T1036 Masquerading Mappings

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1036 Masquerading
AC-3 Access Enforcement Protects T1036 Masquerading
AC-6 Least Privilege Protects T1036 Masquerading
CA-7 Continuous Monitoring Protects T1036 Masquerading
CM-2 Baseline Configuration Protects T1036 Masquerading
CM-6 Configuration Settings Protects T1036 Masquerading
CM-7 Least Functionality Protects T1036 Masquerading
IA-9 Service Identification and Authentication Protects T1036 Masquerading
SI-10 Information Input Validation Protects T1036 Masquerading
SI-3 Malicious Code Protection Protects T1036 Masquerading
SI-4 System Monitoring Protects T1036 Masquerading
SI-7 Software, Firmware, and Information Integrity Protects T1036 Masquerading
CVE-2019-1831 Cisco Email Security Appliance (ESA) primary_impact T1036 Masquerading
CVE-2019-3788 UAA Release (OSS) secondary_impact T1036 Masquerading
CVE-2018-11067 Avamar secondary_impact T1036 Masquerading
CVE-2019-3778 Spring Security OAuth secondary_impact T1036 Masquerading
CVE-2020-5250 PrestaShop primary_impact T1036 Masquerading
CVE-2020-5270 PrestaShop secondary_impact T1036 Masquerading
CVE-2018-17934 NUUO CMS secondary_impact T1036 Masquerading
CVE-2018-5451 Philips Alice 6 System primary_impact T1036 Masquerading
CVE-2020-16198 Philips Clinical Collaboration Platform primary_impact T1036 Masquerading
CVE-2020-1456 Microsoft SharePoint Enterprise Server secondary_impact T1036 Masquerading
CVE-2018-8607 Microsoft Dynamics 365 secondary_impact T1036 Masquerading
CVE-2019-1031 Microsoft SharePoint Foundation secondary_impact T1036 Masquerading
CVE-2018-0560 Hatena Bookmark App for iOS uncategorized T1036 Masquerading
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1036 Masquerading

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1036.001 Invalid Code Signature 6
T1036.004 Masquerade Task or Service 1
T1036.005 Match Legitimate Name or Location 14
T1036.003 Rename System Utilities 10
T1036.002 Right-to-Left Override 3
T1036.006 Space after Filename 1