Info
ID: AT-DC006.001
Technique: Masquerading
Tactic: Deepening Control
Platforms: Linux, macOS, Windows, IaaS
Defense Bypassed: Static Analysis, Signature-based Detection
Version: 1.0
Match Legitimate Name or Location
Attackers employ the "Match Legitimate Name or Location" subtechnique during the Deepening Control phase to conceal their malicious components by deliberately naming them to closely resemble legitimate system files, libraries, or services within the application environment. This subtechnique involves strategic placement of malicious code in locations that mirror authentic system directories or using naming conventions that closely mimic trusted components (such as "kerne1.dll" instead of "kernel.dll" or placing malicious scripts in recognized system paths). By leveraging users' and security tools' inherent trust in familiar names and standard locations, attackers effectively evade detection while establishing persistence. Security controls that rely on filename patterns or standard directory structures for threat detection may overlook these disguised components, allowing attackers to maintain their foothold and extend their control over the compromised application environment while appearing as legitimate system functionality.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | ByBit $1.5B Crypto Heist | With a stolen AWS key, the attackers overwrote Safe {Wallet}’s production JavaScript bundle (_app- |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions | Implement strict permissions on system directories to prevent unauthorized file placement |
M1045 | Code Signing | Implement code signing verification to identify unsigned files masquerading as legitimate components |
M1040 | Behavior Prevention | Deploy runtime detection solutions that analyze file behavior beyond filename patterns |
Detection
ID | Data Source | Detection |
---|---|---|
DS0009 | Process Metadata | Alert when trusted binary names (svchost.exe, lsass.exe, nginx, etc.) run from user-writable or otherwise non-standard directories – a classic name-masquerading indicator. |
DS0009 | Process Metadata | Analyze filenames for typosquatting and similarity to legitimate system files. |
DS0022 | File Creation & Metadata | Detect newly written executables whose filename imitates a core system binary yet whose hash / signer is absent from the golden-image inventory. Raise priority when the file resides outside approved software-distribution paths. |
DS0040 | Malware Repository | Submit every new or modified executable that matches a trusted filename to threat-intel/AV sandboxes; quarantine if its SHA-256, SSDEEP, or YARA signature aligns with known malware families that use masquerading. |
CADR001 | Execution Stack Trace | CADR records the call-stack for file creation events. Raise an alert when an executable bearing a trusted system name is written by a code path not on the allow-list. Anomalous creators of legitimate-looking filenames strongly indicate masquerading or tampering. |
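As an added illustration of the two DS0009 detections above (a trusted binary name executing from a non-standard directory, and a typosquatted look-alike of a trusted name), the following Python is not part of this page or of any vendor's product; the inventory of trusted names and locations, the homoglyph table and the sample events are constructed assumptions.

```python
import posixpath
from difflib import SequenceMatcher

# Constructed inventory (hypothetical golden-image data, not from the page):
# trusted binary names mapped to the directories they legitimately run from.
TRUSTED = {
    "svchost.exe": {"c:/windows/system32", "c:/windows/syswow64"},
    "lsass.exe":   {"c:/windows/system32"},
    "nginx":       {"/usr/sbin", "/usr/local/sbin"},
}

# Digits commonly substituted for look-alike letters (e.g. "kerne1" for "kernel").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def _normalise(image_path):
    # Fold separators and case so Windows and POSIX paths compare alike.
    p = image_path.replace("\\", "/").lower().rstrip("/")
    return posixpath.basename(p), posixpath.dirname(p)

def classify(image_path, threshold=0.85):
    """Return a finding for one process/file event, or None if it looks benign.
    'wrong_location'      : exact trusted name, directory not on the allow-list
    'lookalike:<trusted>' : name matches a trusted one after homoglyph folding,
                            or is within `threshold` string similarity of it."""
    name, directory = _normalise(image_path)
    if name in TRUSTED:
        return None if directory in TRUSTED[name] else "wrong_location"
    folded = name.translate(HOMOGLYPHS)
    for trusted in TRUSTED:
        if folded == trusted or SequenceMatcher(None, name, trusted).ratio() >= threshold:
            return f"lookalike:{trusted}"
    return None

def scan(events):
    """Run classify() over a batch of image paths; return only the hits."""
    hits = []
    for path in events:
        finding = classify(path)
        if finding:
            hits.append((path, finding))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",                # benign
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",  # trusted name, wrong dir
    r"C:\Windows\System32\svch0st.exe",                # digit-for-letter look-alike
    "/usr/sbin/nginx",                                 # benign
    "/tmp/.x/lsasss.exe",                              # near-miss spelling
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:22} {path}")
```

The similarity threshold is deliberately high so that short, legitimately different names (for example lsm.exe against lsass.exe) do not trip the look-alike rule; tune it against your own process inventory before alerting on it.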