Potential Masquerading as Communication Apps

Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.

Elastic rule

[metadata]
creation_date = "2023/05/05"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to
conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
risk_score = 47
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and
  event.type == "start" and
  (
    /* Slack */
    (process.name : "slack.exe" and not
      (process.code_signature.subject_name : (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
       ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "WebexHost.exe" and not
      (process.code_signature.subject_name : ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "Teams.exe" and not
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "Discord.exe" and not
      (process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* RocketChat */
    (process.name : "Rocket.Chat.exe" and not
      (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
    ) or

    /* Mattermost */
    (process.name : "Mattermost.exe" and not
      (process.code_signature.subject_name : "Mattermost, Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "WhatsApp.exe" and not
      (process.code_signature.subject_name : (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : "Zoom.exe" and not
      (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "outlook.exe" and not
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Thunderbird */
    (process.name : "thunderbird.exe" and not
      (process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true)
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Communication Apps

Communication apps are integral to modern workflows, facilitating seamless interaction. However, adversaries can exploit these apps by masquerading malicious processes as legitimate ones, bypassing security measures and deceiving users. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures. This helps in flagging potential threats that mimic trusted communication tools, aiding in defense evasion detection.

### Possible investigation steps

- Review the process name and code signature details to confirm if the process is indeed masquerading as a legitimate communication app. Check if the process name matches any of the specified apps like slack.exe, WebexHost.exe, etc., and verify the code signature subject name and trust status.
- Investigate the origin of the executable file by checking its file path and creation date. Determine if it was recently added or modified, which might indicate suspicious activity.
- Analyze the parent process to understand how the suspicious process was initiated. This can provide insights into whether it was launched by a legitimate application or a potentially malicious script or program.
- Check for any network connections initiated by the suspicious process. Look for unusual or unauthorized external connections that might suggest data exfiltration or command and control communication.
- Review recent system logs and security alerts for any related activities or anomalies that coincide with the start of the suspicious process. This can help identify if the process is part of a larger attack pattern.
- Consult threat intelligence sources to see if there are any known indicators of compromise (IOCs) associated with the process or its hash value, which can help in assessing the threat level.

### False positive analysis

- Legitimate software updates or installations may temporarily result in unsigned or improperly signed processes. Users can create exceptions for known update processes to prevent false positives during these periods.
- Custom or internally developed communication tools that mimic the names of popular apps might trigger alerts. Ensure these tools are properly signed and add them to an allowlist if they are trusted.
- Some third-party security or monitoring tools may interact with communication apps in a way that alters their signature status. Verify the legitimacy of these tools and consider excluding them from the rule if they are deemed safe.
- In environments where communication apps are deployed via non-standard methods, such as portable versions, ensure these versions are signed correctly or add them to an exception list if they are verified as safe.
- Temporary network issues or system misconfigurations might cause legitimate apps to appear unsigned. Regularly audit and correct any network or system issues to minimize these occurrences.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.
- Terminate any suspicious processes identified by the detection rule that are masquerading as communication apps, ensuring they are not legitimate processes.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files or software.
- Review and validate the code signatures of all communication apps on the affected system to ensure they are properly signed by trusted entities.
- Restore any compromised systems from a known good backup to ensure the integrity of the system and data.
- Monitor network traffic and system logs for any signs of lateral movement or further attempts to exploit communication apps.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
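The query above boils down to one decision per process-start event: the process name is on the watch list, and the binary is not both signed by the expected subject and trusted. The following is an added example, not Elastic's code or part of the rule, that re-implements that decision in Python over a handful of constructed events so the match and no-match cases (untrusted signature, missing signature, wrong signer, case differences, non-Windows host) can be compared side by side. It uses the ECS field names from the query; the `make_event` helper, the sample labels and the "Example Signer Co." subject are assumptions made for illustration.

```python
# Added example: re-implementation of the rule's decision logic, not Elastic's code.
# Event shapes follow the ECS fields the EQL query reads.

# Expected signer per process name, mirroring the query. Names are lowercased
# because the EQL ':' operator compares strings case-insensitively.
EXPECTED_SIGNERS = {
    "slack.exe": {"Slack Technologies, Inc.", "Slack Technologies, LLC"},
    "webexhost.exe": {"Cisco WebEx LLC", "Cisco Systems, Inc."},
    "teams.exe": {"Microsoft Corporation"},
    "discord.exe": {"Discord Inc."},
    "rocket.chat.exe": {"Rocket.Chat Technologies Corp."},
    "mattermost.exe": {"Mattermost, Inc."},
    "whatsapp.exe": {"WhatsApp LLC", "WhatsApp, Inc",
                     "24803D75-212C-471A-BC57-9EF86AB91435"},
    "zoom.exe": {"Zoom Video Communications, Inc."},
    "outlook.exe": {"Microsoft Corporation"},
    "thunderbird.exe": {"Mozilla Corporation"},
}


def matches_rule(event: dict) -> bool:
    """Return True when the event would match the rule's EQL query."""
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()
    expected = EXPECTED_SIGNERS.get(name)
    if expected is None:
        return False  # not one of the watched communication apps
    sig = proc.get("code_signature") or {}
    subject = sig.get("subject_name")
    # A missing subject_name or trusted field can never satisfy the inner
    # condition, so an unsigned binary with a watched name always matches.
    signed_by_expected = (
        subject is not None
        and subject.lower() in {s.lower() for s in expected}
    )
    trusted = sig.get("trusted") is True
    return not (signed_by_expected and trusted)


def make_event(name, subject=None, trusted=None,
               os_type="windows", event_type="start") -> dict:
    """Hypothetical helper that builds a minimal ECS-shaped process event."""
    ev = {"host": {"os": {"type": os_type}},
          "event": {"type": event_type},
          "process": {"name": name}}
    if subject is not None or trusted is not None:
        cs = {}
        if subject is not None:
            cs["subject_name"] = subject
        if trusted is not None:
            cs["trusted"] = trusted
        ev["process"]["code_signature"] = cs
    return ev


# Constructed sample events (labelled), not real telemetry.
SAMPLE_EVENTS = [
    ("legit-slack", make_event("slack.exe", "Slack Technologies, LLC", True)),
    ("untrusted-slack", make_event("slack.exe", "Slack Technologies, LLC", False)),
    ("unsigned-teams", make_event("Teams.exe")),
    ("wrong-signer-zoom", make_event("Zoom.exe", "Example Signer Co.", True)),
    ("case-discord", make_event("DISCORD.EXE", "discord inc.", True)),
    ("not-windows", make_event("Zoom.exe", "Example Signer Co.", True, os_type="linux")),
    ("unlisted-name", make_event("notepad.exe")),
    ("not-a-start", make_event("Teams.exe", event_type="end")),
]


def run_rule(events) -> list:
    """Return the labels of the sample events the rule would alert on."""
    return [label for label, ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for label in run_rule(SAMPLE_EVENTS):
        print("ALERT:", label)
```

Two behaviours worth noting when tuning this rule: an event with no `process.code_signature` fields at all matches (the inner `and` cannot be satisfied), which is what catches unsigned copies; and because `:` is case-insensitive, a renamed binary is only caught when its name collides with a watched name, so a mismatched signer on an otherwise correct name is the strongest signal the rule produces.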
