- Tactics
- stealth
- Platforms
- Containers, ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1036
Description
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving malicious tasks or services legitimate-looking names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)
Sub-techniques
- T1036.001 — Invalid Code Signature
- T1036.002 — Right-to-Left Override
- T1036.003 — Rename Legitimate Utilities
- T1036.004 — Masquerade Task or Service
- T1036.005 — Match Legitimate Resource Name or Location
- T1036.006 — Space after Filename
- T1036.007 — Double File Extension
- T1036.008 — Masquerade File Type
- T1036.009 — Break Process Trees
- T1036.010 — Masquerade Account Name
- T1036.011 — Overwrite Process Arguments
- T1036.012 — Browser Fingerprint
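A small detection-side check, added here as an illustration and not part of this page or the ATT&CK entry: it scores one process-creation event (the on-disk path plus, where available, the PE OriginalFileName field that Sysmon Event ID 1 records) against several of the sub-techniques listed above. The expected-location table and the sample events are constructed assumptions, not real telemetry.

```python
import ntpath

# Constructed reference table (assumption): directories where a few
# commonly impersonated Windows binaries are expected to run from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
RTLO = "\u202e"  # right-to-left override code point
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def masquerade_indicators(event):
    """Return the T1036 sub-technique ids suggested by one process event.

    event: dict with 'image' (on-disk path) and, optionally,
    'original_file_name' (OriginalFileName from the PE version resource)."""
    hits = []
    name = ntpath.basename(event["image"])
    directory = ntpath.dirname(event["image"]).lower()
    lower = name.lower()
    parts = lower.rstrip(" ").split(".")
    if RTLO in name:                      # T1036.002 Right-to-Left Override
        hits.append("T1036.002")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS:
        hits.append("T1036.007")          # Double File Extension
    if name != name.rstrip(" "):          # Space after Filename
        hits.append("T1036.006")
    ofn = (event.get("original_file_name") or "").lower()
    if ofn and ofn != lower.rstrip(" "):  # Rename Legitimate Utilities
        hits.append("T1036.003")
    if lower in EXPECTED_DIRS and directory not in EXPECTED_DIRS[lower]:
        hits.append("T1036.005")          # Match Legitimate Name or Location
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "original_file_name": "svchost.exe"},
    {"image": r"C:\Users\bob\Downloads\update.exe", "original_file_name": "PsExec.exe"},
    {"image": r"C:\Users\bob\Downloads\report.pdf.exe"},
    {"image": "C:\\Users\\bob\\Downloads\\photo\u202egpj.exe"},
    {"image": "/Users/bob/Downloads/notes.txt "},
]

def scan(events=SAMPLE_EVENTS):
    # Pair each event's file name with the indicators found for it.
    return [(ntpath.basename(e["image"]), masquerade_indicators(e)) for e in events]
```

Only the first sample event (svchost.exe in System32 with a matching OriginalFileName) returns no indicators; each of the others trips exactly the sub-technique it was constructed to illustrate.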
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the stealth tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1055 — Process Injection
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1127 — Trusted Developer Utilities Proxy Execution
- T1134 — Access Token Manipulation
- T1140 — Deobfuscate/Decode Files or Information
- T1197 — BITS Jobs
- T1202 — Indirect Command Execution
- T1205 — Traffic Signaling