Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving tasks or services names that appear legitimate.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)
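The renaming case described above is cheap for an attacker and cheap to catch when the telemetry records the name compiled into the binary: a PE's version resource carries an OriginalFileName that survives a rename on disk, and Sysmon process-creation events (Event ID 1) log it next to the on-disk Image path. The following is an added detection example, not part of this mapping page or of the CCM/ATT&CK material it summarises. The event records are constructed samples in Sysmon field shape, and the watchlist of utility names is an assumption for the example (LOLBAS is the natural source to extend it from).

```python
"""Flag processes whose on-disk name differs from the name compiled into the
binary's PE version resource: a common sign of a renamed system utility."""
from typing import Dict, List

# Assumed watchlist for this example: original (compiled-in) file names of
# utilities that are commonly renamed to slip past name-based monitoring.
WATCHED_ORIGINAL_NAMES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
    "msiexec.exe", "csc.exe",
}

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "svchost.exe -decode enc.txt payload.exe"},
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "update.exe -nop -w hidden -c Get-Process"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Temp\tool.exe", "OriginalFileName": "-",
     "CommandLine": "tool.exe"},
]


def image_basename(image: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_renamed_utility(event: Dict[str, str]) -> bool:
    """True when OriginalFileName names a watched utility but the on-disk name differs.

    OriginalFileName is read from the PE version resource. Sysmon logs "-" when
    the resource is absent, and an attacker can strip or forge it, so a False
    result is not evidence of legitimacy; this check only catches the plain rename.
    """
    original = event.get("OriginalFileName", "").strip().lower()
    if original in ("", "-"):
        return False
    on_disk = image_basename(event.get("Image", ""))
    return original in WATCHED_ORIGINAL_NAMES and on_disk != original


def find_renamed_utilities(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that look like renamed system utilities."""
    return [e for e in events if is_renamed_utility(e)]


def describe(event: Dict[str, str]) -> str:
    """One-line analyst summary of a flagged event."""
    return (f"{event['Image']} is really {event['OriginalFileName']} "
            f"(command line: {event['CommandLine']})")


if __name__ == "__main__":
    for hit in find_renamed_utilities(SAMPLE_EVENTS):
        print(describe(hit))
```

Comparison is case-insensitive because the compiled-in name often differs in case from the on-disk name (Cmd.Exe, PowerShell.EXE), which would otherwise produce false positives on every legitimate launch. Because the version resource is attacker-controlled data, pair this check with something the attacker cannot rewrite as easily, such as Authenticode signature status or a hash match against the known utility.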
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| IAM-13 | Uniquely Identifiable Users | mitigates | T1036 | Masquerading |
| UEM-09 | Anti-Malware Detection and Prevention | mitigates | T1036 | Masquerading |

IAM-13 Comments
This control requires both the CSP and the CSC to independently assign unique, cryptographically secure identifiers to users; to ensure traceability and accountability for all access, including shared accounts; to implement strong access controls; and to encrypt user identity data.
This mapping addresses attacker techniques that target user or machine accounts within cloud environments or the identity management system.

UEM-09 Comments
This control describes the implementation of endpoint security, including anti-malware software, to mitigate the risk of exploitation by threat actors. Its implementation guidance gives several examples of what the technical measures under Anti-Malware should help prevent, including:
- Scanning installed software and system data content to identify and remove unauthorized code/software.
- Prohibiting the use or installation of unauthorized software.
- Restricting the retrieval of malicious data and software from external networks.
- Managing removable media on endpoints.

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1036.010 | Masquerade Account Name | 1 |