Masquerading: Match Legitimate Resource Name or Location (T1036.005)
Tactic: Stealth · Platforms: Containers, ESXi, Linux, macOS, Windows
The interactive view maps 1 detection strategy, 3 mitigations, 61 threat groups, 140 software entries, 15 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Masquerading (T1036).
Overview
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.