T1036 Masquerading Mappings

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading. (Citation: LOLBAS Main Site) Masquerading may also include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| IA-09 | Service Identification and Authentication | Protects | T1036 | Masquerading |
| AC-02 | Account Management | Protects | T1036 | Masquerading |
| AC-03 | Access Enforcement | Protects | T1036 | Masquerading |
| AC-06 | Least Privilege | Protects | T1036 | Masquerading |
| CA-07 | Continuous Monitoring | Protects | T1036 | Masquerading |
| CM-02 | Baseline Configuration | Protects | T1036 | Masquerading |
| CM-06 | Configuration Settings | Protects | T1036 | Masquerading |
| CM-07 | Least Functionality | Protects | T1036 | Masquerading |
| IA-09 | Service Identification and Authentication | Protects | T1036 | Masquerading |
| SI-10 | Information Input Validation | Protects | T1036 | Masquerading |
| SI-03 | Malicious Code Protection | Protects | T1036 | Masquerading |
| SI-04 | System Monitoring | Protects | T1036 | Masquerading |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1036 | Masquerading |
| EOP-Antimalware-E3 | Antimalware | Technique Scores | T1036 | Masquerading |
| M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1036 | Masquerading |
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1036 | Masquerading |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1036.007 | Double File Extension | 6 |
| T1036.005 | Match Legitimate Name or Location | 12 |
| T1036.008 | Masquerade File Type | 5 |
| T1036.001 | Invalid Code Signature | 5 |
| T1036.003 | Rename System Utilities | 8 |