Potential Masquerading as Business App Installer

Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.


  1[metadata]
  2creation_date = "2023/09/01"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2024/03/28"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies executables with names resembling legitimate business applications but lacking signatures from the original
 13developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications
 14via malicious ads, forum posts, and tutorials, effectively gaining initial access.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.process-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Potential Masquerading as Business App Installer"
 21references = [
 22    "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers",
 23]
 24risk_score = 21
 25rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
 26severity = "low"
 27tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"]
 28timestamp_override = "event.ingested"
 29type = "eql"
 30
 31query = '''
 32process where host.os.type == "windows" and
 33  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
 34  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
 35  (
 36    /* Slack */
 37    (process.name : "*slack*.exe" and not
 38      (process.code_signature.subject_name in (
 39        "Slack Technologies, Inc.",
 40        "Slack Technologies, LLC"
 41       ) and process.code_signature.trusted == true)
 42    ) or
 43
 44    /* WebEx */
 45    (process.name : "*webex*.exe" and not
 46      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
 47    ) or
 48
 49    /* Teams */
 50    (process.name : "teams*.exe" and not
 51      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
 52    ) or
 53
 54    /* Discord */
 55    (process.name : "*discord*.exe" and not
 56      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
 57    ) or
 58
 59    /* WhatsApp */
 60    (process.name : "*whatsapp*.exe" and not
 61      (process.code_signature.subject_name in (
 62        "WhatsApp LLC",
 63        "WhatsApp, Inc",
 64        "24803D75-212C-471A-BC57-9EF86AB91435"
 65       ) and process.code_signature.trusted == true)
 66    ) or
 67
 68    /* Zoom */
 69    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe")  and not
 70      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
 71    ) or
 72
 73    /* Outlook */
 74    (process.name : "*outlook*.exe" and not
 75      (
 76        (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or
 77        (
 78          process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and
 79          process.code_signature.trusted == true
 80        )
 81      )
 82    ) or
 83
 84    /* Thunderbird */
 85    (process.name : "*thunderbird*.exe" and not
 86      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
 87    ) or
 88
 89    /* Grammarly */
 90    (process.name : "*grammarly*.exe" and not
 91      (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true)
 92    ) or
 93
 94    /* Dropbox */
 95    (process.name : "*dropbox*.exe" and not
 96      (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true)
 97    ) or
 98
 99    /* Tableau */
100    (process.name : "*tableau*.exe" and not
101      (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true)
102    ) or
103
104    /* Google Drive */
105    (process.name : "*googledrive*.exe" and not
106      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
107    ) or
108
109    /* MSOffice */
110    (process.name : "*office*setup*.exe" and not
111      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
112    ) or
113
114    /* Okta */
115    (process.name : "*okta*.exe" and not
116      (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true)
117    ) or
118
119    /* OneDrive */
120    (process.name : "*onedrive*.exe" and not
121      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
122    ) or
123
124    /* Chrome */
125    (process.name : "*chrome*.exe" and not
126      (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
127    ) or
128
129    /* Firefox */
130    (process.name : "*firefox*.exe" and not
131      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
132    ) or
133
134    /* Edge */
135    (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not
136      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
137    ) or
138
139    /* Brave */
140    (process.name : "*brave*.exe" and not
141      (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true)
142    ) or
143
144    /* GoogleCloud Related Tools */
145    (process.name : "*GoogleCloud*.exe" and not
146      (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true)
147    ) or
148
149    /* Github Related Tools */
150    (process.name : "*github*.exe" and not
151      (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true)
152    ) or
153
154    /* Notion */
155    (process.name : "*notion*.exe" and not
156      (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true)
157    )
158  )
159'''
160
161
162[[rule.threat]]
163framework = "MITRE ATT&CK"
164[[rule.threat.technique]]
165id = "T1036"
166name = "Masquerading"
167reference = "https://attack.mitre.org/techniques/T1036/"
168
169[[rule.threat.technique.subtechnique]]
170id = "T1036.001"
171name = "Invalid Code Signature"
172reference = "https://attack.mitre.org/techniques/T1036/001/"
173
174[[rule.threat.technique.subtechnique]]
175id = "T1036.005"
176name = "Match Legitimate Name or Location"
177reference = "https://attack.mitre.org/techniques/T1036/005/"
178
179
180[rule.threat.tactic]
181id = "TA0005"
182name = "Defense Evasion"
183reference = "https://attack.mitre.org/tactics/TA0005/"
184
185[[rule.threat]]
186framework = "MITRE ATT&CK"
187[[rule.threat.technique]]
188id = "T1189"
189name = "Drive-by Compromise"
190reference = "https://attack.mitre.org/techniques/T1189/"
191
192
193[rule.threat.tactic]
194id = "TA0001"
195name = "Initial Access"
196reference = "https://attack.mitre.org/tactics/TA0001/"
197
198[[rule.threat]]
199framework = "MITRE ATT&CK"
200[[rule.threat.technique]]
201id = "T1204"
202name = "User Execution"
203reference = "https://attack.mitre.org/techniques/T1204/"
204[[rule.threat.technique.subtechnique]]
205id = "T1204.002"
206name = "Malicious File"
207reference = "https://attack.mitre.org/techniques/T1204/002/"
208
209
210
211[rule.threat.tactic]
212id = "TA0002"
213name = "Execution"
214reference = "https://attack.mitre.org/tactics/TA0002/"
