |
| Security-Auditing | Event ID 5059 | Key migration operation. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| Security-Auditing | Event ID 5379 | Credential Manager credentials were read. |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| Defender-DeviceProcessEvents | ProcessCreated | Process created |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Windows-Defender | Event ID 1119 | ProductName has encountered a critical error when taking action on malware or other potentially unwanted software. |
| PowerShell | Event ID 400 | Event ID 400 |
| Service-Control-Manager | Event ID 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 202 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (81 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| Image | 79 | ends_with 62, contains 12, starts_with 7, wildcard 6, eq 5, ne 2, in 1, is_null 1 | \cmd.exe, \bitsadmin.exe, \cscript.exe, \powershell.exe, \schtasks.exe |
| CommandLine | 66 | contains 44, regex_match 15, ends_with 6, in 6, match 3, ne 2, eq 1, is_null 1, starts_with 1 | /create , /addfile , /transfer , cp , (?i)(copy-item|copy|xcopy|cp|cpi|robocopy)\s+.+(\x5c(syst... |
| OriginalFileName | 49 | eq 46, contains 1, in 1, ne 1, wildcard 1 | bitsadmin.exe, msbuild.exe, msdt.exe, schtasks.exe, xcopy.exe |
| process_name | 47 | eq 26, match 6, regex_match 6, ne 5, in 2, wildcard 2, contains 1, ends_with 1 | cmd.exe, powershell.exe, (?i)(\x5c\$recycle\.bin\x5c|\x5cconfig\x5csystemprofile\x..., (?i)\s+\x5c, (?i)\x5csystem32\x5c(lsass|services)\.exe |
| EventID | 36 | eq 36 | 4688, 1, 4103, 4104, 11 |
| event.type | 36 | eq 36, ne 1 | start, creation, deletion |
| parent_process_name | 20 | eq 9, is_not_null 4, match 3, regex_match 2, in 1, ne 1 | (?i)\s+\x5c, (?i)lsass\.exe, cmd.exe, explorer.exe, (?i)^\w{1,2}\.exe |
| ParentImage | 16 | ends_with 14, eq 3, contains 2, is_null 2, ne 1 | \msmpeng.exe, -, \mrt.exe, .doc.js, .doc.lnk |
| TargetFilename | 15 | contains 12, ends_with 8, starts_with 3, in 2, match 1, wildcard 1 | .exe, .dll, .doc., .docx., $recycle.bin |
| Type | 11 | eq 11 | |
| EventType | 6 | eq 5, starts_with 1 | ProcessCreated, load, Image loaded, renamed-user-account |
| Description | 5 | eq 4, contains 1, starts_with 1 | Edit resources of exe, Execute processes remotely, Java Update Scheduler, Java(TM) Update Scheduler, Microsoft Access |
| ImageLoaded | 5 | wildcard 2, contains 1, ends_with 1, in 1, starts_with 1 | *\\cryptpak.dll, *\\htctl32.dll, *\\pcicapi.dll, .node, .vscode\extensions\ms-toolsai.jupyter- |
| process.args | 5 | eq 3, wildcard 2, starts_with 1 | */../../../*, *FromBase64*, -af, -c, -cf |
| Product | 4 | eq 3, is_null 1, starts_with 1 | QEMU, Sysinternals, Sysinternals PsExec, rcedit |

Top indicator values (2632 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| event.type | eq | start | 34 | 241 |
| EventID | eq | 4688 | 12 | 312 |
| EventID | eq | 1 | 11 | 232 |
| EventID | eq | 4103 | 3 | 105 |
| EventID | eq | 4104 | 3 | 268 |
| CommandLine | contains | /create | 7 | 15 |
| CommandLine | contains | /addfile | 5 | 5 |
| CommandLine | contains | /transfer | 5 | 5 |
| CommandLine | contains | cp | 4 | 8 |
| CommandLine | contains | copy | 3 | 12 |
| Image | ends_with | \cmd.exe | 7 | 134 |
| Image | ends_with | \powershell.exe | 7 | 186 |
| Image | ends_with | \pwsh.exe | 7 | 172 |
| Image | ends_with | \bitsadmin.exe | 6 | 29 |
| Image | ends_with | \rundll32.exe | 6 | 103 |
| Image | ends_with | \svchost.exe | 6 | 28 |
| Image | ends_with | \conhost.exe | 4 | 8 |
| Image | ends_with | \cscript.exe | 4 | 76 |
| Image | ends_with | \powershell_ise.exe | 4 | 42 |
| Image | ends_with | \regsvr32.exe | 4 | 68 |
| Image | ends_with | \schtasks.exe | 4 | 57 |
| Image | ends_with | \wscript.exe | 4 | 78 |
| Image | ends_with | \csrss.exe | 3 | 3 |
| Image | ends_with | \lsass.exe | 3 | 5 |
| Image | ends_with | \mshta.exe | 3 | 69 |
| OriginalFileName | eq | bitsadmin.exe | 5 | 12 |
| process_name | eq | cmd.exe | 4 | 75 |
| process_name | eq | rundll32.exe | 4 | 55 |
| CommandLine | regex_match | (?i)(copy-item|copy|xcopy|cp|cpi|robocopy)\s+.+(\x5c(system32|syswow64)\x5c) | 3 | 3 |
| CommandLine | regex_match | (?i)(copy|more|Get-Content|type|cat|gc)\s+.*?((\/b\s+\S+\.dll\s+\+\s*\S+\.dll... | 3 | 3 |

Exclusions (606 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| process.code_signature.trusted | eq | true | 5 |
| Image | ends_with | \cmd.exe | 4 |
| Image | ends_with | \conhost.exe | 2 |
| Image | ends_with | \excel.exe | 2 |
| Image | in | *:\\windows\\system32\\* | 4 |
| Image | in | *:\\windows\\syswow64\\* | 4 |
| Image | in | *:\\windows\\winsxs\\* | 3 |
| parent_process_name | match | ^-$ | 4 |
| Image | starts_with | c:\windows\system32\ | 3 |
| Image | starts_with | c:\windows\syswow64\ | 3 |
| ParentImage | ends_with | \msmpeng.exe | 3 |
| dll.code_signature.status | wildcard | errorExpired | 3 |
| CommandLine | contains | sdelete | 2 |
| Image | contains | :\windows\system32\ | 2 |
| Image | contains | :\windows\syswow64\ | 2 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 89 rules

Elastic 44 rules

Splunk 60 rules

Kusto 9 rules