T1036.005 Match Legitimate Name or Location Mappings

Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing them, in order to evade defenses and observation. This may be done by placing an executable in a commonly trusted directory (e.g. under System32) or by giving it the name of a legitimate, trusted program (e.g. svchost.exe). In containerized environments, it may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, the name given to a file or container image may be a close approximation of a legitimate program or image, or something innocuous.

Adversaries may also use the same icon as the file they are trying to mimic.
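One way to turn the description above into detection logic, as an added example that is not part of the mappings page: process-creation image paths are checked against a baseline of where trusted binary names are expected to live, and near-miss spellings are caught with an edit distance. The allow-list and sample paths are constructed for illustration; a real baseline would be derived from the organization's golden image (cf. CM-2).

```python
"""Flag process images that reuse or approximate a trusted Windows binary name
but run from an unexpected directory (detection logic for T1036.005)."""
import ntpath
from typing import Iterable, List, Optional

# Constructed allow-list: where a few commonly mimicked binaries are expected.
# Keys and directories are lower-case because Windows paths are case-insensitive.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names (svch0st, lsas)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path: str) -> Optional[str]:
    """Return a finding for a suspicious image path, or None if it looks legitimate."""
    directory, name = ntpath.split(image_path.lower())
    directory = directory.rstrip("\\")
    if name in EXPECTED_LOCATIONS:
        if directory in EXPECTED_LOCATIONS[name]:
            return None
        return f"trusted name outside expected location: {image_path}"
    for known in EXPECTED_LOCATIONS:
        # Distance 1 = one substituted, inserted or dropped character. A wider
        # threshold would also hit unrelated legitimate binaries with similar names.
        if edit_distance(name, known) == 1:
            return f"look-alike of {known}: {image_path}"
    return None


def scan(image_paths: Iterable[str]) -> List[str]:
    """Classify every image path and keep only the findings."""
    return [f for f in (classify(p) for p in image_paths) if f]


# Constructed sample of process-creation image paths (not from any real host).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",      # legitimate
    r"C:\Windows\SysWOW64\svchost.exe",      # legitimate 32-bit copy
    r"C:\Users\Public\svchost.exe",          # trusted name, wrong directory
    r"C:\Windows\System32\svch0st.exe",      # zero for 'o', trusted directory
    r"C:\Windows\explorer.exe",              # legitimate
    r"C:\ProgramData\lsas.exe",              # one character dropped from lsass.exe
]
```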


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
--- | --- | --- | --- | ---
AC-2 | Account Management | Protects | T1036.005 | Match Legitimate Name or Location
AC-3 | Access Enforcement | Protects | T1036.005 | Match Legitimate Name or Location
AC-6 | Least Privilege | Protects | T1036.005 | Match Legitimate Name or Location
CA-7 | Continuous Monitoring | Protects | T1036.005 | Match Legitimate Name or Location
CM-2 | Baseline Configuration | Protects | T1036.005 | Match Legitimate Name or Location
CM-6 | Configuration Settings | Protects | T1036.005 | Match Legitimate Name or Location
CM-7 | Least Functionality | Protects | T1036.005 | Match Legitimate Name or Location
IA-9 | Service Identification and Authentication | Protects | T1036.005 | Match Legitimate Name or Location
SI-10 | Information Input Validation | Protects | T1036.005 | Match Legitimate Name or Location
SI-3 | Malicious Code Protection | Protects | T1036.005 | Match Legitimate Name or Location
SI-4 | System Monitoring | Protects | T1036.005 | Match Legitimate Name or Location
SI-7 | Software, Firmware, and Information Integrity | Protects | T1036.005 | Match Legitimate Name or Location
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.005 | Masquerading: Match Legitimate Name or Location