
Masquerading

Info

ID: AT-DC006
Tactic: Deepening Control
Sub-techniques: Break Process Trees, Match Legitimate Name or Location
Platforms: Linux, macOS, Windows, Container
Defense Bypassed: Static Analysis, Signature-based Detection, Heuristic Detection
Version: 1.0

Masquerading

Adversaries may rename files, services, or processes to resemble legitimate components, tricking defenders or automated detection into ignoring them. This can involve giving malicious binaries benign or system-like names, or placing executables in commonly used directories with the permissions defenders expect to see there. By closely mimicking normal environment details, attackers lower their detection profile.

Masquerading extends to container images or ephemeral app services that adopt naming conventions and metadata consistent with official builds. In environments with frequent updates, subtle differences in image tags or version numbers might go unnoticed. Over time, this technique lets malicious processes blend in, particularly if defenders rely on heuristics that trust known file paths or naming schemes.

Detection

ID      Data Source            Detection
DS0022  File: File Metadata    Identify new executables in trusted directories whose file metadata does not match the expected signatures.
DS0009  Process Creation       Alert when a process name matches a whitelisted system binary but the process is executed from a user-writable directory.
DS0029  Network Traffic Flow   Detect containers pulling images tagged with official repository names but with non-trusted digests.
DS0040  Malware Repository     Submit the hash of binaries carrying trusted names for reputation checks; quarantine those with low reputation.
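The DS0009 row above, worked as a small detection rule that is an added example and not part of the original page: it parses constructed process-creation log lines (the `pid=... name=... exe=...` format, the allow-list of trusted names and their expected directories, and the list of user-writable prefixes are all assumptions) and flags a trusted binary name that is executed from somewhere other than its expected home, with a higher severity when that location is user-writable.

```python
import re
from pathlib import PurePosixPath

# Constructed allow-list (assumption): trusted name -> expected executable dirs.
EXPECTED_LOCATIONS = {"sshd": {"/usr/sbin"}, "cron": {"/usr/sbin"},
                      "bash": {"/bin", "/usr/bin"}}
# User-writable dirs; a trusted name launched from one is the DS0009 signal.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Assumed log format (not from the page): "... pid=N name=X exe=/path".
LOG_RE = re.compile(r"pid=(\d+)\s+name=(\S+)\s+exe=(\S+)")

def parse_event(line):
    """Return {'pid','name','exe'} for one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    pid, name, exe = m.groups()
    return {"pid": int(pid), "name": name, "exe": exe}

def classify(event):
    """Severity string when a trusted name runs from the wrong place, else None."""
    name = event["name"]
    if name not in EXPECTED_LOCATIONS:
        return None                       # not a name this rule cares about
    if str(PurePosixPath(event["exe"]).parent) in EXPECTED_LOCATIONS[name]:
        return None                       # genuine binary in its expected home
    if event["exe"].startswith(USER_WRITABLE_PREFIXES):
        return "high: trusted name executed from user-writable directory"
    return "medium: trusted name executed from unexpected directory"

def scan(lines):
    """Run the rule over log lines; return (pid, name, exe, severity) findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event) if event else None
        if verdict:
            findings.append((event["pid"], event["name"], event["exe"], verdict))
    return findings

# Constructed sample: genuine sshd, a copied "sshd" under /tmp, a "cron" in /opt.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 exec pid=4121 name=sshd exe=/usr/sbin/sshd",
    "2024-05-01T10:01:15 exec pid=4188 name=sshd exe=/tmp/.cache/sshd",
    "2024-05-01T10:01:20 exec pid=4190 name=cron exe=/opt/tools/cron",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The genuine `/usr/sbin/sshd` produces no finding; the copy under `/tmp` is rated high and the `/opt` "cron" medium, which is the distinction a triage queue needs when trusted names show up in untrusted places.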

Mitigations

ID     Mitigation                                Description
M1045  Code Signing                              Implement code-signing verification to identify unsigned masqueraded files.
M1040  Behavior Prevention on Endpoint           Deploy endpoint detection solutions that analyze behavior rather than relying on names alone.
M1022  Restrict File and Directory Permissions   Implement strict permissions to prevent unauthorized file placement in trusted directories.