Potential Masquerading as Business App Installer

Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.

Elastic rule

[metadata]
creation_date = "2023/09/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies executables with names resembling legitimate business applications but lacking signatures from the original
developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications
via malicious ads, forum posts, and tutorials, effectively gaining initial access.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Business App Installer"
references = [
    "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers",
]
risk_score = 21
rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
severity = "low"
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and
  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
  (
    /* Slack */
    (process.name : "*slack*.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
       ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "*webex*.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "teams*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "*discord*.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "*whatsapp*.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "*outlook*.exe" and not
      (
        (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or
        (
          process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and
          process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.name : "*thunderbird*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Grammarly */
    (process.name : "*grammarly*.exe" and not
      (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true)
    ) or

    /* Dropbox */
    (process.name : "*dropbox*.exe" and not
      (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true)
    ) or

    /* Tableau */
    (process.name : "*tableau*.exe" and not
      (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true)
    ) or

    /* Google Drive */
    (process.name : "*googledrive*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* MSOffice */
    (process.name : "*office*setup*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Okta */
    (process.name : "*okta*.exe" and not
      (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true)
    ) or

    /* OneDrive */
    (process.name : "*onedrive*.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Chrome */
    (process.name : "*chrome*.exe" and not
      (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
    ) or

    /* Firefox */
    (process.name : "*firefox*.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    ) or

    /* Edge */
    (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Brave */
    (process.name : "*brave*.exe" and not
      (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true)
    ) or

    /* GoogleCloud Related Tools */
    (process.name : "*GoogleCloud*.exe" and not
      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
    ) or

    /* Github Related Tools */
    (process.name : "*github*.exe" and not
      (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true)
    ) or

    /* Notion */
    (process.name : "*notion*.exe" and not
      (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true)
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Business App Installer

Business applications are integral to productivity, often downloaded and installed by users. Adversaries exploit this by creating malicious executables with names mimicking legitimate apps, tricking users into installing them. The detection rule identifies such threats by checking for unsigned executables in download directories, ensuring they don't masquerade as trusted applications.

### Possible investigation steps

- Review the process name and executable path to confirm if it matches any known legitimate business application names listed in the rule, such as Slack, WebEx, or Teams, and verify if it was executed from a typical download directory.
- Check the process code signature status and subject name to determine if the executable is unsigned or signed by an untrusted entity, which could indicate a masquerading attempt.
- Investigate the source of the download by examining browser history, email attachments, or any recent file transfers to identify potential phishing attempts or malicious download sources.
- Analyze the process execution context, including parent processes and command-line arguments, to understand how the executable was launched and if it aligns with typical user behavior.
- Look for any network connections initiated by the process to identify suspicious outbound traffic or connections to known malicious IP addresses or domains.
- Cross-reference the executable's hash with threat intelligence databases to check for known malware signatures or previous reports of malicious activity.
- If the executable is determined to be suspicious, isolate the affected system and perform a full malware scan to prevent further compromise.

### False positive analysis

- Unsigned executables from legitimate developers may trigger alerts if they are not properly signed or if the signature is not recognized. Users can create exceptions for specific executables by verifying the developer's authenticity and adding them to a trusted list.
- Custom or in-house developed applications that mimic business app names but are unsigned can cause false positives. Organizations should ensure these applications are signed with a trusted certificate or add them to an exclusion list after verifying their safety.
- Software updates or beta versions of legitimate applications might not have updated signatures, leading to false positives. Users should verify the source of the update and, if legitimate, temporarily exclude these versions from the rule.
- Applications installed in non-standard directories that match the naming patterns but are legitimate can be excluded by specifying trusted paths or directories in the rule configuration.
- Third-party tools or utilities that integrate with business applications and use similar naming conventions might be flagged. Users should verify these tools and, if safe, add them to an exception list to prevent future alerts.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
- Quarantine the executable file flagged by the detection rule to prevent execution and further analysis.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and analyze the process execution logs and any related network activity to understand the scope of the intrusion and identify any other potentially compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized executables from running, ensuring only trusted and signed applications are allowed to execute."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
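To make the rule's logic concrete for triage and for tuning false positives, the following Python re-implements the query's predicate and runs it over constructed process-start events. This is an added example, not Elastic's code or part of the rule: the event dictionary layout, the `evaluate`/`run` function names, the sample file names and paths, and every signer or status string other than those quoted from the query above are assumptions made for the demonstration. Only a subset of the rule's branches is carried over; the EQL `:` operator is modelled as a case-insensitive wildcard match and `in`/`==` as case-sensitive, and each sample event is assumed to carry a `code_signature.status` field.

```python
"""Python model of the rule's EQL predicate, run over constructed events.
Added example only; not Elastic's code."""
import fnmatch

# Directory scope from the query (EQL `?` = one character, `*` = any run of characters).
DOWNLOADS = r"?:\Users\*\Downloads\*"

# Signature states the query excludes before any branch is evaluated.
IGNORED_STATUS = ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining")

# (label, process.name patterns, publishers accepted when trusted == true,
#  {lower-cased exact process name: extra publishers}). Subset of the query's branches.
BRANCHES = [
    ("slack", ("*slack*.exe",), {"Slack Technologies, Inc.", "Slack Technologies, LLC"}, {}),
    ("teams", ("teams*.exe",), {"Microsoft Corporation"}, {}),
    ("discord", ("*discord*.exe",), {"Discord Inc."}, {}),
    ("zoom", ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe"),
     {"Zoom Video Communications, Inc."}, {}),
    ("outlook", ("*outlook*.exe",), {"Microsoft Corporation"},
     {"msoutlookhelp-pst-viewer.exe": {"Aryson Technologies Pvt. Ltd"}}),
    ("chrome", ("*chrome*.exe",), {"Google LLC", "Google Inc"}, {}),
]


def matches_any(value, patterns):
    """EQL `:` operator: case-insensitive wildcard match against one or more patterns."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def signed_trusted_by(event, publishers):
    """EQL `subject_name in (...) and trusted == true`, case-sensitive like EQL `in`/`==`."""
    sig = event.get("code_signature", {})
    return sig.get("subject_name") in publishers and sig.get("trusted") is True


def evaluate(event):
    """Return the labels of the branches that fire for this event; [] means no alert."""
    if event.get("os_type") != "windows" or event.get("event_type") != "start":
        return []
    if not matches_any(event.get("executable", ""), (DOWNLOADS,)):
        return []
    # Assumption: status is always present; EQL's null handling for absent fields is not modelled.
    if matches_any(event.get("code_signature", {}).get("status", ""), IGNORED_STATUS):
        return []
    name = event.get("name", "")
    hits = []
    for label, patterns, publishers, exceptions in BRANCHES:
        if not matches_any(name, patterns):
            continue
        # A branch fires when the name matches and the file is NOT trusted-signed by an
        # accepted publisher (including the per-name exception, e.g. the Outlook PST viewer).
        allowed = publishers | exceptions.get(name.lower(), set())
        if not signed_trusted_by(event, allowed):
            hits.append(label)
    return hits


def sample_events():
    """Constructed events, not real telemetry; publishers and statuses not taken from the
    query ('Example Untrusted Signer', 'unsigned', 'invalid', 'trusted') are made up."""
    def ev(name, path, subject, trusted, status="trusted"):
        return {"os_type": "windows", "event_type": "start", "name": name, "executable": path,
                "code_signature": {"subject_name": subject, "trusted": trusted, "status": status}}
    dl = "C:\\Users\\alice\\Downloads\\"
    return {
        "zoom_legit": ev("ZoomInstallerFull.exe", dl + "ZoomInstallerFull.exe",
                         "Zoom Video Communications, Inc.", True),
        "zoom_fake": ev("Zoom_Setup.exe", dl + "Zoom_Setup.exe",
                        "Example Untrusted Signer", False, "unsigned"),
        # Same unsigned binary outside Downloads: out of the rule's scope.
        "slack_program_files": ev("slack.exe", "C:\\Program Files\\Slack\\slack.exe",
                                  "Example Untrusted Signer", False, "unsigned"),
        # Chain could not be verified by the endpoint: excluded by the status clause.
        "discord_chain_error": ev("DiscordSetup.exe", dl + "DiscordSetup.exe",
                                  "Discord Inc.", False, "errorUntrustedRoot"),
        "outlook_helper": ev("MSOutlookHelp-PST-Viewer.exe", dl + "MSOutlookHelp-PST-Viewer.exe",
                             "Aryson Technologies Pvt. Ltd", True),
        # Right publisher string but trusted == false: the rule still fires.
        "teams_untrusted": ev("TeamsSetup.exe", dl + "TeamsSetup.exe",
                              "Microsoft Corporation", False, "invalid"),
        "chrome_legit": ev("ChromeSetup.exe", dl + "ChromeSetup.exe", "Google Inc", True),
    }


def run():
    """Evaluate every sample event; maps sample label -> list of fired branch labels."""
    return {key: evaluate(event) for key, event in sample_events().items()}


if __name__ == "__main__":
    for key, hits in run().items():
        print(f"{key:22s} -> {'ALERT ' + ','.join(hits) if hits else 'no alert'}")
```

The `teams_untrusted` and `discord_chain_error` samples show the two clauses that matter most when tuning: a publisher string alone never suppresses the alert unless `trusted` is also true, while the status exclusions drop events whose chain the endpoint could not verify, so an exception added for an in-house tool should pin both the publisher and the trusted state rather than the name alone.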
