T1036.003 Rename System Utilities
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. 4 It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). 2 An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. 3
| Item | Value |
|---|---|
| ID | T1036.003 |
| Sub-techniques | T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 10 February 2020 |
| Last Modified | 07 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0050 | APT32 | APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.9 |
| S0046 | CozyCar | The CozyCar dropper has masqueraded a copy of the infected system’s rundll32.exe executable that was moved to the malware’s install directory and renamed according to a predefined configuration file.3 |
| G0093 | GALLIUM | GALLIUM used a renamed cmd.exe file to evade detection.6 |
| S1020 | Kevin | Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.5 |
| G0032 | Lazarus Group | Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.7 |
| G0045 | menuPass | menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Use file system access controls to protect folders such as C:\Windows\System32. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Metadata |
| DS0009 | Process | Process Metadata |
References
-
Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. ↩
-
Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. ↩
-
F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. ↩↩
-
LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. ↩
-
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. ↩
-
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
-
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. ↩
-
Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. ↩
-
Carr, N.. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019. ↩