Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0117: Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution

DET0117 is a detection strategy for finding tasks or services that are named to look legitimate while behaving suspiciously. For leaders, the value is pers...

EnterpriseDET0117Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0117 is a detection strategy for finding tasks or services that are named to look legitimate while behaving suspiciously. For leaders, the value is persistence and stealth validation: scheduled tasks, systemd units, and Windows services can blend into normal administration, so organizations need evidence that they can distinguish expected operational automation from masqueraded entries tied to ATT&CK technique T1036.004.

Executive priority

Prioritize this as a resilience and incident-readiness control area where Windows, Linux, or macOS task/service mechanisms are important to operations. Ask whether SOC and IR teams can quickly answer: what tasks and services exist, who created or changed them, whether their names resemble trusted components, and what they execute. This supports audit evidence, managed detection quality, and faster containment decisions during suspected stealth or persistence activity.

Technical view

The supplied ATT&CK relationship maps this strategy to Masquerade Task or Service (T1036.004), a stealth technique affecting Linux, macOS, and Windows. Because the official detection text and platforms for DET0117 are not provided, teams should validate locally against task/service inventory and execution data rather than assume ATT&CK-defined analytics. Focus on suspicious combinations: misleading or near-legitimate names, unusual descriptions, unexpected executable paths, recently created or modified tasks/services, abnormal parent/child process behavior, and task/service execution outside normal administrative patterns.

Likely telemetry

  • Scheduled task creation, modification, deletion, and execution records where available
  • Windows service creation/modification and service start events where relevant
  • systemd unit creation, modification, enablement, and start activity on Linux where relevant
  • Process execution telemetry showing the binary, command line, parent process, user, and execution path
  • File-system metadata for task/service definitions and referenced executables

Detection direction

  • Build or validate baselines of legitimate tasks and services, including expected names, descriptions, executable paths, owners, and normal execution frequency.
  • Tune for lookalike or misleading names only when paired with suspicious execution context; name similarity alone can create false positives in large enterprises.
  • Correlate task/service creation or modification with subsequent process execution to distinguish dormant configuration changes from operational risk.
  • Review administrative tooling and software deployment patterns to reduce noise from legitimate IT automation.
  • Check coverage separately across Windows services, scheduled tasks, and systemd-style service units because telemetry depth and naming conventions differ by environment.

Mitigation priorities

  • Establish authoritative inventories and ownership for business-critical tasks and services.
  • Restrict who can create or modify scheduled tasks, services, and service-unit definitions using least privilege and administrative change control.
  • Monitor and review changes to task/service definitions, especially changes that introduce new executable paths or privileged execution.
  • Harden endpoint logging and retention so IR teams can reconstruct creation, modification, and execution timelines.
  • Document approved naming conventions and deployment sources to support SOC triage and compliance evidence.
Analyst notes and limits

The official DET0117 object provides a name and relationship to T1036.004 but no official description, detection logic, tactics, or platforms. The practical guidance therefore derives from the detection strategy name and the related ATT&CK technique description: adversaries may manipulate task or service names to appear legitimate or benign. Local baselines are essential because benign administrative tasks and services commonly use similar naming patterns.

This take does not assert active exploitation, attribution, guaranteed detection coverage, or a complete analytic specification. Platform references are supported by the related T1036.004 technique, not by DET0117’s own platform field, which is unspecified. Organizations must validate telemetry availability and normal task/service behavior in their own environment.

Official MITRE ATT&CK definition

Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1036.004 Masquerade Task or Service Sub-technique This object detects Masquerade Task or Service.
Relationship explorer

All related ATT&CK context

detects · Technique T1036.004: Masquerade Task or Service Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
fa5a65924381f5e5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle fa5a65924381…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0117
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use