Skip to content

DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy

Item Value
ID DET0127
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1036 (Masquerading)

Analytics

Windows

AN0355

Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Service Creation (DC0060) WinEventLog:System EventCode=7045
Mutable Elements
Field Description
OriginalFilenameMismatch Compare executable file name with PE metadata OriginalFilename field
KnownSystemUtilityPaths Tune based on expected installation directories for signed binaries
TimeWindow Correlation window between file creation and service/process execution

Linux

AN0356

Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Modification (DC0061) linux:syslog rename
File Metadata (DC0059) linux:osquery file_events
Mutable Elements
Field Description
DropLocationPattern Directories where new binaries are suspicious (e.g., /tmp)
FilenameAnomalies Regex for Unicode/RLO/space abuse in filenames
ExecutionDelayWindow Time range between file write and execution used for joining

macOS

AN0357

Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

Log Sources
Data Component Name Channel
Process Metadata (DC0034) macos:unifiedlog process
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
File Metadata (DC0059) fs:fileevents /var/log/install.log
Mutable Elements
Field Description
InfoPlistDiscrepancy Mismatch between bundle metadata and file system path/name
LaunchAgentPath Unusual LaunchDaemon/LaunchAgent paths can be tuned per org
ExecutionTrigger Window between install and first execution (e.g., at user login)

Containers

AN0358

Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) containerd:runtime /var/log/containers/*.log
Image Metadata (DC0028) docker:events docker.events.json
File Modification (DC0061) ebpf:syscalls file_write
Mutable Elements
Field Description
ImageLabelMismatch Tune detection based on mismatch between image name and labels
StartupScriptLocation Detect binaries added or modified in startup path (e.g., /entrypoint.sh)
ProcessNamePattern Allow tuning based on suspicious binary naming inside containers

ESXi

AN0359

Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.

Log Sources
Data Component Name Channel
Service Metadata (DC0041) esxi:hostd registers services with legitimate-sounding names
Command Execution (DC0064) esxi:shell scripts or binaries with misleading names
Mutable Elements
Field Description
ServiceNameBaseline Tune based on default service names vs. suspicious new entries
ScriptFilePath Watch for new binaries/scripts in boot or cron folders
ExecutionContext Determine if execution happens at boot or scheduled interval