The Masquerade Ball: Train Yourself to Detect Spoofed Files

by Travis Smith on October 29, 2018

Masquerading is a technique in which a file is maliciously given a name similar to one that may be trusted.

This technique is also described in detail in the MITRE ATT&CK framework. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, file names are not always that easy to spot. Let’s go through a quick exercise and test your masquerading chops. Which of the following executables is the malicious one?

  • Conhost.exe
  • Explorer.exe
  • Lsalso.exe
  • Lsass.exe
  • Rdpclip.exe
  • Spoolsv.exe
  • Svchost.exe
  • Svhost.exe

Some of these may seem more familiar than others, such as conhost, explorer, and lsass. Others might be somewhat new to you, such as lsalso or rdpclip. The tricky part for most comes with the final three. Spoolsv is the print spooler service. Svchost is a system process used to launch Windows services. Svhost is the malicious outlier: it hides by abbreviating “service” as “sv”, as the spoolsv executable does, rather than the expected “svc” used by the genuine svchost executable.

It is quite common to see malicious binaries named like their benign counterpart with a single letter removed, added or modified. Another trick used by attackers is to reuse the benign file name but execute it from a new location. Let’s test your detection skills again. Which of the following is the malicious application?

  • C:\Windows\System32\calc.exe
  • C:\Windows\System32\explorer.exe
  • C:\Windows\System32\notepad.exe
  • C:\Windows\notepad.exe

When looking at the file names alone, they all appear to be correct. The file paths they are running in all look to be trusted locations, so an untrained eye can just pass right by all of these when inspecting a system. However, you know you’re being tested, and you know one (Read more...)
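The two checks the post asks you to perform by eye (a near-miss of a trusted name, and a trusted name running from the wrong directory) as a small Python triage function. This is an added example, not code from the original post; the allowlist of trusted binaries and their expected directories is an assumed, illustrative inventory rather than a complete one.

```python
# Added example: flag an image path whose file name is one edit away from a
# trusted Windows binary, or whose name matches a trusted binary but runs from
# a directory that binary does not normally live in.

# Assumed allowlist for illustration: binary name -> directories it normally runs from.
TRUSTED = {
    "conhost.exe":  {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
    "lsass.exe":    {r"C:\Windows\System32"},
    "notepad.exe":  {r"C:\Windows\System32", r"C:\Windows"},
    "calc.exe":     {r"C:\Windows\System32"},
    "spoolsv.exe":  {r"C:\Windows\System32"},
    "svchost.exe":  {r"C:\Windows\System32"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path: str) -> str:
    """Return 'ok', 'unexpected-path' or 'lookalike:<trusted name>' for one process image."""
    directory, _, name = image_path.rpartition("\\")
    name, directory = name.lower(), directory.lower()
    if name in TRUSTED:
        # Exact trusted name: the only remaining question is where it runs from.
        allowed = {d.lower() for d in TRUSTED[name]}
        return "ok" if directory in allowed else "unexpected-path"
    for trusted in TRUSTED:
        # One character added, removed or changed relative to a trusted name.
        if edit_distance(name, trusted) == 1:
            return f"lookalike:{trusted}"
    return "ok"  # unknown name: outside the scope of this check


if __name__ == "__main__":
    # Constructed sample paths drawn from the two quizzes above.
    for path in [r"C:\Windows\System32\svhost.exe", r"C:\Windows\System32\explorer.exe",
                 r"C:\Windows\notepad.exe", r"C:\Users\Public\explor3r.exe"]:
        print(f"{classify(path):24} {path}")
```

A real deployment would load the allowlist from an inventory of the build's signed system binaries rather than hard-coding it, and would pair the name check with signature and hash verification.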

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/masquerade-train-yourself-detect-spoofed-files/

October 29, 2018 | Travis Smith | Tags: .exe, Featured Articles, Files, IT Security and Data Protection, Masquerade, spoofing