Skip to content

DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location

Item Value
ID DET0347
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1036.005 (Match Legitimate Resource Name or Location)

Analytics

Windows

AN0983

Detects processes or binaries executed from trusted directories (e.g., System32) or using trusted names (e.g., svchost.exe) where the metadata, hash, or parent process does not align with legitimate activity patterns.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
trusted_directory_list Paths such as C:\Windows\System32 that adversaries may abuse
process_baseline_age Time window to determine process novelty (e.g., 30 days)

Linux

AN0984

Detects renamed binaries or scripts placed into trusted paths like /usr/bin or /lib with mismatched metadata or unexpected creation/modification times.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Access (DC0055) auditd:SYSCALL open
Process Modification (DC0020) auditd:SYSCALL rename
File Metadata (DC0059) linux:osquery Filesystem modifications to trusted paths
Mutable Elements
Field Description
monitored_paths Set of system or application directories considered sensitive or trusted
hash_validation_window Timeframe during which a newly created file should have its hash validated (e.g., within 5 minutes of write)

macOS

AN0985

Detects binaries or launch daemons in /System/Library or /Applications with mismatched bundle names, unexpected metadata, or improper installation origin.

Log Sources
Data Component Name Channel
Process Metadata (DC0034) macos:unifiedlog log collect from launchd and process start
File Metadata (DC0059) fs:fsusage filesystem monitoring of exec/open
Mutable Elements
Field Description
expected_bundle_names List of known application names and paths to validate against
signed_by_apple_check Toggle to enforce checks for Apple-signed binaries in trusted directories

Containers

AN0986

Detects malicious containers or pods using names, labels, or namespaces that mimic legitimate workloads; also checks for image layer mismatches and unauthorized resource deployments.

Log Sources
Data Component Name Channel
Image Metadata (DC0028) kubernetes:apiserver Resource creation and update logs
Process Metadata (DC0034) containerd:events Docker or containerd image pulls and process executions
Mutable Elements
Field Description
trusted_namespace_list List of namespaces that should not be used by unprivileged users or workloads
image_baseline_hashes Reference hashes of approved container images

ESXi

AN0987

Detects VIBs, scripts, or binaries placed into directories like /bin or /etc/vmware with names mimicking standard ESXi components. Also monitors unauthorized creation of services.

Log Sources
Data Component Name Channel
Process Creation (DC0032) esxi:vmkernel Exec
Module Load (DC0016) esxi:vmkernel module load
Service Metadata (DC0041) esxi:hostd Service events
Scheduled Job Creation (DC0001) esxi:hostd task creation events
Mutable Elements
Field Description
esxi_baseline_file_list Known good binaries and their expected paths
service_creation_alert_threshold Threshold for unknown service names or mismatched digital signatures