Masquerading: Rename Legitimate Utilities (T1036.003)
Tactic: Stealth · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 1 mitigation, 6 threat groups, 5 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Masquerading (T1036).
Overview
Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.