T1036
Masquerading
Description
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
Sub-techniques
T1036.001 — Invalid Code Signature
T1036.002 — Right-to-Left Override
T1036.003 — Rename Legitimate Utilities
T1036.004 — Masquerade Task or Service
T1036.005 — Match Legitimate Resource Name or Location
T1036.006 — Space after Filename
T1036.007 — Double File Extension
T1036.008 — Masquerade File Type
T1036.009 — Break Process Trees
T1036.010 — Masquerade Account Name
T1036.011 — Overwrite Process Arguments
T1036.012 — Browser Fingerprint