Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)
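As an added detection example (not part of the ATT&CK text or of the mapping), the checks below apply three of the sub-technique heuristics to process-creation records shaped like Sysmon Event ID 1 fields: an `OriginalFileName` that disagrees with the on-disk name, a system-binary name running outside the system directories, and a space hidden before the real extension. The binary list and the sample events are constructed assumptions.

```python
"""Heuristic checks for T1036 masquerading over process-creation events."""
import ntpath

# Well-known Windows binaries that legitimately run only from the system directories
# (an assumed allow-list for the example, not an authoritative inventory).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "rundll32.exe", "certutil.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerade_findings(event: dict) -> list[str]:
    """Return the T1036 sub-technique labels the event's name or location triggers."""
    image = event.get("Image", "")
    basename = ntpath.basename(image)
    name = basename.lower().rstrip(" ")
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # T1036.003: the PE version resource names one binary, the file on disk another.
    # Sysmon logs "?" when the field is absent, so treat that as unknown, not a mismatch.
    if original not in ("", "?") and original != name:
        findings.append("T1036.003 Rename System Utilities")
    # T1036.005: a system-binary name launched from outside the system directories.
    if name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS):
        findings.append("T1036.005 Match Legitimate Name or Location")
    # T1036.006: a space before the final extension or at the end of the filename
    # hides the real type ("report.pdf .exe" displays as a PDF in most file views).
    if " ." in basename or basename.endswith(" "):
        findings.append("T1036.006 Space after Filename")
    return findings


# Constructed sample events shaped like Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\alice\Downloads\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\notes.exe", "OriginalFileName": "certutil.exe"},
    {"Image": r"C:\Users\alice\Downloads\report.pdf .exe", "OriginalFileName": "?"},
]


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each Image path to its findings, omitting events that trigger nothing."""
    results = {}
    for event in events:
        findings = masquerade_findings(event)
        if findings:
            results[event["Image"]] = findings
    return results


if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(labels)}")
```

In production the mismatch rule needs an allow-list for software that legitimately renames its binaries, which is why the mapping tables below score most controls only Minimal or Partial against this technique.
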

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1036 | Masquerading | |
AC-3 | Access Enforcement | Protects | T1036 | Masquerading | |
AC-6 | Least Privilege | Protects | T1036 | Masquerading | |
CA-7 | Continuous Monitoring | Protects | T1036 | Masquerading | |
CM-2 | Baseline Configuration | Protects | T1036 | Masquerading | |
CM-6 | Configuration Settings | Protects | T1036 | Masquerading | |
CM-7 | Least Functionality | Protects | T1036 | Masquerading | |
IA-9 | Service Identification and Authentication | Protects | T1036 | Masquerading | |
SI-10 | Information Input Validation | Protects | T1036 | Masquerading | |
SI-3 | Malicious Code Protection | Protects | T1036 | Masquerading | |
SI-4 | System Monitoring | Protects | T1036 | Masquerading | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1036 | Masquerading | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1036 | Masquerading | This control provides minimal to partial coverage of a minority of this technique's sub-techniques and a minority of its procedure examples, resulting in an overall score of Minimal. |
adaptive_application_controls | Adaptive Application Controls | technique_scores | T1036 | Masquerading | This control provides detection for some of this technique's sub-techniques and procedure examples, so its coverage score is Partial, giving an overall Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1036 | Masquerading | This control only addresses a minority of this technique's procedure examples and one of its sub-techniques, resulting in an overall Minimal score. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1036.001 | Invalid Code Signature | 5 |
T1036.004 | Masquerade Task or Service | 1 |
T1036.005 | Match Legitimate Name or Location | 15 |
T1036.003 | Rename System Utilities | 8 |
T1036.006 | Space after Filename | 1 |