Potential Masquerading as Business App Installer
Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.
Elastic rule
```toml
[metadata]
creation_date = "2023/09/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/17"

[rule]
author = ["Elastic"]
description = """
Identifies executables with names resembling legitimate business applications but lacking signatures from the original
developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications
via malicious ads, forum posts, and tutorials, effectively gaining initial access.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Business App Installer"
references = [
    "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers",
]
risk_score = 21
rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
severity = "low"
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and
  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
  not process.code_signature.status like ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and process.hash.sha256 != null and
  (
    /* Slack */
    (process.name : "*slack*.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
      ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "*webex*.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "teams*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "*discord*.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "*whatsapp*.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435",
        /* WhatsApp Installer - MS Store */
        "Microsoft Corporation"
      ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not
      (process.code_signature.subject_name in (
        "Zoom Video Communications, Inc.", "Zoom Communications, Inc."
      ) and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "*outlook*.exe" and not
      (
        (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or
        (
          process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and
          process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.name : "*thunderbird*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Grammarly */
    (process.name : "*grammarly*.exe" and not
      (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true)
    ) or

    /* Dropbox */
    (process.name : "*dropbox*.exe" and not
      (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true)
    ) or

    /* Tableau */
    (process.name : "*tableau*.exe" and not
      (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true)
    ) or

    /* Google Drive */
    (process.name : "*googledrive*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* MSOffice */
    (process.name : "*office*setup*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Okta */
    (process.name : "*okta*.exe" and not
      (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true)
    ) or

    /* OneDrive */
    (process.name : "*onedrive*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Chrome */
    (process.name : "*chrome*.exe" and not
      (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
    ) or

    /* Firefox */
    (process.name : "*firefox*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Edge */
    (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Brave */
    (process.name : "*brave*.exe" and not
      (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true)
    ) or

    /* GoogleCloud Related Tools */
    (process.name : "*GoogleCloud*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* Github Related Tools */
    (process.name : "*github*.exe" and not
      (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true)
    ) or

    /* Notion */
    (process.name : "*notion*.exe" and not
      (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true)
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Business App Installer

Business applications are integral to productivity, often downloaded and installed by users. Adversaries exploit this by creating malicious executables with names mimicking legitimate apps, tricking users into installing them. The detection rule identifies such threats by checking for unsigned executables in download directories, ensuring they don't masquerade as trusted applications.

### Possible investigation steps

- Review the process name and executable path to confirm if it matches any known legitimate business application names listed in the rule, such as Slack, WebEx, or Teams, and verify if it was executed from a typical download directory.
- Check the process code signature status and subject name to determine if the executable is unsigned or signed by an untrusted entity, which could indicate a masquerading attempt.
- Investigate the source of the download by examining browser history, email attachments, or any recent file transfers to identify potential phishing attempts or malicious download sources.
- Analyze the process execution context, including parent processes and command-line arguments, to understand how the executable was launched and if it aligns with typical user behavior.
- Look for any network connections initiated by the process to identify suspicious outbound traffic or connections to known malicious IP addresses or domains.
- Cross-reference the executable's hash with threat intelligence databases to check for known malware signatures or previous reports of malicious activity.
- If the executable is determined to be suspicious, isolate the affected system and perform a full malware scan to prevent further compromise.

### False positive analysis

- Unsigned executables from legitimate developers may trigger alerts if they are not properly signed or if the signature is not recognized. Users can create exceptions for specific executables by verifying the developer's authenticity and adding them to a trusted list.
- Custom or in-house developed applications that mimic business app names but are unsigned can cause false positives. Organizations should ensure these applications are signed with a trusted certificate or add them to an exclusion list after verifying their safety.
- Software updates or beta versions of legitimate applications might not have updated signatures, leading to false positives. Users should verify the source of the update and, if legitimate, temporarily exclude these versions from the rule.
- Applications installed in non-standard directories that match the naming patterns but are legitimate can be excluded by specifying trusted paths or directories in the rule configuration.
- Third-party tools or utilities that integrate with business applications and use similar naming conventions might be flagged. Users should verify these tools and, if safe, add them to an exception list to prevent future alerts.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
- Quarantine the executable file flagged by the detection rule to prevent execution and further analysis.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and analyze the process execution logs and any related network activity to understand the scope of the intrusion and identify any other potentially compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized executables from running, ensuring only trusted and signed applications are allowed to execute."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
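The matching logic of the EQL query above, re-implemented in Python as an added example (this is not Elastic's code) and run over constructed ECS-style process events, so the scoping conditions (Downloads path, excluded signature statuses, hash presence) and the per-vendor signer carve-outs can be exercised offline. The name patterns, signer lists, status patterns and the Outlook helper carve-out are transcribed from the query; `make_event`, the sample events, their signer and status strings, and the `exceptions` parameter (a local allow-list of the kind the false-positive section describes) are assumptions made for the example.

```python
"""Python re-implementation of the rule's matching logic over constructed
ECS-style process-start events. Added example; not Elastic's code."""
import fnmatch

# Expected signers per process.name wildcard, transcribed from the rule's query.
# EQL's ":" is a case-insensitive wildcard match, so names are lower-cased before
# matching; signer names are compared exactly, as EQL's "==" and "in" do.
ZOOM = {"Zoom Video Communications, Inc.", "Zoom Communications, Inc."}
EXPECTED_SIGNERS = {
    "*slack*.exe": {"Slack Technologies, Inc.", "Slack Technologies, LLC"},
    "*webex*.exe": {"Cisco WebEx LLC", "Cisco Systems, Inc."},
    "teams*.exe": {"Microsoft Corporation"},
    "*discord*.exe": {"Discord Inc."},
    "*whatsapp*.exe": {"WhatsApp LLC", "WhatsApp, Inc", "24803D75-212C-471A-BC57-9EF86AB91435",
                       "Microsoft Corporation"},  # last entry: WhatsApp installer from the MS Store
    "*zoom*installer*.exe": ZOOM, "*zoom*setup*.exe": ZOOM, "zoom.exe": ZOOM,
    "*outlook*.exe": {"Microsoft Corporation"},
    "*thunderbird*.exe": {"Mozilla Corporation"},
    "*grammarly*.exe": {"Grammarly, Inc."},
    "*dropbox*.exe": {"Dropbox, Inc"},
    "*tableau*.exe": {"Tableau Software LLC"},
    "*googledrive*.exe": {"Google LLC"},
    "*office*setup*.exe": {"Microsoft Corporation"},
    "*okta*.exe": {"Okta, Inc."},
    "*onedrive*.exe": {"Microsoft Corporation"},
    "*chrome*.exe": {"Google LLC", "Google Inc"},
    "*firefox*.exe": {"Mozilla Corporation"},
    "*microsoftedge*.exe": {"Microsoft Corporation"}, "*msedge*.exe": {"Microsoft Corporation"},
    "*brave*.exe": {"Brave Software, Inc."},
    "*googlecloud*.exe": {"Google LLC"},
    "*github*.exe": {"GitHub, Inc."},
    "*notion*.exe": {"Notion Labs, Inc."},
}
# The one exactly named helper the rule allows under a signer other than the app vendor.
EXACT_NAME_SIGNERS = {"msoutlookhelp-pst-viewer.exe": {"Aryson Technologies Pvt. Ltd"}}
# Signature statuses the rule leaves out of scope (case-sensitive, like EQL's "like").
EXCLUDED_STATUS = ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining")
DOWNLOADS = "?:\\users\\*\\downloads\\*"  # the rule's path pattern, lower-cased for matching


def _get(event, dotted):
    """Fetch a dotted ECS field; None when any component is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event, exceptions=None):
    """True when the event would fire the rule. `exceptions` is an optional
    {name_pattern: {signer, ...}} map standing in for a local allow-list of
    verified in-house or third-party builds (assumed shape, not part of the rule)."""
    if _get(event, "host.os.type") != "windows" or _get(event, "event.type") != "start":
        return False
    exe = (_get(event, "process.executable") or "").lower()
    if not fnmatch.fnmatchcase(exe, DOWNLOADS):
        return False
    # Simplification of EQL null handling: a missing status is treated as not excluded.
    status = _get(event, "process.code_signature.status") or ""
    if any(fnmatch.fnmatchcase(status, p) for p in EXCLUDED_STATUS):
        return False
    if _get(event, "process.hash.sha256") is None:
        return False
    name = (_get(event, "process.name") or "").lower()
    signer = _get(event, "process.code_signature.subject_name")
    trusted = _get(event, "process.code_signature.trusted") is True
    for pattern, signers in EXPECTED_SIGNERS.items():
        if fnmatch.fnmatchcase(name, pattern):
            allowed = set(signers) | EXACT_NAME_SIGNERS.get(name, set())
            allowed |= (exceptions or {}).get(pattern, set())
            if not (trusted and signer in allowed):
                return True  # named like a business app, but not vendor-signed and trusted
    return False


def run_rule(events, exceptions=None):
    """Names of the events that fire, in input order."""
    return [_get(e, "process.name") for e in events if matches_rule(e, exceptions)]


def make_event(name, executable, signer=None, trusted=None, status=None):
    """Build a minimal ECS-shaped process start event (constructed test data)."""
    sig = {k: v for k, v in (("subject_name", signer), ("trusted", trusted), ("status", status))
           if v is not None}
    return {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
            "process": {"name": name, "executable": executable,
                        "hash": {"sha256": "0" * 64},  # constructed placeholder hash
                        "code_signature": sig}}


DL = "C:\\Users\\alice\\Downloads\\"
SAMPLE_EVENTS = [  # all constructed; signer and status strings are illustrative only
    make_event("SlackSetup.exe", DL + "SlackSetup.exe"),  # unsigned -> fires
    make_event("SlackSetup.exe", DL + "SlackSetup.exe", "Slack Technologies, LLC", True, "trusted"),
    make_event("Zoom_Installer.exe", DL + "Zoom_Installer.exe", "Example Publisher Ltd", True, "trusted"),  # wrong signer -> fires
    make_event("WhatsAppSetup.exe", DL + "WhatsAppSetup.exe", "Microsoft Corporation", True, "trusted"),  # MS Store carve-out
    make_event("MSOutlookHelp-PST-Viewer.exe", DL + "MSOutlookHelp-PST-Viewer.exe",
               "Aryson Technologies Pvt. Ltd", True, "trusted"),  # helper carve-out
    make_event("SlackSetup.exe", "C:\\Program Files\\Slack\\SlackSetup.exe"),  # outside Downloads -> out of scope
    make_event("TeamsSetup.exe", DL + "TeamsSetup.exe", "Unknown Issuer", False, "errorChaining"),  # excluded status
    make_event("chrome_installer.exe", DL + "chrome_installer.exe", "Google Inc", True, "trusted"),
]

if __name__ == "__main__":
    for n in run_rule(SAMPLE_EVENTS):
        print("ALERT:", n)
```

Two points worth keeping in mind when tuning the rule itself: EQL's `:` is case-insensitive but `==` and `in` are exact, so a signer string that differs only in punctuation ("Dropbox, Inc" versus "Dropbox, Inc.") is treated as a different publisher and will fire; and the `exceptions` map here models the allow-list the false-positive section recommends, which keeps the `trusted == true` requirement in place rather than suppressing the name pattern outright.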
Related rules
- Suspicious Explorer Child Process
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Execution via GitHub Actions Runner
- Remote GitHub Actions Runner Registration