How to Hunt: The Masquerade Ball

SERIES ONE, VOLUME ONE
PAUL EWING
Masquerading was once conducted by the wealthiest elite at elaborate dances, allowing them to take on the guise of someone else and hide amidst the crowd. Today, we see digital masquerading used by the most sophisticated as well as less skilled adversaries to hide in the noise while conducting operations. We continue our series on hunting for specific adversary techniques and get into the Halloween spirit by demonstrating how to hunt for masquerading. So let’s start the masquerade ball and hunt for a simple but more devious defense evasion technique.

Defense Evasion

In nature, camouflage is a time-proven, effective defensive technique which enables the hunted to evade the hunters. It shouldn’t come as any surprise that attackers have adopted this strategy for defense evasion during cyber exploitation, hiding in plain sight by resembling common filenames and paths you would expect within a typical environment. By adopting common filenames and paths, attackers blend into and persist within environments, evading many defensive techniques.

Part of the attacker’s tradecraft is to avoid detection. We can look to frameworks, like Mitre’s ATT&CK™, to guide us through the adversary lifecycle. We’ve shown how it’s useful for hunting for persistence (as our COM hijacking post demonstrated), and it also covers the broad range of attacker techniques, including defense evasion. DLL search order hijacking, UAC bypassing, and time stomping are all effective for defense evasion, as is the one we will discuss today: masquerading.

Attackers use these defense evasion techniques to blend in, making them easy to miss when hunting, especially when dealing with huge amounts of data from thousands of hosts. Let’s start with some DIY methods to hunt for masquerading, which require an inspection of persistent or running process file names or paths.
The Masquerading Approach

We previously explored hunting for uncommon filepaths, which is a simple approach for detecting suspicious files. We can expand on this method by understanding masquerading. Let’s focus on two different masquerading techniques:

1. Filename masquerading, where legitimate Windows filenames appear in a non-conventional location.

2. Filename mismatching, where filenames on disk differ from those in the resource section of the compiled binary.

Filename Masquerading

For filename masquerading, you need to first build the list of files which have masquerade potential. We’ll call that the anchor list. A good approach is installing a clean base image representative of your environment (a fresh install of Windows will do). Next, you need to choose which files you care about. Like most things, there is a lazy approach and an approach that takes a little more effort but will probably give you more meaningful results with less noise. To build your anchor list the lazy way, simply enumerate all files in C:\Windows, including the filename and path, and use that as your anchor list. However, there are a huge number of filenames in this list, and you should ask yourself questions about the likelihood of an adversarial masquerade before putting a file in the anchor list. After all, it isn’t much of a masquerade if the legitimate filename seen in a process list or anywhere else might cause someone to question its legitimacy, even if it’s a system file, such as NetCfgNotifyObjectHost.exe. So, put in a bit more work and make a custom list of native Windows files, such as svchost, lsass, wininit, smss, and logonui, which show up constantly and are likely to be passed over if an experienced but rushed investigator is inspecting the name. It is also a good idea for the anchor list to include names for other common applications you expect to find in your environment, such as reader_sl.exe, winword.exe, and more.

Once the anchor list is compiled, you can start using it during your hunt operations. List the running processes, persistent files, or some other file-backed artifact you’re interested in. Compare those names to the anchor list. Do the filenames match? There will be many matches. What about the filepaths? If not, you know where to target your hunt. There are legitimate reasons for this happening (users do unexpected things), but locating this simple defensive evasion technique is a good way to find intrusions.

We’d also recommend some additional triage of results before calling this a legitimate detection and embarking on an incident response. Easy things to do include checking hashes against the masquerade target in the anchor list. If it’s a match, it’s probably a false alarm. Also check the signer information for the file, as we discussed in the previous post. Be sure to avoid being too trusting of the name on the cert, as actors sometimes can get code signing certs that look similar to something legitimate... but that’s a topic for another day.

If you find this approach worthwhile, you will have to keep your anchor list updated. Software changes, and if you don’t change with it, you’ll have gaps in your analysis.

Filename Mismatch

Why stop at simply comparing files to your anchor list when more can be done? In this bonus masquerading approach, let’s look at filenames on disk and from the resource section of the binary. There’s a wealth of additional information here, including the MS Version info. As Microsoft notes, it includes the original name of the file, but does not include a path. This can inform you whether the file has been renamed by a user.

Obviously, if the filename on disk doesn’t match the original file name, there are generally two possibilities: either the user renamed it, or maybe someone brought a tool with them but doesn’t want you to know. Let’s take DLL implants for example. Many APT groups have brought rundll32 with them, as opposed to using the native Windows version. APT groups aren’t the only ones masquerading. Everyone does this!

Endgame @ the Masquerade Ball

Crafting your own anchor list, regularly updating it, and manually comparing the list to your hunt data or adding this analytic to your bag of post-processing scripts may work for some, but it calls for routine grooming. Let’s take a look at how easy it is to hunt for masquerading using Endgame, where we provide this as one of the many one-click automations in the platform.

Conclusion

Who amongst us doesn’t love to use Halloween as an excuse to masquerade as someone, or something, else? Unfortunately, adversaries embrace this mentality year round, hiding in plain sight, actively evading detection, and trying to blend in. Clever use of masquerading within filenames can make their activities difficult to detect. While there are manual means to detect mismatches and masquerading, this can be time intensive and may not scale well to larger environments. Thanks to Endgame’s advanced detection capabilities, in a few clicks we are able to quickly catch those masqueraders, remediate the intrusion early, and get back to the ball.
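The two DIY checks from the Filename Masquerading and Filename Mismatch sections above, worked through as an added PowerShell example. This is not Endgame’s code or any tool the page describes. It assumes an anchor list kept as a CSV with Name, Path and Sha256 columns; the function names New-AnchorList and Find-Masquerade, the C:\hunt\anchor.csv location, and the starting name list (the page’s examples plus rundll32.exe) are all assumptions you would adapt to your own environment.

```powershell
# Added example, not Endgame's code: a DIY masquerade hunt in Windows PowerShell.
# Assumed layout: the anchor list is a CSV (Name, Path, Sha256) exported from a
# clean base image by New-AnchorList; file paths and function names are made up.

function New-AnchorList {
    param(
        [string]   $OutFile = 'C:\hunt\anchor.csv',
        # Directories on the clean image to inventory.
        [string[]] $Roots   = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'),
        # Filenames with masquerade potential: the page's examples plus rundll32 (assumed list).
        [string[]] $Names   = @('svchost.exe', 'lsass.exe', 'wininit.exe', 'smss.exe',
                                'logonui.exe', 'rundll32.exe', 'reader_sl.exe', 'winword.exe')
    )
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name.ToLower()
                Path   = $_.FullName.ToLower()
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Find-Masquerade {
    param([string] $AnchorFile = 'C:\hunt\anchor.csv')

    # Index the anchor entries by filename so each running process costs one lookup.
    $byName = @{}
    foreach ($a in Import-Csv -Path $AnchorFile) {
        if (-not $byName.ContainsKey($a.Name)) { $byName[$a.Name] = @() }
        $byName[$a.Name] += $a
    }

    foreach ($proc in Get-Process) {
        # Protected or higher-privilege processes may not expose an image path.
        $imagePath = try { $proc.Path } catch { $null }
        if (-not $imagePath) { continue }

        $name = [System.IO.Path]::GetFileName($imagePath).ToLower()
        if (-not $byName.ContainsKey($name)) { continue }   # not an anchor name, skip
        $known = $byName[$name]

        # Check 1, filename masquerading: an anchor name running from a path the
        # clean image never had.
        $pathInAnchor = $known.Path -contains $imagePath.ToLower()

        # Check 2, filename mismatch: the name on disk versus OriginalFilename from
        # the version resource. Compared case-insensitively because some Microsoft
        # binaries store it in upper case.
        $original     = (Get-Item -LiteralPath $imagePath).VersionInfo.OriginalFilename
        $nameMismatch = [bool]$original -and ($original.ToLower() -ne $name)

        if ($pathInAnchor -and -not $nameMismatch) { continue }

        # Triage before calling it a detection: a hash that matches the anchor copy
        # usually means a user copied or renamed the real binary; the signer is the
        # next clue, and the subject name alone should not be trusted.
        $hash   = (Get-FileHash -LiteralPath $imagePath -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -FilePath $imagePath
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Pid          = $proc.Id
            Name         = $name
            Path         = $imagePath
            PathInAnchor = $pathInAnchor
            OriginalName = $original
            NameMismatch = $nameMismatch
            HashInAnchor = $known.Sha256 -contains $hash
            SigStatus    = $sig.Status
            Signer       = $signer
        }
    }
}

# Usage: run New-AnchorList on the clean base image, copy anchor.csv to the
# host being hunted, then:
# Find-Masquerade | Format-Table -AutoSize
```

Everything Find-Masquerade returns is a lead, not a verdict. PathInAnchor false with HashInAnchor true is the user-copied-binary case the text warns about; NameMismatch true on a file whose SigStatus is not Valid, or whose signer is not the vendor you expect for that name, is the result to work first. The same two checks apply to persistent files: replace the Get-Process loop with the paths of your autostart entries and the rest of the function is unchanged. Regenerate the anchor list whenever the base image changes, or the path check will start flagging legitimate updates.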
© Endgame 2017 | 3101 Wilson Blvd, Arlington, VA 22201 | 844-357-7047