T1036.005 Match Legitimate Name or Location Mappings

Adversaries may match or approximate the name or location of legitimate files when naming or placing their own files, in order to evade defenses and observation. They may place an executable in a commonly trusted directory (e.g., under System32) or give it the name of a legitimate, trusted program (e.g., svchost.exe). Alternatively, the filename may be a close approximation of a legitimate program's name or something innocuous.

Adversaries may also use the same icon as the file they are trying to mimic.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1036.005 | Match Legitimate Name or Location |
| AC-3 | Access Enforcement | Protects | T1036.005 | Match Legitimate Name or Location |
| AC-6 | Least Privilege | Protects | T1036.005 | Match Legitimate Name or Location |
| CA-7 | Continuous Monitoring | Protects | T1036.005 | Match Legitimate Name or Location |
| CM-2 | Baseline Configuration | Protects | T1036.005 | Match Legitimate Name or Location |
| CM-6 | Configuration Settings | Protects | T1036.005 | Match Legitimate Name or Location |
| CM-7 | Least Functionality | Protects | T1036.005 | Match Legitimate Name or Location |
| IA-9 | Service Identification and Authentication | Protects | T1036.005 | Match Legitimate Name or Location |
| SI-10 | Information Input Validation | Protects | T1036.005 | Match Legitimate Name or Location |
| SI-3 | Malicious Code Protection | Protects | T1036.005 | Match Legitimate Name or Location |
| SI-4 | System Monitoring | Protects | T1036.005 | Match Legitimate Name or Location |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1036.005 | Match Legitimate Name or Location |
| azure_sentinel | Azure Sentinel | technique_scores | T1036.005 | Match Legitimate Name or Location |
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1036.005 | Match Legitimate Name or Location |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1036.005 | Match Legitimate Name or Location |