Description
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
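As an added example (not code from the ATT&CK page or from any of the cited vendors), the following Python check applies the description above to a defender's inventory: it normalizes each task or service name, flags names that only look legitimate because of appended non-printing or compatibility characters, and flags near-misses of an expected-name allow-list (as in the `svchast.exe` and `mstdc` entries below). The `KNOWN_NAMES` allow-list and the sample names are constructed for illustration.

```python
import unicodedata

# Constructed allow-list of expected task/service names. Assumption: a real
# deployment builds it from a known-good host (schtasks /query, sc query, systemctl).
KNOWN_NAMES = {
    "svchost.exe", "taskmgr.exe", "msdtc", "iphlpsvc", "rsyncd",
    "GoogleUpdateTaskMachineUA", "MicrosoftEdgeUpdateTaskMachineUA",
}

def normalize(name: str) -> str:
    """Fold compatibility forms, drop format/control characters, trim, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in folded if unicodedata.category(c) not in ("Cf", "Cc"))
    return visible.strip().casefold()

def has_suspicious_chars(name: str) -> bool:
    """True when normalization changed the name (hidden characters or padding)."""
    return normalize(name) != name.casefold()

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to avoid a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, known=KNOWN_NAMES, max_dist: int = 2):
    """Return (verdict, closest_known_name) for one task or service name."""
    known_norm = {normalize(k): k for k in known}
    norm = normalize(name)
    if has_suspicious_chars(name):
        return ("suspicious-characters", known_norm.get(norm, norm))
    if norm in known_norm:
        return ("known", known_norm[norm])
    best = min(known_norm, key=lambda k: levenshtein(norm, k))
    if levenshtein(norm, best) <= max_dist:
        return ("lookalike", known_norm[best])
    return ("unknown", None)

def scan(names):
    """Flag every name that is not an exact match of an expected name."""
    return [(n, *classify(n)) for n in names if classify(n)[0] != "known"]

# Constructed sample modelled on the table entries below; "\u200b" stands in for
# an appended zero-width character.
SAMPLE = ["iphlpsvc", "svchast.exe", "mstdc", "svchost.exe\u200b", "AdobeFlashSync"]
```

Run `scan(SAMPLE)` to list the flagged names; the same normalization applies equally to a Windows service's display name and to a systemd unit's `Description=` field.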
Threat Groups (23)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) created new, malicious services using names such as <code>Windows User Service</code> to attemp... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has disguised services to appear as benign software or related to operating system functions.(Citatio... |
| G0008 | Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak) |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 J... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has used scheduled tasks names such as `acrotyr` and `AppServicesr` to mimic the same names in a compro... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used hidden or non-printing characters to help masquerade service names, such as appending a Unicod... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) has distributed malicious scripts and executables mimicking virus scanners.(Citation: SentinelO... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using ... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has disguised malware as a Windows Security update service.(Citation: Cisco Talos Bitter Bangladesh Ma... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation... |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) renamed a malicious service <code>taskmgr</code> to appear to be a legitimate version of Task Manager.... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Ira... |
| G0056 | PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefend... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’ which facilita... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has created a run key named <code>Dropbox Update Setup</code> to mask a persistence mechanism for a... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has named a malicious script CacheTask.bat to mimic a legitimate task.(Citation: DFIR Phosphorus ... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) named a shellcode loader binary <code>svchast.exe</code> to spoof the legitimate <code>svchost.exe</c... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has utilized [Rclone](https://attack.mitre.org/software/S1040) masqueraded as svhost.exe and scvho... |
Associated Software (62)
| ID | Name | Type | Context |
|---|---|---|---|
| S1033 | DCSrv | Malware | [DCSrv](https://attack.mitre.org/software/S1033) has masqueraded its service as a legitimate svchost.exe process.(Citation: Checkpoint MosesStaff Nov ... |
| S0013 | PlugX | Malware | In one instance, [menuPass](https://attack.mitre.org/groups/G0045) added [PlugX](https://attack.mitre.org/software/S0013) as a service with a display ... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) has named a task `RecoveryExTask` as part of its persistence activity.(Citation: HP SVCReady Jun 2... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438)'s dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legiti... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Secu... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) has used Windows Video Service as a name for malicious services.(Citation: Unit42 RDAT July 2020) |
| S1042 | SUGARDUMP | Malware | [SUGARDUMP](https://attack.mitre.org/software/S1042)'s scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `Microso... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) has created a scheduled task named "MicrosoftEdge" to establish persistence.(Citation: ClearSky ... |
| S0410 | Fysbis | Malware | [Fysbis](https://attack.mitre.org/software/S0410) has masqueraded as the rsyncd and dbus-inotifier services.(Citation: Fysbis Dr Web Analysis) |
| S0688 | Meteor | Malware | [Meteor](https://attack.mitre.org/software/S0688) has been disguised as the Windows Power Efficiency Diagnostics report tool.(Citation: Check Point Me... |
| S0169 | RawPOS | Malware | New services created by [RawPOS](https://attack.mitre.org/software/S0169) are made to appear like legitimate Windows services, with names such as "Win... |
| S0629 | RainyDay | Malware | [RainyDay](https://attack.mitre.org/software/S0629) has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate.... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name... |
| S1013 | ZxxZ | Malware | [ZxxZ](https://attack.mitre.org/software/S1013) has been disguised as a Windows security update service.(Citation: Cisco Talos Bitter Bangladesh May 2... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has created a scheduled task named TVInstallRestore to mimic TeamViewer.(Citation: Cisco Talos Qilin... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) will execute its payload prior to initializing command and control traffic by impersonating... |
| S0471 | build_downer | Malware | [build_downer](https://attack.mitre.org/software/S0471) has added itself to the Registry Run key as "NVIDIA" to appear legitimate.(Citation: Trend Mic... |
| S1031 | PingPull | Malware | [PingPull](https://attack.mitre.org/software/S1031) can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and ... |
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefe... |
| S0345 | Seasalt | Malware | [Seasalt](https://attack.mitre.org/software/S0345) has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" ... |
References
- Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.
- Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
Frequently Asked Questions
What is T1036.004 (Masquerade Task or Service)?
T1036.004 is a MITRE ATT&CK technique named 'Masquerade Task or Service'. It belongs to the Stealth tactic(s). Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/...
How can T1036.004 be detected?
Detection of T1036.004 (Masquerade Task or Service) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1036.004?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1036.004?
Known threat groups using T1036.004 include: Aquatic Panda, Kimsuky, Carbanak, FIN7, FIN13, APT-C-36, APT32, Winter Vivern.