
The Masquerade Ball: Train Yourself to Detect Spoofed Files
Masquerading is a technique used in which a file name is maliciously named something similar to one which may be trusted.
This specific technique is also outlined in detail in the MITRE ATT&CK framework. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, not every masqueraded file name is as easy to spot as that. Let’s go through a quick exercise and test your masquerading chops. Which of the following executables is the malicious one?
- Conhost.exe
- Explorer.exe
- LsaIso.exe
- Lsass.exe
- Rdpclip.exe
- Spoolsv.exe
- Svchost.exe
- Svhost.exe
Some of these may seem more familiar than others, such as conhost, explorer, and lsass. Others might be somewhat new to you, such as lsaiso or rdpclip. The tricky part for most comes with the final three. Spoolsv is the print spooler service. Svchost is a system process used to launch Windows Services. Svhost is the malicious outlier: it tries to hide by borrowing the “sv” abbreviation for service from the spoolsv executable instead of the expected “svc” abbreviation used by the genuine svchost executable.
It is quite common to see malicious binaries named like their benign counterpart with a single letter removed, added or modified. Another trick used by attackers is to reuse the benign file name but execute it from a new location. Let’s test your detection skills again. Which of the following is the malicious application?
- C:\Windows\System32\calc.exe
- C:\Windows\System32\explorer.exe
- C:\Windows\System32\notepad.exe
- C:\Windows\notepad.exe
When looking at the file names alone, they all appear to be correct. The file paths they are running in all look to be trusted locations, so an untrained eye can just pass right by all of these when inspecting a system. However, you know you’re being tested, and you know one (Read more...)
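As an added example (not code from the original post), here is a small Python check that applies both tests described above to a list of process image paths: a name not in the baseline but within a couple of character edits of a known binary is flagged as a lookalike, and a known name launched from a directory other than the one it normally runs from is flagged as a relocated copy. The baseline of expected directories is assumed for illustration and should be built from a clean reference system.

```python
import ntpath

# Baseline of legitimate Windows binaries and the directories each may run from.
# Assumed for this example; a real baseline comes from a clean reference image.
KNOWN_GOOD = {
    "conhost.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "lsaiso.exe":   {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "rdpclip.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "calc.exe":     {r"c:\windows\system32"},
    "notepad.exe":  {r"c:\windows", r"c:\windows\system32"},
}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, max_edits=2):
    """Return (verdict, reason): flags known names from the wrong directory
    and unknown names within max_edits edits of a known one."""
    directory, name = ntpath.split(image_path.lower())
    if name in KNOWN_GOOD:
        if directory in KNOWN_GOOD[name]:
            return "ok", f"{name} from its expected path"
        return "suspicious", f"{name} running from {directory}, expected {sorted(KNOWN_GOOD[name])}"
    lookalikes = sorted(k for k in KNOWN_GOOD if edit_distance(name, k) <= max_edits)
    if lookalikes:
        return "suspicious", f"{name} resembles {lookalikes[0]}"
    return "unknown", f"{name} not in baseline"

# Constructed process list mirroring the two quizzes above.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svhost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\explorer.exe",
    r"C:\Users\Public\lsass.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PROCESSES:
        verdict, reason = classify(path)
        print(f"{verdict:10} {path}  ({reason})")
```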
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/masquerade-train-yourself-detect-spoofed-files/