T1036.004SubTechniquedefense-evasionagent-callable

T1036.004Masquerade Task or Service

Sub-technique of T1036

Platforms: Windows · Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1036/004
  2. https://vms.drweb.com/virus/?i=4276269
  3. http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
  4. https://www.freedesktop.org/software/systemd/man/systemd.service.html
  5. https://technet.microsoft.com/en-us/library/bb490996.aspx
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.