1. Home
  2. ATT&CK Techniques
  3. T1036 Masquerading

T1036 Masquerading Mappings

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1036 Masquerading
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1036.005 Match Legitimate Name or Location 1
T1036.008 Masquerade File Type 1
T1036.009 Break Process Trees 1
T1036.002 Right-to-Left Override 3
T1036.004 Masquerade Task or Service 1
T1036.001 Invalid Code Signature 1
T1036.003 Rename System Utilities 2
T1036.010 Masquerade Account Name 1
T1036.006 Space after Filename 1