Potential Masquerading as Communication Apps
Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
Elastic rule
[metadata]
creation_date = "2023/05/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to
conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
risk_score = 47
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and
  event.type == "start" and
  (
    /* Slack */
    (process.name : "slack.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
      ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "WebexHost.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "Teams.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "Discord.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* RocketChat */
    (process.name : "Rocket.Chat.exe" and not
      (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
    ) or

    /* Mattermost */
    (process.name : "Mattermost.exe" and not
      (process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "WhatsApp.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
      ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : "Zoom.exe" and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "outlook.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Thunderbird */
    (process.name : "thunderbird.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Communication Apps

Communication apps are integral to modern workflows, facilitating seamless interaction. However, adversaries can exploit these apps by masquerading malicious processes as legitimate ones, bypassing security measures and deceiving users. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures. This helps in flagging potential threats that mimic trusted communication tools, aiding in defense evasion detection.

### Possible investigation steps

- Review the process name and code signature details to confirm if the process is indeed masquerading as a legitimate communication app. Check if the process name matches any of the specified apps like slack.exe, WebexHost.exe, etc., and verify the code signature subject name and trust status.
- Investigate the origin of the executable file by checking its file path and creation date. Determine if it was recently added or modified, which might indicate suspicious activity.
- Analyze the parent process to understand how the suspicious process was initiated. This can provide insights into whether it was launched by a legitimate application or a potentially malicious script or program.
- Check for any network connections initiated by the suspicious process. Look for unusual or unauthorized external connections that might suggest data exfiltration or command and control communication.
- Review recent system logs and security alerts for any related activities or anomalies that coincide with the start of the suspicious process. This can help identify if the process is part of a larger attack pattern.
- Consult threat intelligence sources to see if there are any known indicators of compromise (IOCs) associated with the process or its hash value, which can help in assessing the threat level.

### False positive analysis

- Legitimate software updates or installations may temporarily result in unsigned or improperly signed processes. Users can create exceptions for known update processes to prevent false positives during these periods.
- Custom or internally developed communication tools that mimic the names of popular apps might trigger alerts. Ensure these tools are properly signed and add them to an allowlist if they are trusted.
- Some third-party security or monitoring tools may interact with communication apps in a way that alters their signature status. Verify the legitimacy of these tools and consider excluding them from the rule if they are deemed safe.
- In environments where communication apps are deployed via non-standard methods, such as portable versions, ensure these versions are signed correctly or add them to an exception list if they are verified as safe.
- Temporary network issues or system misconfigurations might cause legitimate apps to appear unsigned. Regularly audit and correct any network or system issues to minimize these occurrences.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.
- Terminate any suspicious processes identified by the detection rule that are masquerading as communication apps, ensuring they are not legitimate processes.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files or software.
- Review and validate the code signatures of all communication apps on the affected system to ensure they are properly signed by trusted entities.
- Restore any compromised systems from a known good backup to ensure the integrity of the system and data.
- Monitor network traffic and system logs for any signs of lateral movement or further attempts to exploit communication apps.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
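The query above, re-implemented as an added example that is not Elastic's code: a Python version of the rule's per-event test, run over constructed process-start events so the three ways the negated signer check can fire are visible side by side. The signer allowlist is transcribed from the query. EQL's `:` operator compares `process.name` case-insensitively while `==` and `in` compare `process.code_signature.subject_name` exactly, so the lookup key is lower-cased but the signer strings are kept verbatim. The sample events, their paths and the signer "Contoso Ltd" are constructed, not real telemetry.

```python
"""Added example (not Elastic's code): the rule's matching logic re-implemented
in Python and run over constructed process-start events."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Signer allowlist per process name, transcribed from the rule's query.
# EQL ':' matches process.name case-insensitively, so keys are lower-cased;
# EQL '==' / 'in' compare subject_name exactly, so signer strings stay verbatim.
EXPECTED_SIGNERS: Dict[str, Set[str]] = {
    "slack.exe": {"Slack Technologies, Inc.", "Slack Technologies, LLC"},
    "webexhost.exe": {"Cisco WebEx LLC", "Cisco Systems, Inc."},
    "teams.exe": {"Microsoft Corporation"},
    "discord.exe": {"Discord Inc."},
    "rocket.chat.exe": {"Rocket.Chat Technologies Corp."},
    "mattermost.exe": {"Mattermost, Inc."},
    "whatsapp.exe": {"WhatsApp LLC", "WhatsApp, Inc",
                     "24803D75-212C-471A-BC57-9EF86AB91435"},
    "zoom.exe": {"Zoom Video Communications, Inc."},
    "outlook.exe": {"Microsoft Corporation"},
    "thunderbird.exe": {"Mozilla Corporation"},
}


@dataclass
class ProcessEvent:
    """Subset of the ECS fields the query reads. subject_name/trusted of None
    model process.code_signature.* being absent, i.e. an unsigned binary."""
    os_type: str
    event_type: str
    name: str
    executable: str
    subject_name: Optional[str] = None
    trusted: Optional[bool] = None


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return None when the event would not match the rule, otherwise a short
    reason saying which half of the negated signer check failed."""
    if ev.os_type != "windows" or ev.event_type != "start":
        return None
    signers = EXPECTED_SIGNERS.get(ev.name.lower())
    if signers is None:
        return None  # not one of the monitored process names
    # The query's positive branch: expected subject AND trusted == true.
    if ev.subject_name in signers and ev.trusted is True:
        return None
    if ev.subject_name is None:
        return "unsigned"
    if ev.subject_name not in signers:
        return f"unexpected signer {ev.subject_name!r}"
    return "signature not trusted"


def run(events: List[ProcessEvent]) -> Dict[str, str]:
    """Map executable path -> reason for every event the rule would alert on."""
    alerts: Dict[str, str] = {}
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            alerts[ev.executable] = reason
    return alerts


# Constructed sample telemetry; paths and the signer "Contoso Ltd" are made up.
SAMPLE_EVENTS: List[ProcessEvent] = [
    # Legitimate install: expected signer, trusted chain -> no alert.
    ProcessEvent("windows", "start", "slack.exe",
                 r"C:\Users\alice\AppData\Local\slack\slack.exe",
                 "Slack Technologies, LLC", True),
    # Unsigned binary using the name in upper case -> ':' still matches.
    ProcessEvent("windows", "start", "SLACK.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\SLACK.EXE"),
    # Right subject string but the signature did not verify (T1036.001).
    ProcessEvent("windows", "start", "Teams.exe",
                 r"C:\Program Files\Teams\Teams.exe",
                 "Microsoft Corporation", False),
    # Valid signature from the wrong vendor: a renamed binary (T1036.005).
    ProcessEvent("windows", "start", "outlook.exe",
                 r"C:\Users\alice\Downloads\outlook.exe",
                 "Contoso Ltd", True),
    # Not a monitored name -> ignored even though unsigned.
    ProcessEvent("windows", "start", "notepad.exe",
                 r"C:\Windows\System32\notepad.exe"),
    # Wrong OS -> the host.os.type guard drops it.
    ProcessEvent("linux", "start", "slack.exe", "/opt/slack/slack.exe"),
]

if __name__ == "__main__":
    for path, reason in run(SAMPLE_EVENTS).items():
        print(f"ALERT {reason}: {path}")
```

Running it alerts on three of the six events. The unsigned `SLACK.EXE` in a Temp folder and the `outlook.exe` carrying a valid signature from an unrelated vendor are the "unsigned and renamed" cases the description refers to; the `Teams.exe` whose subject string is right but whose signature did not verify is the T1036.001 case. The first false-positive bullet in the guide (update or install processes that are momentarily unsigned) would surface through the same "unsigned" branch, which is why exceptions for those are keyed on path or hash rather than on relaxing the signer check.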
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Command Shell Activity Started via RunDLL32
- DNS Global Query Block List Modified or Disabled
- DNS-over-HTTPS Enabled via Registry
- Delayed Execution via Ping