{
	"id": "5f5169ad-eb8b-417f-9a5e-a6bd7fc51429",
	"created_at": "2026-04-06T03:37:57.588719Z",
	"updated_at": "2026-04-10T03:21:42.289084Z",
	"deleted_at": null,
	"sha1_hash": "cb26486c37eaa1a675078ebc7178e62f8ec9a45a",
	"title": "How to hunt: The masquerade ball",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43489,
	"plain_text": "How to hunt: The masquerade ball\r\nBy Paul Ewing\r\nPublished: 2016-10-31 · Archived: 2026-04-06 03:14:31 UTC\r\nEditor’s Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog\r\ncontent to elastic.co. See Elastic Security to learn more about our integrated security solutions.\r\nMasquerading was once conducted by the wealthiest elite at elaborate dances, allowing them to take on the guise\r\nof someone else and hide amidst the crowd. Today, we see digital masquerading used by the most sophisticated as\r\nwell as less skilled adversaries to hide in the noise while conducting operations. We continue our series on hunting\r\nfor specific adversary techniques and get into the Halloween spirit by demonstrating how to hunt for\r\nmasquerading. So let’s start the masquerade ball and hunt for a simple but more devious defense evasion\r\ntechnique.\r\nDefense Evasion\r\nIn nature, camouflage is a time-proven, effective defensive technique which enables the hunted to evade the\r\nhunters. It shouldn’t come as any surprise that attackers have adopted this strategy for defense evasion during\r\ncyber exploitation, hiding in plain sight by resembling common filenames and paths you would expect within a\r\ntypical environment. By adopting common filenames and paths, attackers blend into and persist within\r\nenvironments, evading many defensive techniques.\r\nPart of the attacker’s tradecraft is to avoid detection. We can look to frameworks, like Mitre’s ATT\u0026CK™, to\r\nguide us through the adversary lifecycle. 
We’ve shown how it’s useful for hunting for persistence (as our COM\r\nhijacking post demonstrated) and it also covers the broad range of attacker techniques, including defense evasion.\r\nDLL search order hijacking, UAC bypassing, and time stomping are all effective for defense evasion, as is the one\r\nwe will discuss today - masquerading.\r\nAttackers use these defense evasion techniques to blend in, making them easy to miss when hunting, especially\r\nwhen dealing with huge amounts of data from thousands of hosts. Let’s start with some DIY methods to hunt for\r\nmasquerading, which require an inspection of persistent or running process file names or paths.\r\nThe Masquerading Approach\r\nWe previously explored hunting for uncommon filepaths, which is a simple approach for detecting suspicious\r\nfiles. We can expand on this method by understanding masquerading. Let’s focus on two different masquerading\r\ntechniques:\r\n1. Filename masquerading where legitimate Windows filenames appear in a non-conventional location.\r\n2. Filename mismatching where filenames on disk differ from those in the resource section of the compiled\r\nbinary.\r\nhttps://www.elastic.co/blog/how-hunt-masquerade-ball\r\nPage 1 of 3\n\nFilename Masquerading\r\nFor filename masquerading, you need to first build the list of files which have masquerade potential. We’ll call\r\nthat the anchor list. A good approach is installing a clean base image representative of your environment (a fresh\r\ninstall of Windows will do). Next, you need to choose which files you care about. Like most things, there is a lazy\r\napproach and an approach that takes a little more effort, but will probably give you more meaningful results with\r\nless noise. 
To build your anchor list the lazy way, simply enumerate all files in C:\\Windows including the filename\r\nand path and use that as your anchor list.\r\nHowever, there is a huge number of filenames in this list, and you should ask yourself questions about the\r\nlikelihood of an adversarial masquerade before putting a name in the anchor list. After all, it isn’t much of a masquerade\r\nif the legitimate filename seen in a process list or anywhere else might cause someone to question its legitimacy,\r\neven if it’s a system file, such as NetCfgNotifyObjectHost.exe. So, put in a bit more work and make a custom list\r\nof native Windows files, such as svchost, lsass, wininit, smss, and logonui, which show up constantly and are\r\nlikely to be passed over if an experienced but rushed investigator is inspecting the name. It is also a good idea for\r\nthe anchor list to include names for other common applications you expect to find in your environment, such as\r\nreader_sl.exe, winword.exe, and more.\r\nOnce the anchor list is compiled, you can start using it during your hunt operations. List the running processes,\r\npersistent files, or some other file-backed artifact you’re interested in. Compare those names to the anchor list. Do\r\nthe filenames match? There will be many matches. What about the filepaths? If those do not match, you know where to target\r\nyour hunt. There are legitimate reasons for this happening (users do unexpected things), but locating this simple\r\ndefensive evasion technique is a good way to find intrusions.\r\nWe’d also recommend some additional triage of results before calling this a legitimate detection and embarking on\r\nan incident response. Easy things to do include checking hashes against the masquerade target in the anchor list. If\r\nit’s a match, it’s probably a false alarm. Also check the signer information for the file as we discussed in the\r\nprevious post. 
Be sure to avoid being too trusting of the name on the cert, as actors sometimes can get code\r\nsigning certs that look similar to something legitimate...but that’s a topic for another day.\r\nIf you find this approach worthwhile, you will have to keep your anchor list updated. Software changes, and if you\r\ndon’t change with it, you’ll have gaps in your analysis.\r\nFilename Mismatch\r\nWhy stop at simply comparing files to your anchor list when more can be done? In this bonus masquerading\r\napproach, let’s look at filenames on disk and from the resource section of the binary. There’s a wealth of additional\r\ninformation here, including the MS Version info. As Microsoft notes, it includes the original name of the file, but does\r\nnot include a path. This can inform you whether the file has been renamed by a user.\r\nObviously, if the filename on disk doesn’t match the original file name, there are generally two possibilities: either\r\nthe user renamed it, or maybe someone brought a tool with them, but doesn’t want you to know. Let’s take DLL\r\nimplants for example. Many APT groups have brought rundll32 with them, as opposed to using the native\r\nWindows version. APT groups aren’t the only ones masquerading. Everyone does this!\r\nEndgame @ the Masquerade Ball\r\nCrafting your own anchor list, regularly updating it, and manually comparing the list to your hunt data or adding\r\nthis analytic to your bag of post-processing scripts may work for some, but it calls for routine grooming. 
Let’s take\r\na look at how easy it is to hunt for masquerading using Endgame, where we provide this as one of the many one-click automations in the platform.\r\nConclusion\r\nWho amongst us doesn’t love to use Halloween as an excuse to masquerade as someone, or something, else?\r\nUnfortunately, adversaries embrace this mentality year round, hiding in plain sight, actively evading detection, and\r\ntrying to blend in. Clever use of masquerading within filenames can make their activities difficult to detect. While\r\nthere are manual means to detect mismatches and masquerading, this can be time intensive and may not scale well\r\nto larger environments. Thanks to Endgame’s advanced detection capabilities, in a few clicks we are able to\r\nquickly catch those masqueraders, remediate the intrusion early, and get back to the ball.\r\nSource: https://www.elastic.co/blog/how-hunt-masquerade-ball",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/blog/how-hunt-masquerade-ball"
	],
	"report_names": [
		"how-hunt-masquerade-ball"
	],
	"threat_actors": [],
	"ts_created_at": 1775446677,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb26486c37eaa1a675078ebc7178e62f8ec9a45a.pdf",
		"text": "https://archive.orkl.eu/cb26486c37eaa1a675078ebc7178e62f8ec9a45a.txt",
		"img": "https://archive.orkl.eu/cb26486c37eaa1a675078ebc7178e62f8ec9a45a.jpg"
	}
}