Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1036.003 | Rename System Utilities |
| AC-3 | Access Enforcement | Protects | T1036.003 | Rename System Utilities |
| AC-6 | Least Privilege | Protects | T1036.003 | Rename System Utilities |
| CA-7 | Continuous Monitoring | Protects | T1036.003 | Rename System Utilities |
| CM-2 | Baseline Configuration | Protects | T1036.003 | Rename System Utilities |
| CM-6 | Configuration Settings | Protects | T1036.003 | Rename System Utilities |
| SI-3 | Malicious Code Protection | Protects | T1036.003 | Rename System Utilities |
| SI-4 | System Monitoring | Protects | T1036.003 | Rename System Utilities |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.003 | Masquerading: Rename System Utilities |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1036.003 | Masquerading: Rename System Utilities |