Masquerading

From attackics
Revision as of 16:35, 12 April 2021 by Jsteele (talk | contribs) (Text replacement - "Mitigation=Mitigation/M10" to "Mitigation=Mitigation/M09")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Masquerading
Technique
ID T0849
Tactic Evasion
Data Sources File Monitoring, Process monitoring, Binary file metadata
Asset Human-Machine Interface, Control Server

Description

Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.

Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.


Procedure Examples

  • EKANS masquerades itself as a valid executable with the filename "update.exe". Many valid programs use the process name "update.exe" to perform background software updates.1
  • Industroyer includes a launch component that loads DLLs and EXEs with filenames associated with common electric power sector protocols, including 101.dll, 104.dll, 61850.dll, OPCClientDemo.dll, OPC.exe, and 61850.exe.2
  • REvil searches for whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.3
  • Stuxnet renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC.4
  • Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon.5
  • Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.6

Mitigations

  • Execution Prevention - Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.