Detect Masquerading Processes in Windows

Description: The osquery queries below help detect processes that masquerade as legitimate Windows system processes, either by reusing a well-known binary name from an unexpected path or by appearing under an unexpected parent process.

Masquerading allows adversaries to manipulate expected names and file paths to circumvent security controls, especially when they are reliant on filenames and process paths to observe, detect, or otherwise prevent threats. For example, it’s trivial to detect an adversary executing a binary named “mimikatz.exe.” As such, when adversaries want to dump credentials with Mimikatz, renaming the tool is essentially a prerequisite for successful credential theft.

Red Canary

SQL:

-- Every query tags its hits with the ATT&CK technique ID and URL for Masquerading (T1036).
-- Path checks: a well-known system binary name running from anywhere other than its
-- expected location. path!='' excludes processes whose image path osquery could not read,
-- which would otherwise show up as false positives.

SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE LOWER(name)='winlogon.exe'
  AND LOWER(path)!='c:\windows\system32\winlogon.exe'
  AND path!='';

SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE LOWER(name)='conhost.exe'
  AND LOWER(path)!='c:\windows\system32\conhost.exe'
  AND path!='';

-- dllhost.exe and svchost.exe legitimately exist in both System32 and SysWOW64.
SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE LOWER(name)='dllhost.exe'
  AND LOWER(path)!='c:\windows\system32\dllhost.exe'
  AND LOWER(path)!='c:\windows\syswow64\dllhost.exe'
  AND path!='';

SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE LOWER(name)='lsass.exe'
  AND LOWER(path)!='c:\windows\system32\lsass.exe'
  AND path!='';

SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE LOWER(name)='svchost.exe'
  AND LOWER(path)!='c:\windows\system32\svchost.exe'
  AND LOWER(path)!='c:\windows\syswow64\svchost.exe'
  AND path!='';

-- Parent checks: services.exe is normally started by wininit.exe, and svchost.exe by
-- services.exe. IN rather than = is used so that every matching parent is examined,
-- not only the first row the subquery happens to return (there are many svchost.exe).
SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE pid IN (SELECT parent FROM processes WHERE LOWER(name)='services.exe')
  AND LOWER(name)!='wininit.exe';

SELECT
  'T1036' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1036/' as mitre_attck_url,
  *
FROM processes
WHERE pid IN (SELECT parent FROM processes WHERE LOWER(name)='svchost.exe')
  AND LOWER(name)!='services.exe';
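Because osquery is built on SQLite, the checks above can be exercised offline against an in-memory table with the same column names. The following is an added example, not part of the original page or of the osquery project: it loads a constructed set of `processes` rows (two of them deliberately masquerading, one with an unreadable path) and runs both the path-based and the parent-based checks, generalising the page's single-path comparisons to a list of allowed paths.

```python
import sqlite3

# Constructed sample rows shaped like osquery's `processes` table (pid, parent,
# name, path); two rows masquerade and one svchost.exe has an unreadable path.
SAMPLE_PROCESSES = [
    (500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    (600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    (700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (900, 4, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    (2200, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    (1500, 2200, "WinLogon.exe", r"C:\Users\Public\WinLogon.exe"),  # wrong path
    (1600, 2200, "svchost.exe", r"C:\Users\Public\svchost.exe"),    # wrong path
    (1700, 2200, "svchost.exe", ""),  # unreadable path: only the parent check sees it
]
SYSTEM32, SYSWOW64 = r"c:\windows\system32", r"c:\windows\syswow64"
EXPECTED_DIRS = {  # lower-cased, to match the LOWER(path) comparison
    "winlogon.exe": [SYSTEM32], "conhost.exe": [SYSTEM32], "lsass.exe": [SYSTEM32],
    "dllhost.exe": [SYSTEM32, SYSWOW64], "svchost.exe": [SYSTEM32, SYSWOW64],
}

def build_db(rows=SAMPLE_PROCESSES):
    """In-memory SQLite stand-in for osquery, which is itself SQLite-based."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT, path TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", rows)
    return conn

def path_masquerade(conn, name, allowed_paths):
    """Processes called `name` running from none of the allowed paths;
    path!='' drops processes whose image path osquery could not read."""
    marks = ",".join("?" * len(allowed_paths))
    sql = f"""SELECT pid, name, path FROM processes
              WHERE LOWER(name)=? AND LOWER(path) NOT IN ({marks}) AND path!=''"""
    return conn.execute(sql, (name, *allowed_paths)).fetchall()

def parent_masquerade(conn, child, expected_parent):
    """Parents of any `child` process that are not `expected_parent`;
    IN rather than = so every parent is checked, not just the first."""
    sql = """SELECT pid, name, path FROM processes
             WHERE pid IN (SELECT parent FROM processes WHERE LOWER(name)=?)
               AND LOWER(name)!=?"""
    return conn.execute(sql, (child, expected_parent)).fetchall()

def run_t1036_checks(conn):
    """Run all of the page's checks; returns {check name: flagged rows}."""
    findings = {n: path_masquerade(conn, n, [f"{d}\\{n}" for d in dirs])
                for n, dirs in EXPECTED_DIRS.items()}
    findings["parent of services.exe"] = parent_masquerade(conn, "services.exe", "wininit.exe")
    findings["parent of svchost.exe"] = parent_masquerade(conn, "svchost.exe", "services.exe")
    return findings
```

On the sample data the path checks flag pids 1500 and 1600 but not 1700 (empty path), while the parent check on svchost.exe flags explorer.exe (pid 2200), which is the only way the third fake svchost.exe is caught.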

Operating Systems: Windows Only

References:

osquery/windows-attacks.conf at master · osquery/osquery (github.com)

https://attack.mitre.org/techniques/T1036/

MITRE ATT&CK® Technique T1036: Masquerading – Red Canary