ID | Name |
---|---|
T1036.001 | Invalid Code Signature |
T1036.002 | Right-to-Left Override |
T1036.003 | Rename Legitimate Utilities |
T1036.004 | Masquerade Task or Service |
T1036.005 | Match Legitimate Resource Name or Location |
T1036.006 | Space after Filename |
T1036.007 | Double File Extension |
T1036.008 | Masquerade File Type |
T1036.009 | Break Process Trees |
T1036.010 | Masquerade Account Name |
T1036.011 | Overwrite Process Arguments |
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.[1]
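The two checks the description implies, written up as an added example that is not part of the ATT&CK page: a scan that flags a protected file name found outside its expected directory (as with svchost.exe under %APPDATA%) or a one-edit approximation of a protected name (as with wercplsupporte.dll). The allow-list and the sample paths are constructed for illustration, not an official list.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed allow-list for this example (not an official list): legitimate
# file name -> lower-case directories where that file is expected to live.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wercplsupport.dll": {r"c:\windows\system32"},
    "uxtheme.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert/delete/substitute and adjacent swap,
    so a transposition such as notron vs norton scores 1, not 2."""
    m, n = len(a), len(b)
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(n + 1)] for i in range(m + 1)]
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]

def classify(path: str) -> Optional[str]:
    """Label a file path as a masquerading candidate, or None if it looks normal."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_LOCATIONS:
        # Exact match of a protected name: only the location can be wrong.
        return None if parent in EXPECTED_LOCATIONS[name] else f"location_mismatch:{name}"
    # Otherwise look for a one-edit approximation of a protected name
    # (extra letter, dropped letter, substitution or swapped adjacent letters).
    for legit in EXPECTED_LOCATIONS:
        if osa_distance(name, legit) == 1:
            return f"near_match:{legit}"
    return None

# Constructed sample paths modelled on the procedure examples on this page.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                               # legitimate
    r"C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe",  # wrong folder
    r"C:\Windows\System32\wercplsupporte.dll",                        # extra letter
    r"C:\Program Files\Vendor\report.exe",                            # unrelated
]

def scan(paths: List[str] = SAMPLE_PATHS) -> Dict[str, str]:
    """Map each suspicious path to its finding; clean paths are omitted."""
    return {p: f for p in paths if (f := classify(p)) is not None}
```

In practice the allow-list would be populated from an inventory of the system's own signed binaries, and the scan run over process-creation or file-creation telemetry rather than a fixed list.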
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[2] |
G0018 | admin@338 | admin@338 actors used the following command to rename one of their tools to a benign file name: |
G1024 | Akira | Akira has used legitimate names and locations for files to evade defenses.[4] |
S1074 | ANDROMEDA | ANDROMEDA has been installed to |
S0622 | AppleSeed | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[6] |
G0006 | APT1 | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[7][8] |
G0007 | APT28 | APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[9] |
G0016 | APT29 | APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[10][11] |
G0050 | APT32 | APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[12][13] |
G0087 | APT39 | APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[14][15] |
G0096 | APT41 | APT41 attempted to masquerade their files as popular anti-virus software.[16][17] |
G1044 | APT42 | APT42 has masqueraded the VINETHORN payload as a VPN application.[18] |
G1023 | APT5 | APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a |
G0143 | Aquatic Panda | Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[20] |
S0475 | BackConfig | BackConfig has hidden malicious payloads in |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has dropped implants in folders named for legitimate software.[22] |
S0606 | Bad Rabbit | Bad Rabbit has masqueraded as a Flash Player installer through the executable file |
S0128 | BADNEWS | BADNEWS attempts to hide its payloads using legitimate filenames.[25] |
S0534 | Bazar | The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[26][27][28] |
S0268 | Bisonal | Bisonal has renamed malicious code to |
S1070 | Black Basta | The Black Basta dropper has mimicked an application for creating USB bootable drivers.[30] |
S0520 | BLINDINGCAN | BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[31] |
G0108 | Blue Mockingbird | Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[32] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[33] |
S1063 | Brute Ratel C4 | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[34] |
S1039 | Bumblebee | Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[35] |
S0482 | Bundlore | Bundlore has disguised a malicious .app file as a Flash Player update.[36] |
C0017 | C0017 | During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[37] |
C0018 | C0018 | For C0018, the threat actors renamed a Sliver payload to |
C0032 | C0032 | During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[39] |
S0274 | Calisto | Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[40] |
G0008 | Carbanak | Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[41] |
S0484 | Carberp | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[42][43] |
S0631 | Chaes | Chaes has used an unsigned, crafted DLL module named |
S0144 | ChChes | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[45] |
G0114 | Chimera | Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[46] |
S1041 | Chinoxy | Chinoxy has used the name |
S0625 | Cuba | Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[48] |
S1153 | Cuckoo Stealer | Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[49][50] |
S0687 | Cyclops Blink | Cyclops Blink can rename its running process to |
S1014 | DanBot | DanBot files have been named |
S0334 | DarkComet | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[53] |
G0012 | Darkhotel | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[54] |
S0187 | Daserf | Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[55] |
S0600 | Doki | |
S0694 | DRATzarus | DRATzarus has been named |
S0567 | Dtrack | One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[58] |
S1158 | DUSTPAN | DUSTPAN is often disguised as a legitimate Windows binary such as |
G1006 | Earth Lusca | Earth Lusca used the command |
S0605 | EKANS | EKANS has been disguised as |
S0081 | Elise | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[62] |
G1003 | Ember Bear | Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to |
S0171 | Felismus | Felismus has masqueraded as legitimate Adobe Content Management System files.[64] |
G0137 | Ferocious Kitten | Ferocious Kitten has named malicious files |
G1016 | FIN13 | FIN13 has masqueraded WAR files to look like legitimate packages such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[66] |
G0046 | FIN7 | FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[67] |
S0182 | FinFisher | FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[68][69] |
S0661 | FoggyWeb | FoggyWeb can be disguised as a Visual Studio file such as |
G0117 | Fox Kitten | Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[71] |
S0410 | Fysbis | Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[72] |
G0047 | Gamaredon Group | Gamaredon Group has used legitimate process names to hide malware including |
S0666 | Gelsemium | Gelsemium has named malicious binaries |
S1197 | GoBear | GoBear is installed through droppers masquerading as legitimate, signed software installers.[75] |
S0493 | GoldenSpy | GoldenSpy's setup file installs initial executables under the folder |
S0588 | GoldMax | GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[77][78] |
S0477 | Goopy | Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[12] |
S0531 | Grandoreiro | Grandoreiro has named malicious browser extensions and update files to appear legitimate.[79][80] |
S0690 | Green Lambert | Green Lambert has been disguised as a Growl help file.[81][82] |
S0697 | HermeticWiper | HermeticWiper has used the name |
S0698 | HermeticWizard | HermeticWizard has been named |
C0038 | HomeLand Justice | During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[84][85] |
S0070 | HTTPBrowser | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[86] |
S1022 | IceApple | IceApple .NET assemblies have used |
S0483 | IcedID | IcedID has modified legitimate .dll files to include malicious code.[88] |
G1032 | INC Ransom | INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[89][90] |
G0119 | Indrik Spider | Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[91] |
S0259 | InnaputRAT | InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[92] |
S0260 | InvisiMole | InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[93][94] |
S0015 | Ixeshe | Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[95] |
S1203 | J-magic | J-magic can rename itself as "[nfsiod 0]" to masquerade as the local Network File System (NFS) asynchronous I/O server.[96] |
C0050 | J-magic Campaign | During the J-magic Campaign, threat actors used the name "JunoscriptService" to masquerade malware as the Junos automation scripting service.[96] |
G0004 | Ke3chang | Ke3chang has dropped their malware into legitimate installed software paths including: |
S0526 | KGH_SPY | |
G0094 | Kimsuky | Kimsuky has renamed malware to legitimate names such as |
S0669 | KOCTOPUS | KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[100] |
S0356 | KONNI | KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[101] |
S1160 | Latrodectus | Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.[102] |
G0032 |