DET0117 Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution

| Item | Value |
|---|---|
| ID | DET0117 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1036.004 (Masquerade Task or Service)
Analytics
Windows
AN0324
Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TaskNameSimilarityThreshold | Similarity threshold for comparing new task/service names to known legitimate names (e.g., Levenshtein distance) |
| BinaryReputationScore | Confidence level required before a binary is treated as allowed; relevant when the binary is unsigned or comes from an untrusted source |
| ExecutionContext | Whether the execution came from SYSTEM, a service account, or a user context |
Linux
AN0325
Creation or modification of systemd service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| UnitFilePath | Unusual or user-space paths for systemd unit files |
| ServiceNameDeviation | Detect units with names similar to legitimate ones (e.g., networks.service instead of network.service) |
| ExecStartPath | Track uncommon or suspicious binaries in ExecStart= directives |
macOS
AN0326
Creation of LaunchAgents or LaunchDaemons with names resembling known system services but executing non-Apple signed code or scripts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| PlistLabelSimilarity | Detect plists with labels that closely resemble legitimate ones (e.g., com.apple.updates.plist) |
| UnsignedBinaryExecution | Toggle sensitivity for unsigned binaries or scripts launched by daemons |
| UserContext | Scope detection based on whether the LaunchAgent ran in user or system context |
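As an added example (not part of the DET0117 page or of ATT&CK's own content), the name-similarity and execution-context checks described for the Windows TaskNameSimilarityThreshold, Linux ServiceNameDeviation/ExecStartPath and macOS PlistLabelSimilarity/UnsignedBinaryExecution elements, run over constructed creation events. The baselines of legitimate names, the trusted path prefixes and the events themselves are assumptions; a real deployment would derive the baselines from its own inventory.

```python
"""Added example, not part of DET0117: flag newly created tasks, services,
units or plists whose name is a few edits from a legitimate name AND whose
execution context is untrusted. Baselines, paths and events are constructed."""
# Constructed baselines; a real deployment derives these from fleet inventory.
KNOWN_NAMES = {
    "windows": ["MicrosoftEdgeUpdateTaskMachineCore", "OneDrive Reporting Task"],
    "linux": ["network.service", "cron.service", "sshd.service"],
    "macos": ["com.apple.softwareupdated"],
}
TRUSTED_PREFIXES = {  # lower-case, compared with str.startswith
    "windows": ["c:\\windows\\", "c:\\program files"],
    "linux": ["/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/systemd/"],
    "macos": ["/system/library/", "/usr/libexec/", "/usr/sbin/"],
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate(event: dict, threshold: int = 2) -> list:
    """Return reasons the event is suspicious (empty list = benign). The name
    must be a lookalike (0 < distance <= threshold; distance 0 is the legitimate
    entry itself) AND execution must show at least one untrusted indicator."""
    platform, name, path = event["platform"], event["name"], event["exec_path"]
    best = min(KNOWN_NAMES[platform], key=lambda k: levenshtein(name.lower(), k.lower()))
    dist = levenshtein(name.lower(), best.lower())
    if not 0 < dist <= threshold:
        return []
    reasons = [f"name '{name}' is {dist} edit(s) from legitimate '{best}'"]
    if not any(path.lower().startswith(p) for p in TRUSTED_PREFIXES[platform]):
        reasons.append(f"executes from untrusted path '{path}'")
    if not event.get("signed", False):
        reasons.append("binary is unsigned or from an untrusted publisher")
    return reasons if len(reasons) > 1 else []

# Constructed creation events, as an EDR or auditd pipeline might normalise them.
EVENTS = [
    {"platform": "linux", "name": "networks.service", "exec_path": "/tmp/.cache/netd", "signed": False},
    {"platform": "linux", "name": "network.service", "exec_path": "/usr/lib/systemd/systemd-networkd", "signed": True},
    {"platform": "windows", "name": "MicrosoftEdgeUpdateTaskMachineCor", "exec_path": "C:\\Users\\Public\\edgeupd.exe", "signed": False},
    {"platform": "macos", "name": "com.apple.softwareupdates", "exec_path": "/System/Library/CoreServices/softwareupdated", "signed": True},
]
ALERTS = {ev["name"]: evaluate(ev) for ev in EVENTS}
```

The fourth event shows the intended AND: a lookalike label that nonetheless runs signed code from a trusted location produces no alert, which keeps the threshold from firing on ordinary naming variation alone.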