1. Home
  2. ATT&CK Techniques
  3. T1036.005 Match Legitimate Name or Location

T1036.005 Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.CM-09.01 Software and data integrity checking Mitigates T1036.005 Match Legitimate Name or Location
Comments
This diagnostic statement protects against Match Legitimate Name or Location through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
    PR.PS-01.03 Configuration deviation Mitigates T1036.005 Match Legitimate Name or Location
    Comments
    This diagnostic statement provides protection from Masquerading: Match Legitimate Name or Location through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
    References
      PR.PS-05.02 Mobile code prevention Mitigates T1036.005 Match Legitimate Name or Location
      Comments
      Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CA-07 Continuous Monitoring mitigates T1036.005 Match Legitimate Name or Location
        CM-06 Configuration Settings mitigates T1036.005 Match Legitimate Name or Location
        IA-09 Service Identification and Authentication mitigates T1036.005 Match Legitimate Name or Location
        SI-10 Information Input Validation mitigates T1036.005 Match Legitimate Name or Location
        SI-03 Malicious Code Protection mitigates T1036.005 Match Legitimate Name or Location
        SI-07 Software, Firmware, and Information Integrity mitigates T1036.005 Match Legitimate Name or Location
        CM-02 Baseline Configuration mitigates T1036.005 Match Legitimate Name or Location
        CM-07 Least Functionality mitigates T1036.005 Match Legitimate Name or Location
        SI-04 System Monitoring mitigates T1036.005 Match Legitimate Name or Location
        AC-02 Account Management mitigates T1036.005 Match Legitimate Name or Location
        AC-03 Access Enforcement mitigates T1036.005 Match Legitimate Name or Location
        AC-06 Least Privilege mitigates T1036.005 Match Legitimate Name or Location

        Known Exploited Vulnerabilities Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CVE-2023-26360 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability secondary_impact T1036.005 Match Legitimate Name or Location
        Comments
        This vulnerability gives an adversary access through exploitation of a public-facing server.
        References
        1. https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        microsoft_sentinel Microsoft Sentinel technique_scores T1036.005 Match Legitimate Name or Location
        Comments
        The Microsoft Sentinel Hunting "Masquerading Files" and "Rare Process Path" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. The Microsoft Sentinel Hunting "Azure DevOps Display Name Changes" query can detect potentially maliicous changes to the DevOps user display name.
        References
        1. https://learn.microsoft.com/en-us/azure/sentinel/overview
        2. https://learn.microsoft.com/en-us/azure/sentinel/hunting
        defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1036.005 Match Legitimate Name or Location
        Comments
        This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction

        GCP Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        google_secops Google Security Operations technique_scores T1036.005 Match Legitimate Name or Location
        Comments
        Google Security Operations can trigger an alert based on malware masquerading as legitimate process for example, Adobe's Acrobat Reader (e.g., re.regex($selection.target.process.file.full_path, `.*\\AcroRD32\.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/detects_malware_acrord32_exe_execution_process.yaral
        References
        1. ['https://cloud.google.com/security/products/security-operations'
        2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
        3. 'https://github.com/chronicle/detection-rules']

        M365 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        DEF-AACI-E3 Adaptive Application Control Integration Technique Scores T1036.005 Match Legitimate Name or Location
        Comments
        Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
        2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
        3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
        DEF-AACI-E3 Adaptive Application Control Integration Technique Scores T1036.005 Match Legitimate Name or Location
        Comments
        Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
        2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
        3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description