10/30/2018
The Masquerade Ball: Train Yourself to Detect Spoofed Files
The State of Security
Masquerading is a technique in which a malicious file is given a name that closely resembles the name of a trusted one.
This specific technique is outlined in detail in the MITRE ATT&CK framework as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, masqueraded file names are not always that easy to spot. Let’s go through a quick exercise and test your masquerading chops. Which of the following executables is the malicious one?
- Conhost.exe
- Explorer.exe
- Lsalso.exe
- Lsass.exe
- Rdpclip.exe
- Spoolsv.exe
- Svchost.exe
- Svhost.exe
Some of these may seem more familiar than others, such as conhost, explorer, and lsass. Others might be somewhat new to you, such as lsalso or rdpclip. The tricky part for most comes with the final three. Spoolsv is the print spooler service. Svchost is a system process used to launch Windows Services. Svhost is the malicious outlier: it tries to hide by abbreviating “service” as “sv”, the way the spoolsv executable does, rather than the expected “svc” used by the legitimate svchost executable.
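The exercise above can be turned into a simple detection rule. The following is an added example (not code from the original article): it compares observed process names against an allowlist built from the quiz, normalizes common digit-for-letter substitutions such as explor3r, and flags any name within a small edit distance of a legitimate binary. The allowlist, the substitution table and the sample process list are assumptions constructed for the example.

```python
# Added example: flag process names that imitate known Windows system binaries,
# the pattern the quiz above teaches (svhost.exe vs svchost.exe, explor3r.exe vs explorer.exe).
from typing import Dict, List, Optional

# Allowlist of legitimate names taken from the quiz; a real deployment would use a
# fuller, version-specific inventory of the system's own binaries.
KNOWN_GOOD = {"conhost.exe", "explorer.exe", "lsalso.exe", "lsass.exe",
              "rdpclip.exe", "spoolsv.exe", "svchost.exe"}

# Digit-for-letter substitutions commonly used to mimic a trusted name (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_known(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the allowlisted name this one imitates, or None if it is exact or unrelated."""
    if name.lower() in KNOWN_GOOD:
        return None
    normalized = name.lower().translate(HOMOGLYPHS)
    best = min(KNOWN_GOOD, key=lambda k: levenshtein(normalized, k))
    return best if levenshtein(normalized, best) <= max_distance else None

def triage(process_names: List[str]) -> Dict[str, str]:
    """Map each suspicious name to the legitimate binary it resembles."""
    findings = {}
    for name in process_names:
        match = closest_known(name)
        if match:
            findings[name] = match
    return findings

if __name__ == "__main__":
    # Constructed sample of process names, as they might appear in a process listing.
    sample = ["conhost.exe", "Svhost.exe", "explor3r.exe", "lsass.exe", "notepad.exe"]
    for bad, good in triage(sample).items():
        print(f"{bad} resembles {good}")
```

Names that are neither exact allowlist matches nor close to one (notepad.exe in the sample) produce no finding, so the rule only surfaces lookalikes rather than every unknown process.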