Description
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)
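The description above names the two variants of this technique: an exact system-binary name placed in a directory where that binary does not belong, and a near-miss name that approximates a legitimate one. As an added example (not code from the ATT&CK page or from MITRE), the Python below runs both checks over constructed process telemetry: the expected-directory map for the binaries the page mentions (svchost.exe, lsass.exe, wuauclt.exe, msdtc.exe), the allow-list of legitimate neighbouring names, and the sample events are all assumptions made for this example.

```python
"""Added example for T1036.005 (not from the ATT&CK page): flag process images
whose name matches or closely resembles a commonly impersonated Windows system
binary but whose on-disk location is not where that binary legitimately lives.
Sample events, the directory map and the allow-list are constructed assumptions."""
import ntpath

# Binaries the page names as impersonated (svchost.exe, lsass.exe, wuauclt.exe,
# msdtc.exe) mapped to the directories they are expected to run from.
# The mapping itself is an assumption for this example.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "wuauclt.exe": {r"c:\windows\system32"},
    "msdtc.exe": {r"c:\windows\system32"},
}

# Legitimate binaries whose names sit one edit away from a monitored name and
# would otherwise trigger the look-alike rule (msdt.exe is a real Windows tool).
LEGIT_NEIGHBOURS = {"msdt.exe"}

# Constructed sample telemetry: (pid, image path) as an EDR might report it.
SAMPLE_EVENTS = [
    (612, r"C:\Windows\System32\svchost.exe"),
    (4120, r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    (4188, r"C:\Windows\System32\svchosst.exe"),
    (700, r"C:\Windows\System32\msdt.exe"),
    (3300, r"C:\Program Files\VideoLAN\mediaplayer.exe"),
]


def normalize(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.strip().replace("/", "\\").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(image_path: str) -> list:
    """Return (rule, detail) findings for one process image path."""
    p = normalize(image_path)
    name = ntpath.basename(p)
    directory = ntpath.dirname(p)
    findings = []
    if name in EXPECTED_DIRS:
        # Exact system-binary name: it must come from an expected directory.
        if directory not in EXPECTED_DIRS[name]:
            findings.append(("system-name-outside-expected-dir",
                             f"{name} running from {directory or '<none>'}"))
    elif name not in LEGIT_NEIGHBOURS:
        # Approximate name: one edit away from a monitored binary (e.g. svchosst.exe).
        for known in EXPECTED_DIRS:
            if edit_distance(name, known) <= 1:
                findings.append(("lookalike-system-name", f"{name} resembles {known}"))
    return findings


def scan(events) -> dict:
    """Map pid -> findings for every event that produced at least one finding."""
    results = {}
    for pid, path in events:
        hits = analyze(path)
        if hits:
            results[pid] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"pid {pid}: {rule}: {detail}")
```

The edit-distance rule is deliberately gated by an allow-list: several genuine Windows binaries differ from a monitored name by a single character (msdt.exe next to msdtc.exe is one), so a production rule needs that list populated from a known-good inventory rather than left at one entry. Path checks alone are also not sufficient on their own, since a signed copy in System32 can still be the wrong binary; pairing the name/location check with the code-signing mitigation listed below closes that gap.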
Platforms
Mitigations (3)
Restrict File and Directory Permissions (M1022)
Use file system access controls to protect folders such as C:\Windows\System32.
Execution Prevention (M1038)
Use application control tools that restrict program execution by attributes other than file name for the common operating system utilities that are needed.
Code Signing (M1045)
Require signed binaries and images.
Threat Groups (61)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citat... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used legitimate process names to hide malware including <code>svchosst</code>.(Citation: ... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used legitimate looking filenames for compressed copies of the ntds.dit database and used na... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has given malware the same name as an existing file on the file share server to cause users to ... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used file names to mimic legitimate Windows files or system functionality.(Citation: Proofpoint TA... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(C... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has masqueraded the VINETHORN payload as a VPN application.(Citation: Mandiant APT42-charms) |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has disguised [Cobalt Strike](https://attack.mitre.org/software/S0154) installers as a malicious D... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.(Citati... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spide... |
| G1020 | Mustard Tempest | [Mustard Tempest](https://attack.mitre.org/groups/G1020) has used the filename `AutoUpdater.js` to mimic legitimate update files and has also used the... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has disguised malicious executables and used filenames and Registry key names associated with Wind... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used security service provider naming conventions such as ESET and Kaspersky ("Kaspersky Update Agen... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) installed its payload in the startup programs folder as "Baidu Software Update." The group also add... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has masqueraded malicious payloads to resemble legitimate applications.(Citation: DOJ FBI Hand... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) can mimic legitimate Windows directories by using the same icons and names.(Citation: Kaspe... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command to rename one of their tools to a benign file name: <code>ren "%t... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and ... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has dropped implants in folders named for legitimate software.(Citation: ESET BackdoorDiplo... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) has used legitimate names and locations for files to evade defenses.(Citation: Cisco Akira Ransomware O... |
Associated Software (140)
| ID | Name | Type | Context |
|---|---|---|---|
| S0083 | Misdat | Malware | [Misdat](https://attack.mitre.org/software/S0083) saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distrib... |
| S0629 | RainyDay | Malware | [RainyDay](https://attack.mitre.org/software/S0629) has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.(Citation: B... |
| S0459 | MechaFlounder | Malware | [MechaFlounder](https://attack.mitre.org/software/S0459) has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.(Cit... |
| S1050 | PcShare | Tool | [PcShare](https://attack.mitre.org/software/S1050) has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.(Citation... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has renamed malicious files to mimic legitimate file names and file extensions.(Citation: 2022 No... |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has mimicked the names of known executables, such as mediaplayer.exe.(Citation: CISA MAR SLOT... |
| S0081 | Elise | Malware | If installing itself as a service fails, [Elise](https://attack.mitre.org/software/S0081) instead writes itself as a file named svchost.exe saved in %... |
| S0072 | OwaAuth | Malware | [OwaAuth](https://attack.mitre.org/software/S0072) uses the filename owaauth.dll, which is a legitimate file that normally resides in <code>%ProgramFi... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 201... |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Dist... |
| S1014 | DanBot | Malware | [DanBot](https://attack.mitre.org/software/S1014) files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools.(Citation: C... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) can rename its running process to <code>[kworker:0/1]</code> to masquerade as a Linux kernel ... |
| S0668 | TinyTurla | Malware | [TinyTurla](https://attack.mitre.org/software/S0668) has been deployed as `w64time.dll` to appear legitimate.(Citation: Talos TinyTurla September 2021... |
| S1203 | J-magic | Malware | [J-magic](https://attack.mitre.org/software/S1203) can rename itself as “[nfsiod 0]” to masquerade as the local Network File System (NFS) asynchronous... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".(Citation:... |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.(C... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) .NET assemblies have used `App_Web_` in their file names to appear legitimate.(Citation: CrowdStri... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has appeared to resemble legitimate processes to include the vCenter process `vami-http`.(Citati... |
| S0171 | Felismus | Malware | [Felismus](https://attack.mitre.org/software/S0171) has masqueraded as legitimate Adobe Content Management System files.(Citation: ATT Felismus) |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020) |
References
Frequently Asked Questions
What is T1036.005 (Match Legitimate Resource Name or Location)?
T1036.005 is a MITRE ATT&CK technique named 'Match Legitimate Resource Name or Location'. It belongs to the Stealth tactic(s). Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation...
How can T1036.005 be detected?
Detection of T1036.005 (Match Legitimate Resource Name or Location) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1036.005?
There are 3 documented mitigations for T1036.005. Key mitigations include: Restrict File and Directory Permissions, Execution Prevention, Code Signing.
Which threat groups use T1036.005?
Known threat groups using T1036.005 include: TeamTNT, Gamaredon Group, Volt Typhoon, BRONZE BUTLER, TA2541, APT41, APT42, Storm-1811.