T1036 Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading. (Citation: LOLBAS Main Site)

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1036.007 | Double File Extension | 1 |
| T1036.005 | Match Legitimate Resource Name or Location | 1 |
| T1036.008 | Masquerade File Type | 2 |
| T1036.009 | Break Process Trees | 2 |
| T1036.011 | Overwrite Process Arguments | 2 |
| T1036.002 | Right-to-Left Override | 1 |
| T1036.004 | Masquerade Task or Service | 2 |
| T1036.012 | Browser Fingerprint | 1 |
| T1036.001 | Invalid Code Signature | 1 |
| T1036.003 | Rename Legitimate Utilities | 2 |
| T1036.010 | Masquerade Account Name | 2 |
| T1036.006 | Space after Filename | 1 |