Stealth

T1036.003: Rename Legitimate Utilities

T1036.003 · Sub-technique · 3 platforms · 6 groups

Description

Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)

Platforms

Linux, macOS, Windows

Mitigations (1)

M1022: Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Threat Groups (6)

| ID | Group | Context |
|---|---|---|
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has renamed [certutil](https://attack.mitre.org/software/S0160) and moved it to a different location... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has renamed system utilities such as `wscript.exe` and `mshta.exe`.(Citat... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) used a renamed version of rundll32.exe, such as "dbengin.exe" located in the `ProgramData\Microsoft... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has moved and renamed pubprn.vbs to a .txt file to avoid detection.(Citation: Twitter ItsReallyNick APT... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has renamed system utilities, such as `rundll32.exe` and `mshta.exe`, to avoid detection.(Citation: 1 -... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a renamed cmd.exe file to evade detection.(Citation: Cybereason Soft Cell June 2019) |

Associated Software (5)

| ID | Name | Type | Context |
|---|---|---|---|
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has renamed the file `/home/bin/remotedebug` to `remotedebug.bak`, allowing the threat actors to ... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) has used a renamed, legitimate `msinfo32.exe` executable to sideload the [StrelaStealer](http... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) executes a Windows Batch script during installation that creates a randomly-named directory in the... |
| S0046 | CozyCar | Malware | The [CozyCar](https://attack.mitre.org/software/S0046) dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved ... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) has renamed an image of `cmd.exe` with a random name followed by a `.tmpl` extension.(Citation: Kaspe... |

Frequently Asked Questions

What is T1036.003 (Rename Legitimate Utilities)?

T1036.003 is a MITRE ATT&CK sub-technique named 'Rename Legitimate Utilities'. It belongs to the Stealth tactic. Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitim...

How can T1036.003 be detected?

Detection of T1036.003 (Rename Legitimate Utilities) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique, in particular process-creation telemetry that records both the on-disk file name and the name embedded in the binary itself.
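The following is an added detection example, not code from MITRE ATT&CK or any of the cited vendors. It implements the check that the cited Elastic and Splunk write-ups describe for this sub-technique: a process whose on-disk file name differs from the `OriginalFileName` compiled into its PE version resource has very likely been renamed, and a monitored utility running from a directory other than the one it ships in has very likely been copied or moved. The events are constructed in the shape of Sysmon Event ID 1 records (`Image`, `OriginalFileName`); the `MONITORED` directory list and the `ORIGINAL_NAME_ALIASES` pair are assumptions to be verified against the real binaries in your environment before deployment.

```python
"""Flag processes whose on-disk name does not match the name compiled into the
binary, the core signal for T1036.003.  Added defensive example; the events
below are constructed in Sysmon Event ID 1 style and are not real telemetry."""
import ntpath

# Utilities the page names as commonly renamed, keyed by their upper-cased PE
# OriginalFileName and mapped to the directories they are expected to run from.
# Assumed list; extend it for your estate (e.g. per-build paths for SysWOW64).
SYSTEM_DIRS = {r"C:\WINDOWS\SYSTEM32", r"C:\WINDOWS\SYSWOW64"}
MONITORED = {
    "RUNDLL32.EXE": SYSTEM_DIRS,
    "MSHTA.EXE": SYSTEM_DIRS,
    "WSCRIPT.EXE": SYSTEM_DIRS,
    "CMD.EXE": SYSTEM_DIRS,
    "CERTUTIL.EXE": SYSTEM_DIRS,
}

# Some legitimate binaries carry an OriginalFileName that never matches the
# file name they ship under; map those so they are not reported as renamed.
# Assumed alias pair: confirm the value by inspecting the binary you deploy.
ORIGINAL_NAME_ALIASES = {"PSEXEC.C": "PSEXEC.EXE"}

# Constructed sample events (Image = path that ran, OriginalFileName = PE field).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\ProgramData\Microsoft\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x8f3.tmpl", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Users\bob\p.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "certutil.exe"},
]


def analyse_event(event):
    """Return a list of reasons this process looks renamed or moved (empty if clean)."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    if not image or not original:
        # Nothing to compare: binaries with a stripped version resource need
        # a different rule (hash or signer based), so do not guess here.
        return []
    on_disk = ntpath.basename(image).upper()
    directory = ntpath.dirname(image).upper()
    expected = ORIGINAL_NAME_ALIASES.get(original.upper(), original.upper())
    reasons = []
    if on_disk != expected:
        reasons.append(f"renamed: on-disk name {on_disk} != original {expected}")
    if expected in MONITORED and directory not in MONITORED[expected]:
        reasons.append(f"moved: {expected} ran from unexpected directory {directory}")
    return reasons


def find_renamed_utilities(events):
    """Run analyse_event over a batch of events; returns [(image, reasons), ...]."""
    findings = []
    for event in events:
        reasons = analyse_event(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in find_renamed_utilities(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   ", reason)
```

Both checks are deliberately independent: a renamed binary left in `System32` trips only the name rule, while an unrenamed `rundll32.exe` copied to `ProgramData` trips only the path rule, which covers the "copied or moved to a different directory" variant the description mentions. The alias table is the main source of tuning effort in practice, because some signed third-party tools ship with an `OriginalFileName` that never matched their file name.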

What mitigations exist for T1036.003?

There is 1 documented mitigation for T1036.003: Restrict File and Directory Permissions (M1022).

Which threat groups use T1036.003?

Known threat groups using T1036.003 include: menuPass, Lazarus Group, Daggerfly, APT32, APT38, GALLIUM.