Home
ATT&CK Techniques
T1036.005 Match Legitimate Name or Location

T1036.005 Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1036.005	Match Legitimate Name or Location
AC-3	Access Enforcement	Protects	T1036.005	Match Legitimate Name or Location
AC-6	Least Privilege	Protects	T1036.005	Match Legitimate Name or Location
CA-7	Continuous Monitoring	Protects	T1036.005	Match Legitimate Name or Location
CM-2	Baseline Configuration	Protects	T1036.005	Match Legitimate Name or Location
CM-6	Configuration Settings	Protects	T1036.005	Match Legitimate Name or Location
CM-7	Least Functionality	Protects	T1036.005	Match Legitimate Name or Location
IA-9	Service Identification and Authentication	Protects	T1036.005	Match Legitimate Name or Location
SI-10	Information Input Validation	Protects	T1036.005	Match Legitimate Name or Location
SI-3	Malicious Code Protection	Protects	T1036.005	Match Legitimate Name or Location
SI-4	System Monitoring	Protects	T1036.005	Match Legitimate Name or Location
SI-7	Software, Firmware, and Information Integrity	Protects	T1036.005	Match Legitimate Name or Location

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_sentinel	Azure Sentinel	technique_scores	T1036.005	Match Legitimate Name or Location	Comments The Azure Sentinel Hunting "Masquerading Files" and "Rare Process Path" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. The Azure Sentinel Hunting "Azure DevOps Display Name Changes" query can detect potentially maliicous changes to the DevOps user display name. References
adaptive_application_controls	Adaptive Application Controls	technique_scores	T1036.005	Match Legitimate Name or Location	Comments Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial. References
azure_defender_for_app_service	Azure Defender for App Service	technique_scores	T1036.005	Match Legitimate Name or Location	Comments This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown. References