Home/ MITRE Matrix/ Defense Evasion/ T1036

T1036Masquerading

T1036 — Masquerading is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 13 detection use cases covering it and 2 threat-intel articles citing it.

Defense Evasion

View on the matrix → Filter Detection Library MITRE official spec ↗

13Use cases

2Articles

12Sub-techniques

1Tactic

Sub-techniques (12)

T1036.009 · Break Process Trees T1036.012 · Browser Fingerprint T1036.007 · Double File Extension T1036.001 · Invalid Code Signature T1036.010 · Masquerade Account Name T1036.008 · Masquerade File Type T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1036.011 · Overwrite Process Arguments T1036.003 · Rename Legitimate Utilities T1036.002 · Right-to-Left Override T1036.006 · Space after Filename

Use cases covering this technique (13)

Cisco NVM - Non-Network Binary Making Network Connection ESCU actions · hunting P Executables Or Script Creation In Suspicious Path ESCU actions · hunting P Executables Or Script Creation In Temp Path ESCU actions · hunting P Suspicious writes to windows Recycle Bin ESCU actions · alerting P Windows Bluetooth Service Installed From Uncommon Location ESCU actions · hunting P Windows Debugger Tool Execution ESCU actions · hunting P Windows Masquerading Msdtc Process ESCU actions · alerting P Windows NetSupport RMM DLL Loaded By Uncommon Process ESCU actions · hunting P Windows SoftEther VPN Masquerading as Legitimate Binary ESCU actions · alerting P Windows Suspicious QEMU Execution ESCU actions · alerting P Windows TinyCC Shellcode Execution ESCU actions · alerting P Suspicious writes to System Volume Information ESCU actions · hunting P [LLM] Scavenger Stealer sandbox-evasion marker file %TEMP%\SCVNGR_VM created Bespoke install · alerting DSΣPDDCS

Articles citing this technique (2)

crit OceanLotus: From external espionage to domestic targeting art-54

crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837