T1036 Masquerading Mappings

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1036 Masquerading
AC-3 Access Enforcement Protects T1036 Masquerading
AC-6 Least Privilege Protects T1036 Masquerading
CA-7 Continuous Monitoring Protects T1036 Masquerading
CM-2 Baseline Configuration Protects T1036 Masquerading
CM-6 Configuration Settings Protects T1036 Masquerading
CM-7 Least Functionality Protects T1036 Masquerading
IA-9 Service Identification and Authentication Protects T1036 Masquerading
SI-10 Information Input Validation Protects T1036 Masquerading
SI-3 Malicious Code Protection Protects T1036 Masquerading
SI-4 System Monitoring Protects T1036 Masquerading
SI-7 Software, Firmware, and Information Integrity Protects T1036 Masquerading
azure_sentinel Azure Sentinel technique_scores T1036 Masquerading
adaptive_application_controls Adaptive Application Controls technique_scores T1036 Masquerading
azure_defender_for_app_service Azure Defender for App Service technique_scores T1036 Masquerading

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1036.001 Invalid Code Signature 5
T1036.004 Masquerade Task or Service 1
T1036.005 Match Legitimate Name or Location 15
T1036.003 Rename System Utilities 8
T1036.006 Space after Filename 1