| Field | Value |
|---|---|
| Tactic | Evasion, Impair Process Control |
| Data Sources | File Monitoring, Process Monitoring, Binary File Metadata |
| Asset | Human-Machine Interface, Control Server |
Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises for these masquerading files include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, the adversary makes it less likely that operators and engineers notice the underlying malicious content, and they may end up running the masquerading files as if they were legitimate.
Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.
- Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activating a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages.[1]
- Stuxnet renames a DLL responsible for handling communications with a PLC. It replaces the original .dll file with its own version, which allows it to intercept any calls made to access the PLC.[2]
- The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.[3]
- Code Signing - Require signed binaries.
- Execution Prevention - Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.
- Restrict File and Directory Permissions - Use file system access controls to protect system and application folders.
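The second mitigation above, application control keyed on attributes other than the file name, can be illustrated with a small inventory check. The example below is added here and is not code from the ATT&CK for ICS page or from any vendor; it assumes a file inventory that already carries each executable's SHA-256, PE `OriginalFilename` and signer, and every hash, path and signer name in it is a constructed placeholder.

```python
"""Flag executables whose file name matches a protected vendor or system binary
but whose hash, signer or PE OriginalFilename does not match what is expected.
All values below are constructed placeholders, not real indicators."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed allowlist keyed by expected file name. In practice this would be
# populated from vendor-supplied hashes or a golden image of the workstation.
EXPECTED = {
    "trilog.exe": {"sha256": {"a" * 64}, "signer": "Vendor Inc (placeholder)"},
    "svchost.exe": {"sha256": {"b" * 64}, "signer": "Microsoft Windows (placeholder)"},
}

@dataclass
class FileRecord:
    path: str
    sha256: str
    original_filename: Optional[str]  # from PE VERSIONINFO, None if absent
    signer: Optional[str]             # None when unsigned or signature invalid

def check_file(rec: FileRecord) -> List[str]:
    """Return the reasons this file looks like a masquerade; empty if none."""
    name = PureWindowsPath(rec.path).name.lower()
    expected = EXPECTED.get(name)
    if expected is None:
        return []  # not a name we protect here; other controls apply
    reasons = []
    if rec.sha256.lower() not in expected["sha256"]:
        reasons.append(f"{name}: hash not in allowlist")
    if rec.signer != expected["signer"]:
        reasons.append(f"{name}: unexpected or missing signer ({rec.signer!r})")
    if rec.original_filename and rec.original_filename.lower() != name:
        reasons.append(f"{name}: PE OriginalFilename is {rec.original_filename!r}")
    return reasons

def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its reasons; clean files are omitted."""
    return {r.path: reasons for r in records if (reasons := check_file(r))}

# Constructed sample inventory: one genuine vendor binary, one renamed impostor
# dropped in a user directory, and one file the allowlist does not cover.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Program Files\Vendor\trilog.exe", "a" * 64, "trilog.exe",
               "Vendor Inc (placeholder)"),
    FileRecord(r"C:\Users\eng\Desktop\trilog.exe", "c" * 64, "update.exe", None),
    FileRecord(r"C:\Windows\notepad.exe", "d" * 64, "notepad.exe", None),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path, *reasons, sep="\n  ")
```

A renamed file will normally fail all three checks at once, while a legitimate vendor update fails only the hash check until the allowlist is refreshed, which is the signal to reconcile the allowlist rather than to investigate.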