Description
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)
Threat-Mapped Scoring
Threat Score: 1.8
Industry:
Threat Priority: P4 - Informational (Low)
ATT&CK Kill Chain Metadata
- Tactics: defense-evasion
- Platforms: Linux, macOS, Windows, Containers, ESXi
Detection Guidance:
Collect file hashes; a file whose hash does not match the hash expected for its name is suspect. Perform file monitoring; files with known names in unusual locations are suspect, as are files modified outside of an update or patch. A mismatch between the file name on disk and the name recorded in the binary's PE metadata is a likely indicator that the binary was renamed after it was compiled. Collecting disk and resource file names for binaries and checking whether the InternalName, OriginalFilename, and/or ProductName match what is expected can provide useful leads, but is not always indicative of malicious activity.(Citation: Elastic Masquerade Ball) Rather than enumerating the possible names a file could carry, focus on the command-line arguments that are known to be used and are distinctive; this yields a better detection rate.(Citation: Twitter ItsReallyNick Masquerading Update) In containerized environments, compare images by image ID and layer hash instead of relying only on their names.(Citation: Docker Images) In Kubernetes, monitor for the unexpected creation of new resources within the cluster, especially those created by atypical users.
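The three file-based checks above (PE OriginalFilename versus on-disk name, trusted name in an untrusted directory, and hash mismatch for a known name) as one added example run over constructed process-creation records; this is illustrative code written for this page, not part of ATT&CK or any vendor tooling. The trusted directories, well-known names, expected hashes and sample events are all assumptions made up for the example.

```python
import ntpath
from dataclasses import dataclass

# Assumed allowlist of directories where core Windows binaries are expected (example values).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Commonly imitated names; one of these outside TRUSTED_DIRS is suspect.
WELL_KNOWN_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
# Constructed placeholder hashes for known binaries; a real deployment would load vendor hashes.
EXPECTED_HASH = {"svchost.exe": "aaaa1111"}

@dataclass
class ProcessEvent:
    """Subset of the fields a Sysmon Event ID 1 (process create) record carries."""
    image: str               # full path on disk
    original_file_name: str  # OriginalFilename from the PE version resource ("?" if absent)
    sha256: str              # hash of the image on disk

def check_event(ev):
    """Return the masquerading indicators found in one event (empty list = nothing suspect)."""
    reasons = []
    directory, name = ntpath.split(ev.image)
    name_l, dir_l = name.lower(), directory.lower()
    # 1. On-disk name differs from the PE OriginalFilename: likely renamed after compilation.
    orig = ev.original_file_name
    if orig and orig != "?" and orig.lower() != name_l:
        reasons.append(f"name mismatch: disk={name} pe={orig}")
    # 2. A trusted name living in an unexpected location.
    if name_l in WELL_KNOWN_NAMES and dir_l not in TRUSTED_DIRS:
        reasons.append(f"known name outside trusted dir: {ev.image}")
    # 3. Known name whose hash does not match the expected binary.
    expected = EXPECTED_HASH.get(name_l)
    if expected and ev.sha256.lower() != expected:
        reasons.append(f"hash mismatch for {name}")
    return reasons

def scan(events):
    """Map each flagged image path to its list of reasons."""
    return {ev.image: r for ev in events if (r := check_event(ev))}

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe", "aaaa1111"),  # clean
    ProcessEvent(r"C:\Users\Public\svchost.exe", "svchost.exe", "bbbb2222"),      # location + hash
    ProcessEvent(r"C:\Users\Public\chrome.exe", "build.exe", "cccc3333"),         # renamed binary
    ProcessEvent(r"C:\Users\Public\setup.exe", "?", "dddd4444"),                  # no PE metadata
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

Records with no PE version resource ("?") are deliberately not flagged by the name check, which is why the page pairs this with hash and location checks rather than relying on any one signal.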
Malware
- ANDROMEDA
- AppleSeed
- BADNEWS
- BLINDINGCAN
- BackConfig
- Bad Rabbit
- Bazar
- Bisonal
- Black Basta
- Bumblebee
- Bundlore
- Calisto
- Carberp
- ChChes
- Chaes
- Chinoxy
- Cuba
- Cuckoo Stealer
- Cyclops Blink
- DRATzarus
- DUSTPAN
- DanBot
- DarkComet
- Daserf
- Doki
- Dtrack
- EKANS
- Elise
- Felismus
- FinFisher
- FoggyWeb
- Fysbis
- Gelsemium
- GoBear
- GoldMax
- GoldenSpy
- Goopy
- Grandoreiro
- Green Lambert
- HTTPBrowser
- HermeticWiper
- HermeticWizard
- IceApple
- IcedID
- InnaputRAT
- InvisiMole
- Ixeshe
- J-magic
- KGH_SPY
- KOCTOPUS
- KONNI
- Latrodectus
- LightNeuron
- LookBack
- Machete
- MagicRAT
- MarkiRAT
- MechaFlounder
- Metamorfo
- Mis-Type
- Misdat
- NETWIRE
- NOKKI
- Nebulae
- NightClub
- Ninja
- OLDBAIT
- OSX/Shlayer
- Octopus
- OutSteel
- OwaAuth
- PUNCHBUGGY
- Penquin
- PipeMon
- PlugX
- PowGoop
- PyDCrypt
- Pysa
- QUADAGENT
- QUIETEXIT
- RDAT
- REvil
- Raindrop
- RainyDay
- Ramsay
- Remsec
- RotaJakiro
- Ryuk
- S-Type
- SLOTHFULMEDIA
- SUGARDUMP
- SUNBURST
- SUNSPOT
- SUPERNOVA
- Saint Bot
- Samurai
- Shark
- Sibot
- Skidmap
- Small Sieve
- SocGholish
- SslMM
- Starloader
- StrelaStealer
- StrifeWater
- StrongPity
- TAINTEDSCRIBE
- TEARDROP
- TRANSLATEXT
- Tarrask
- ThiefQuest
- ThreatNeedle
- TinyTurla
- Troll Stealer
- USBStealer
- Ursnif
- Winnti for Windows
- ZLib
Tools
APTs (Intrusion Sets)
- APT1
- APT28
- APT29
- APT32
- APT39
- APT41
- APT42
- APT5
- Akira
- Aquatic Panda
- BRONZE BUTLER
- BackdoorDiplomacy
- Blue Mockingbird
- Carbanak
- Chimera
- Darkhotel
- Earth Lusca
- Ember Bear
- FIN13
- FIN7
- Ferocious Kitten
- Fox Kitten
- Gamaredon Group
- INC Ransom
- Indrik Spider
- Ke3chang
- Kimsuky
- Lazarus Group
- LuminousMoth
- Machete
- Magic Hound
- MuddyWater
- Mustang Panda
- Mustard Tempest
- Naikon
- OilRig
- PROMETHIUM
- Patchwork
- Poseidon Group
- RedCurl
- Rocke
- Sandworm Team
- SideCopy
- Sidewinder
- Silence
- Sowbug
- Storm-1811
- TA2541
- TeamTNT
- ToddyCat
- Transparent Tribe
- Tropic Trooper
- Turla
- Velvet Ant
- Volt Typhoon
- WIRTE
- Whitefly
- admin@338
- menuPass