Home  >  APT29  >  Results  >  Elastic  >  Masquerading

Technique Results: Masquerading (T1036) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process ‚ÄčOR the original filename (cod.3aka.scr)
1.A.2
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (low severity) for "Process with Left-to-Right Encoding Character " was generated for rcs.3aka3.doc execution. [1]
Telemetry
Telemetry showed the file type .doc was an executable, and that the filename included the unicode character for RTLO. [1]
Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Evidence that accesscheck.exe is not the legitimate Sysinternals tool
6.A.3
General (Correlated, Alert)
A General alert detection (high severity; red indicator) for "Malicious File" was generated for accesschk.exe execution. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed accesschk.exe is not a signed Microsoft binary with hash values provided. This can be used to verify it is not the legitimate Sysinternals tool. The event was correlated to a parent General detection for malicious file execution. [1]