Potential Masquerading as Business App Installer
Identifies executables launched from a user's Downloads folder whose names resemble legitimate business applications (Slack, Teams, Zoom, Chrome, Okta and others) but that do not carry a trusted code signature from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.
# Rule housekeeping consumed by the detection-rules tooling, not by the query.
# Dates are stored as "YYYY/MM/DD" strings rather than native TOML dates; keep
# that format when bumping updated_date.
[metadata]
creation_date = "2023/09/01"
# The query below reads logs-endpoint.events.process-*, so the Elastic Defend
# (endpoint) integration must be installed for this rule to see any data.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies executables with names resembling legitimate business applications but lacking signatures from the original
developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications
via malicious ads, forum posts, and tutorials, effectively gaining initial access.
"""
# Look-back window for each rule execution. Because timestamp_override (below)
# is event.ingested, the window is measured against ingestion time, not the
# event's original @timestamp.
from = "now-9m"
# Process events from Elastic Defend (the "endpoint" integration in [metadata]).
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Business App Installer"
# Background reading on the campaign this rule was written against (fake-update
# lure delivering infostealers); the reference is informational and is not used
# by the query.
references = [
    "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers",
]
# Low risk score / severity: the query keys on wildcard filename patterns (see
# the caveats above `query`) and should be tuned per environment before it is
# treated as a high-fidelity alert.
risk_score = 21
rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
severity = "low"
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Tactic: Execution",
]
timestamp_override = "event.ingested"
type = "eql"

# How the query is built, top to bottom:
#   1. Windows process-start events whose executable lives anywhere under a
#      user's Downloads folder ("?:\Users\*\Downloads\*").
#   2. Drop events whose process.code_signature.status is "errorCode_endpoint*",
#      "errorUntrustedRoot" or "errorChaining" -- by their names, cases where the
#      endpoint could not evaluate the signature or the chain did not validate.
#      NOTE(review): this filter also removes a lookalike that is signed with a
#      self-signed or otherwise untrusted certificate, so such binaries are NOT
#      alerted on by this rule. Confirm that trade-off (fewer false positives
#      from unverifiable signatures vs. missing untrusted-signed masquerades)
#      is the intended one for your environment.
#   3. One clause per application: the process name matches a wildcard pattern
#      AND the signer is NOT one of that vendor's known subject names with
#      process.code_signature.trusted == true. Every vendor check requires both
#      conditions, so a matching subject_name by itself never excludes an event.
# Caveats for tuning:
#   - Patterns such as "*chrome*.exe", "*okta*.exe" or "*notion*.exe" match any
#     file whose name merely contains that substring; expect hits from unrelated
#     unsigned or third-party-signed tools and add vendor-specific exclusions
#     following the Outlook example, which already carves out
#     "MSOutlookHelp-PST-Viewer.exe" when signed by Aryson Technologies.
#   - The WhatsApp signer list contains a bare GUID; presumably the publisher
#     identifier of the Store-packaged build -- verify before relying on it.
#   - Only the Downloads folder is in scope; a lookalike saved or moved
#     elsewhere before it is executed is not covered by this rule.
query = '''
process where host.os.type == "windows" and
  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
  (
    /* Slack */
    (process.name : "*slack*.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
      ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "*webex*.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "teams*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "*discord*.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "*whatsapp*.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
      ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "*outlook*.exe" and not
      (
        (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or
        (
          process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and
          process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.name : "*thunderbird*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Grammarly */
    (process.name : "*grammarly*.exe" and not
      (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true)
    ) or

    /* Dropbox */
    (process.name : "*dropbox*.exe" and not
      (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true)
    ) or

    /* Tableau */
    (process.name : "*tableau*.exe" and not
      (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true)
    ) or

    /* Google Drive */
    (process.name : "*googledrive*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* MSOffice */
    (process.name : "*office*setup*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Okta */
    (process.name : "*okta*.exe" and not
      (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true)
    ) or

    /* OneDrive */
    (process.name : "*onedrive*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Chrome */
    (process.name : "*chrome*.exe" and not
      (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
    ) or

    /* Firefox */
    (process.name : "*firefox*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Edge */
    (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Brave */
    (process.name : "*brave*.exe" and not
      (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true)
    ) or

    /* GoogleCloud Related Tools */
    (process.name : "*GoogleCloud*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* Github Related Tools */
    (process.name : "*github*.exe" and not
      (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true)
    ) or

    /* Notion */
    (process.name : "*notion*.exe" and not
      (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true)
    )
  )
'''


# ATT&CK mapping 1/3 -- Defense Evasion: the detected artefact is a binary that
# borrows a legitimate product name (T1036.005) without carrying the vendor's
# valid signature (T1036.001).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 2/3 -- Initial Access: the delivery vector described in the
# rule description (malicious ads, forum posts, tutorials) is modelled as
# drive-by compromise.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# ATT&CK mapping 3/3 -- Execution: the query fires on the process start, i.e.
# the moment the user runs the downloaded file.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"