Masquerading: Match Legitimate Name or Location

Created the Friday 10 February 2023. Updated 6 months, 2 weeks ago.

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Technique Identifier

T1036.005

Technique Tags

Defense Evasion commonly trusted directory mimic legitimate trusted program trusted namespaces trusted filenames mimic icon hidden payloads malicious shortcuts APT1 APT28 APT29 APT32 APT39 APT41

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Masquerading: Match Legitimate Name or Location, Sub-technique T1036.005 - Enterprise | MITRE ATT&CK®