T0849 Masquerading
Adversaries may use masquerading to disguise a malicious application or executable as another file in order to avoid suspicion from operators and engineers. Disguises include commonly found programs, expected vendor executables and configuration files, and other commonplace applications and naming conventions. By impersonating expected and vendor-relevant files and applications, the adversary makes it less likely that operators and engineers notice the underlying malicious content, and more likely that they run the masquerading file in the belief that it performs a legitimate function.
Applications and other files commonly found on Windows systems or on engineering workstations have been impersonated before. The disguise can be as simple as renaming a file so that it blends into the ICS environment.
Item | Value |
---|---|
ID | T0849 |
Sub-techniques | |
Tactics | TA0103 |
Platforms | Control Server, Human-Machine Interface |
Version | 1.1 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking. [6] |
S0605 | EKANS | EKANS masquerades as a valid executable under the filename update.exe; many legitimate programs use the process name update.exe for background software updates. [5] |
S0496 | REvil | REvil checks whether the AhnLab autoup.exe service is running on the target system and injects its payload into that existing process. [4] |
S0603 | Stuxnet | Stuxnet renames s7otbxdx.dll, the DLL responsible for handling communications with a PLC, and replaces it with its own version so that it can intercept any calls made to access the PLC. [3] |
S1009 | Triton | Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. [2] |
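As an added illustration (not part of the MITRE page or of any tool it describes), the following Python script implements two of the checks implied by the procedure examples above and by the File Metadata and Process Metadata data components listed under Detection: a content sniff that flags a PE whose extension says it is a text file, as in the Sandworm .txt-to-.exe rename, and a process check that trusts update.exe only by content hash and install path rather than by name, as in the EKANS example and mitigation M0938. All file contents, paths, process records and the allowlist are constructed inline and are assumptions for the example; the "minimal PE" is a header stub built to pass the sniff, not a real binary.

```python
import hashlib
import struct
from pathlib import PureWindowsPath

# Extensions Windows treats as native executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def build_minimal_pe(tag: bytes = b"") -> bytes:
    """Constructed sample data, not a real binary: a DOS header whose
    e_lfanew field (offset 0x3C) points at a PE\\0\\0 signature."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)   # e_lfanew -> offset 64
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20 + tag


def is_pe(data: bytes) -> bool:
    """Content sniff: MZ stub plus a valid PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """File Metadata check: PE content behind a non-executable extension
    (the 'transferred as .txt, renamed to .exe later' pattern)."""
    suffix = PureWindowsPath(filename).suffix.lower()
    return is_pe(data) and suffix not in EXECUTABLE_EXTENSIONS


def scan_files(files: dict) -> list:
    """Return the names in {filename: content} whose extension hides PE content."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by content hash, not file name (M0938): a process named
# update.exe earns trust only if its bytes match the vendor's updater.
# The vendor path and updater bytes are constructed for this example.
VENDOR_UPDATER = build_minimal_pe(b"vendor-updater")
ALLOWLIST = {sha256(VENDOR_UPDATER): PureWindowsPath(r"C:\Program Files\Vendor\update.exe")}


def process_masquerade_findings(processes: list) -> list:
    """Process Metadata check over dicts with keys name, path, sha256.
    Flags any process whose hash is not allowlisted (noting when its name
    collides with a trusted binary) and any trusted hash running from a
    path other than its installed location."""
    trusted_names = {p.name.lower() for p in ALLOWLIST.values()}
    findings = []
    for proc in processes:
        expected = ALLOWLIST.get(proc["sha256"])
        if expected is None:
            note = ("name collides with a trusted binary"
                    if proc["name"].lower() in trusted_names else "unknown binary")
            findings.append(f"{proc['path']}: hash not allowlisted ({note})")
        elif PureWindowsPath(proc["path"]) != expected:
            findings.append(f"{proc['path']}: trusted hash running outside {expected}")
    return findings


# Constructed sample inputs: one .txt that is really a PE, one honest .txt,
# one properly named executable; the genuine updater and a look-alike in Temp.
SAMPLE_FILES = {
    "report.txt": build_minimal_pe(),
    "readme.txt": b"plain text, nothing to see",
    "hmi.exe": build_minimal_pe(),
}
SAMPLE_PROCESSES = [
    {"name": "update.exe", "path": r"C:\Program Files\Vendor\update.exe",
     "sha256": sha256(VENDOR_UPDATER)},
    {"name": "update.exe", "path": r"C:\Users\operator\AppData\Local\Temp\update.exe",
     "sha256": sha256(build_minimal_pe(b"not-the-updater"))},
]

if __name__ == "__main__":
    print("extension mismatches:", scan_files(SAMPLE_FILES))
    for finding in process_masquerade_findings(SAMPLE_PROCESSES):
        print("process finding:", finding)
```

The two checks cover different moments of the technique: the extension sniff only catches the payload while it still sits on disk under the wrong extension, so once it has been renamed to .exe only the hash-and-path allowlist distinguishes it from the vendor updater it imitates. On a real host the sample dictionaries would be replaced by a file-system walk and a process enumeration, with allowlist hashes taken from a known-good image of the HMI or control server.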
Mitigations
ID | Mitigation | Description |
---|---|---|
M0945 | Code Signing | Require signed binaries. |
M0938 | Execution Prevention | Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities. |
M0922 | Restrict File and Directory Permissions | Use file system access controls to protect system and application folders. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Metadata |
DS0009 | Process | Process Metadata |
DS0003 | Scheduled Job | Scheduled Job Creation |
DS0019 | Service | Service Creation |
References
1. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
2. DHS CISA. (2019, February 27). MAR-17-352-01 HatMan: Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
3. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
4. Tom Fakterman. (2019, August 5). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
5. Dragos Threat Intelligence. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.
6. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
7. Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.