Adversaries may manipulate the name of a task or service to make it appear legitimate or benign. Tasks and services executed by the Windows Task Scheduler or systemd are typically given a name and/or description.[1][2] Windows services carry both a service name (the key under which the Service Control Manager stores them) and a display name. Many benign tasks and services exist whose names are widely recognized, and adversaries may give their own tasks or services names that are similar or identical to those of legitimate ones, including near-miss spellings, appended suffixes, or hidden characters that leave the name looking unchanged on screen.
Tasks and services also contain other fields, such as a description, that adversaries may attempt to make appear legitimate.[3][4]
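The following detection heuristic is an added example and is not code from the ATT&CK page or from any vendor tool. It compares enumerated Windows services against a baseline of known-good service names, display names and executables, and flags the naming tricks this technique relies on: hidden or non-ASCII characters such as a trailing no-break space, names that equal a baseline name only after Unicode normalization, typo-squats one edit away (the "mstdc" versus "msdtc" pattern) or baseline names with a suffix appended, services whose name matches baseline but whose executable does not, and services absent from the baseline altogether. The `BASELINE` table and the `SAMPLE` records are constructed for the example (the samples are modelled on entries in the procedure table, with invented image paths); a real deployment would export the baseline from a clean reference host.

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: service name -> (display name, expected executable).
# Assumption: exported from a clean golden image; a real baseline is far larger.
BASELINE: Dict[str, tuple] = {
    "wuauserv": ("Windows Update", r"C:\Windows\System32\svchost.exe"),
    "msdtc": ("Distributed Transaction Coordinator", r"C:\Windows\System32\msdtc.exe"),
    "wmiApSrv": ("WMI Performance Adapter", r"C:\Windows\System32\wbem\WmiApSrv.exe"),
    "Schedule": ("Task Scheduler", r"C:\Windows\System32\svchost.exe"),
    "PlugPlay": ("Plug and Play", r"C:\Windows\System32\svchost.exe"),
}


@dataclass
class ServiceRecord:
    name: str          # SCM key name under HKLM\SYSTEM\CurrentControlSet\Services
    display_name: str  # what services.msc shows
    image_path: str    # ImagePath value, possibly quoted and carrying arguments


def hidden_chars(s: str) -> List[str]:
    """Code points an analyst would not see in a service list: controls, format chars,
    non-ASCII spaces (the no-break space trick) and any other non-ASCII character."""
    out = []
    for c in s:
        cat = unicodedata.category(c)
        if ord(c) > 0x7F or cat in ("Cc", "Cf") or (cat.startswith("Z") and c != " "):
            out.append(f"U+{ord(c):04X}")
    return out


def normalize(s: str) -> str:
    """Fold a name the way the eye does: NFKC, drop invisible chars, collapse spaces, ignore case."""
    s = unicodedata.normalize("NFKC", s)
    s = "".join(c for c in s if unicodedata.category(c) not in ("Cc", "Cf"))
    return " ".join(s.split()).casefold()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (msdtc -> mstdc is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_of(image_path: str) -> str:
    """Pull the binary out of an ImagePath: the quoted path if quoted, else the first token."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split()[0] if p else ""


def near_miss(norm: str, legit_norm: str) -> Optional[str]:
    """Describe how `norm` resembles `legit_norm` without equalling it, or None."""
    if norm == legit_norm:
        return None
    if osa_distance(norm, legit_norm) <= 1:      # typo-squat, e.g. mstdc vs msdtc
        return "is one edit away from"
    tail = norm[len(legit_norm):]
    if norm.startswith(legit_norm) and (tail.startswith(" ") or tail.isdigit()):
        return "appends a suffix to"             # e.g. "... Adapter Extension", "... Agent1"
    return None


def assess(rec: ServiceRecord) -> List[str]:
    """Findings for one service; an empty list means it matches the baseline cleanly."""
    findings: List[str] = []
    matched_keys: List[str] = []  # baseline entries this service claims to be
    checks = (("service name", rec.name, {k: k for k in BASELINE}),
              ("display name", rec.display_name, {k: v[0] for k, v in BASELINE.items()}))
    for label, raw, legit_by_key in checks:
        hidden = hidden_chars(raw)
        if hidden:
            findings.append(f"{label} {raw!r} contains hidden/non-ASCII characters {hidden}")
        norm = normalize(raw)
        for key, legit in legit_by_key.items():
            legit_norm = normalize(legit)
            if norm == legit_norm:
                matched_keys.append(key)
                if raw.casefold() != legit.casefold():
                    findings.append(f"{label} {raw!r} equals baseline {legit!r} only after normalization")
            else:
                why = near_miss(norm, legit_norm)
                if why:
                    findings.append(f"{label} {raw!r} {why} baseline {legit!r}")
    if len(set(matched_keys)) > 1:
        findings.append(f"service name and display name belong to different baseline entries {sorted(set(matched_keys))}")
    if matched_keys:
        expected = BASELINE[matched_keys[0]][1]
        actual = executable_of(rec.image_path)
        if actual.casefold() != expected.casefold():
            findings.append(f"claims to be {matched_keys[0]!r} but runs {actual!r}, expected {expected!r}")
    elif not findings:
        findings.append("not in baseline: new service, review manually")
    return findings


# Constructed sample modelled on the procedure table (paths are invented, not real telemetry).
SAMPLE = [
    ServiceRecord("wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ServiceRecord("mstdc", "Distributed Transaction Coordinator", r"C:\Windows\Temp\PSEXESVC.exe"),
    ServiceRecord("wmiApSrv\u00a0", "WMI Performance Adapter Extension", r"C:\ProgramData\wmiapsrv.exe"),
    ServiceRecord("wsmprovav", "Windows Check AV", r"C:\Windows\Temp\wsmprovav.exe"),
]


def scan(records: List[ServiceRecord]) -> Dict[str, List[str]]:
    return {r.name: assess(r) for r in records}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE).items():
        print(repr(name), "->", findings or ["ok"])
```

On a live host the records would come from `Get-CimInstance Win32_Service | Select-Object Name, DisplayName, PathName`, and the same three checks (hidden characters, normalized or near-miss name collisions, executable outside the expected location) apply unchanged to scheduled task names and systemd unit names. Exact baseline matches take precedence over the suffix rule, so a legitimate "Windows Update Medic Service" only trips it if it is missing from the baseline; an incomplete baseline is therefore the main source of noise.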
ID | Name | Description |
---|---|---|
C0034 | 2022 Ukraine Electric Power Attack | During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.[5] |
G0099 | APT-C-36 | APT-C-36 has disguised its scheduled tasks as those used by Google.[6] |
G0050 | APT32 | APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[7] |
G0096 | APT41 | APT41 has created services to appear as benign system tools.[8] |
C0040 | APT41 DUST | APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as |
G0143 | Aquatic Panda | Aquatic Panda created new, malicious services using names such as |
S0438 | Attor | Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).[11] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[12] |
S0534 | Bazar | |
G1002 | BITTER | BITTER has disguised malware as a Windows Security update service.[14] |
S1070 | Black Basta | Black Basta has established persistence by creating a new service named |
S0471 | build_downer | build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[18] |
C0017 | C0017 | During C0017, APT41 used |
G0008 | Carbanak | Carbanak has copied legitimate service names to use for malicious services.[20] |
S0261 | Catchamas | Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.[21] |
S0126 | ComRAT | ComRAT has used a task name associated with Windows SQM Consolidator.[22] |
S0538 | Crutch | Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[23] |
S0527 | CSPY Downloader | CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[24] |
S1033 | DCSrv | DCSrv has masqueraded its service as a legitimate svchost.exe process.[25] |
S1052 | DEADEYE | DEADEYE has used |
S1134 | DEADWOOD | DEADWOOD will attempt to masquerade its service execution using benign-looking names such as |
S0554 | Egregor | Egregor has masqueraded the svchost.exe process to exfiltrate data.[27] |
S0367 | Emotet | Emotet has installed itself as a new service with the service name |
S0343 | Exaramel for Windows | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[29] |
G1016 | FIN13 | FIN13 has used scheduled task names such as |
G0037 | FIN6 | FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[31] |
G0046 | FIN7 | FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[32] |
G0117 | Fox Kitten | Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.[33] |
C0001 | Frankenstein | During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[34] |
S1044 | FunnyDream | FunnyDream has used a service named |
S0410 | Fysbis | Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[4] |
S0588 | GoldMax | GoldMax has impersonated systems management software to avoid detection.[36] |
S0690 | Green Lambert | Green Lambert has created a new executable named |
S1027 | Heyoka Backdoor | Heyoka Backdoor has been named |
G0126 | Higaisa | Higaisa named a shellcode loader binary |
S0601 | Hildegard | Hildegard has disguised itself as a known Linux process.[42] |
S0259 | InnaputRAT | InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.[43] |
S0260 | InvisiMole | InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.[44] |
S0581 | IronNetInjector | IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[45] |
S0607 | KillDisk | KillDisk registers as a service under the Plug-And-Play Support name.[46] |
G0094 | Kimsuky | Kimsuky has disguised services to appear as benign software or related to operating system functions.[47] |
S0356 | KONNI | KONNI has pretended to be the xmlProv Network Provisioning service.[48] |
C0035 | KV Botnet Activity | KV Botnet Activity installation steps include first identifying, then stopping, any process containing |
S0236 | Kwampirs | Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[50] |
G0032 | Lazarus Group | Lazarus Group has used a scheduled task named |
S0409 | Machete | Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[52] |
G0059 | Magic Hound | Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[53] |
S0449 | Maze | Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[54] |
S0688 | Meteor | Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[55] |
G0019 | Naikon | Naikon renamed a malicious service |
S0630 | Nebulae | Nebulae has created a service named "Windows Update Agent1" to appear legitimate.[56] |
S0118 | Nidiran | Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.[57][58] |
S1090 | NightClub | NightClub has created a service named |
S0439 | Okrum | Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[60] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services, such as naming a LaunchAgent plist file |