T1036.004
Masquerade Task or Service
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to th...
Platforms: Linux, macOS, Windows
7 Detections
3 Sources
22 Threat Actors
BY SOURCE
elastic: 5, sigma: 1, splunk_escu: 1
PROCEDURES (5)
Masquerad: 2 detections
Auto-extracted: 2 detections for masquerad
Suspicious: 2 detections
Auto-extracted: 2 detections for suspicious
Persist: 1 detection
Auto-extracted: 1 detection for persist
Masquerad: 1 detection
Auto-extracted: 1 detection for masquerad
Persist: 1 detection
Auto-extracted: 1 detection for persist
THREAT ACTORS (22)
DETECTIONS (7)
Executable Masquerading as Kernel Process (elastic, high)
Linux Kworker Process In Writable Process Path (splunk_escu)
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (elastic, high)
Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score (elastic, low)
Network Activity Detected via Kworker (elastic, low)
Scheduled Task Creation Masquerading as System Processes (sigma, high)
Suspicious Kworker UID Elevation (elastic, medium)