Potential Masquerading as Business App Installer

Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.

Elastic rule

[metadata]
creation_date = "2023/09/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = """
Identifies executables with names resembling legitimate business applications but lacking signatures from the original
developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications
via malicious ads, forum posts, and tutorials, effectively gaining initial access.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Business App Installer"
references = [
    "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers",
]
risk_score = 21
rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
severity = "low"
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and
  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
  (
    /* Slack */
    (process.name : "*slack*.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
       ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "*webex*.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "teams*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "*discord*.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "*whatsapp*.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "*outlook*.exe" and not
      (
        (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or
        (
          process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and
          process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.name : "*thunderbird*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Grammarly */
    (process.name : "*grammarly*.exe" and not
      (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true)
    ) or

    /* Dropbox */
    (process.name : "*dropbox*.exe" and not
      (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true)
    ) or

    /* Tableau */
    (process.name : "*tableau*.exe" and not
      (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true)
    ) or

    /* Google Drive */
    (process.name : "*googledrive*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* MSOffice */
    (process.name : "*office*setup*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Okta */
    (process.name : "*okta*.exe" and not
      (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true)
    ) or

    /* OneDrive */
    (process.name : "*onedrive*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Chrome */
    (process.name : "*chrome*.exe" and not
      (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
    ) or

    /* Firefox */
    (process.name : "*firefox*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Edge */
    (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Brave */
    (process.name : "*brave*.exe" and not
      (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true)
    ) or

    /* GoogleCloud Related Tools */
    (process.name : "*GoogleCloud*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* Github Related Tools */
    (process.name : "*github*.exe" and not
      (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true)
    ) or

    /* Notion */
    (process.name : "*notion*.exe" and not
      (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true)
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Business App Installer

Business applications are integral to productivity, often downloaded and installed by users. Adversaries exploit this by creating malicious executables with names mimicking legitimate apps, tricking users into installing them. The detection rule identifies such threats by checking for unsigned executables in download directories, ensuring they don't masquerade as trusted applications.

### Possible investigation steps

- Review the process name and executable path to confirm if it matches any known legitimate business application names listed in the rule, such as Slack, WebEx, or Teams, and verify if it was executed from a typical download directory.
- Check the process code signature status and subject name to determine if the executable is unsigned or signed by an untrusted entity, which could indicate a masquerading attempt.
- Investigate the source of the download by examining browser history, email attachments, or any recent file transfers to identify potential phishing attempts or malicious download sources.
- Analyze the process execution context, including parent processes and command-line arguments, to understand how the executable was launched and if it aligns with typical user behavior.
- Look for any network connections initiated by the process to identify suspicious outbound traffic or connections to known malicious IP addresses or domains.
- Cross-reference the executable's hash with threat intelligence databases to check for known malware signatures or previous reports of malicious activity.
- If the executable is determined to be suspicious, isolate the affected system and perform a full malware scan to prevent further compromise.

### False positive analysis

- Unsigned executables from legitimate developers may trigger alerts if they are not properly signed or if the signature is not recognized. Users can create exceptions for specific executables by verifying the developer's authenticity and adding them to a trusted list.
- Custom or in-house developed applications that mimic business app names but are unsigned can cause false positives. Organizations should ensure these applications are signed with a trusted certificate or add them to an exclusion list after verifying their safety.
- Software updates or beta versions of legitimate applications might not have updated signatures, leading to false positives. Users should verify the source of the update and, if legitimate, temporarily exclude these versions from the rule.
- Applications installed in non-standard directories that match the naming patterns but are legitimate can be excluded by specifying trusted paths or directories in the rule configuration.
- Third-party tools or utilities that integrate with business applications and use similar naming conventions might be flagged. Users should verify these tools and, if safe, add them to an exception list to prevent future alerts.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
- Quarantine the executable file flagged by the detection rule to prevent execution and further analysis.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and analyze the process execution logs and any related network activity to understand the scope of the intrusion and identify any other potentially compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized executables from running, ensuring only trusted and signed applications are allowed to execute."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
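To see what the query above actually excludes and fires on, here is an added Python model of its logic (not Elastic's code) run over constructed ECS-style process events. It covers a subset of the app/signer pairs; the event layout, the sample_event helper, and the treatment of missing signature fields as "not signed by a trusted signer" are assumptions of this example.

```python
import fnmatch

# Subset of the rule's name pattern -> accepted signer pairs (constructed subset, not the full rule).
APP_SIGNERS = {
    "*slack*.exe": {"Slack Technologies, Inc.", "Slack Technologies, LLC"},
    "teams*.exe": {"Microsoft Corporation"},
    "*zoom*installer*.exe": {"Zoom Video Communications, Inc."},
    "*chrome*.exe": {"Google LLC", "Google Inc"},
}
# Signature statuses the rule deliberately skips (endpoint-side verification problems).
IGNORED_STATUS = ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining")
DOWNLOADS = "?:\\Users\\*\\Downloads\\*"


def _glob(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive wildcard match with '*' and '?'."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def matches_rule(event):
    """Return the app pattern the rule fires on for this event, or None if it would not match.

    `event` is a flat dict keyed by the ECS field names the query uses (assumed layout).
    Missing signature fields count as "not signed by a trusted signer", which is what the rule hunts.
    """
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    if not _glob(event.get("process.executable", ""), DOWNLOADS):
        return None
    status = event.get("process.code_signature.status", "")
    if any(_glob(status, p) for p in IGNORED_STATUS):
        return None
    name = event.get("process.name", "")
    signer = event.get("process.code_signature.subject_name")
    trusted = event.get("process.code_signature.trusted") is True
    for pattern, signers in APP_SIGNERS.items():
        if _glob(name, pattern) and not (signer in signers and trusted):
            return pattern
    return None


def sample_event(name, signer=None, trusted=False, status=None, folder="Downloads"):
    """Constructed Windows process-start event for C:\\Users\\alice\\<folder>\\<name>."""
    event = {"host.os.type": "windows", "event.type": "start", "process.name": name,
             "process.executable": f"C:\\Users\\alice\\{folder}\\{name}"}
    if signer is not None:
        event["process.code_signature.subject_name"] = signer
        event["process.code_signature.trusted"] = trusted
    if status is not None:
        event["process.code_signature.status"] = status
    return event
```

Note that a binary signed by the correct vendor but with trusted == false (a revoked or invalid chain) still fires, exactly as in the EQL, which is why the investigation guide asks you to check both the status and the subject name.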
