Description
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)
Platforms
Sub-Techniques (12)
Invalid Code Signature
T1036.002Right-to-Left Override
T1036.003Rename Legitimate Utilities
T1036.004Masquerade Task or Service
T1036.005Match Legitimate Resource Name or Location
T1036.006Space after Filename
T1036.007Double File Extension
T1036.008Masquerade File Type
T1036.009Break Process Trees
T1036.010Masquerade Account Name
T1036.011Overwrite Process Arguments
T1036.012Browser Fingerprint
Mitigations (8)
AuditM1047
Audit user accounts to ensure that each one has a defined purpose.
User Account ManagementM1018
Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.
User TrainingM1017
Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.
Code SigningM1045
Require signed binaries.
Behavior Prevention on EndpointM1040
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).
Restrict File and Directory PermissionsM1022
Use file system access controls to protect folders such as C:\\Windows\\System32.
Antivirus/AntimalwareM1049
Anti-virus can be used to automatically quarantine suspicious files.
Execution PreventionM1038
Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
Threat Groups (20)
| ID | Group | Context |
|---|---|---|
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used [esentutl](https://attack.mitre.org/software/S0404) to change file extensions to their true... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has disguised a Cobalt Strike beacon as a Flash Installer.(Citation: Cybereason Cobalt Kitty 2017) |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has delivered [BeaverTail](https://attack.mitre.org/software/S1246) malware masquerading... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has masked executables with document file icons including Word and Adobe PDF.(Citation: Trend M... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used .doc file extensions to mask malicious executables.(Citation: Check Point APT34 April 2021) |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has renamed the legitimate Sysinternals tool procdump to alternative names such as <code>dump64.ex... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) masqueraded malicious installers as Windows update packages to evade defense and entice users t... |
| G0133 | Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) attempted to make [Octopus](https://attack.mitre.org/software/S0340) appear as a Telegram Me... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used the Plink tool for tunneling and connections to remote machines, renaming it <code>systems.exe</c... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used fake icons including antivirus and external drives to disguise malicious payloads.(Cita... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has disguised their scripts with docker-related file names.(Citation: Cisco Talos Intelligence Group) |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used several different security software icons to disguise executables.(Citation: MalwareByt... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has renamed the WinRAR utility to avoid detection.(Citation: Cybersecurity Advisory GRU Brute Force Cam... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has spoofed legitimate applications in phishing lures and changed file extensions to conceal insta... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has masqueraded staged data by using the Windows [certutil](https://attack.mitre.org/software/S0160) ut... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used icons mimicking MS Office files to mask malicious executables.(Citation: objective-see win... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has prompted users to download and execute batch scripts that masquerade as legitimate update file... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) created specially-crafted documents mimicking legitimate government or similar documents during... |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has masked malware DLLs as dat and jpg files.(Citation: Unit 42 TA551 Jan 2021) |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has renamed rar.exe to avoid detection.(Citation: Twitter ItsReallyNick Platinum Masquerade) |
Associated Software (33)
| ID | Name | Type | Context |
|---|---|---|---|
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has used the Adobe Reader icon for the downloaded file to look more trustworthy.(Citation: Malwarebyte... |
| S0565 | Raindrop | Malware | [Raindrop](https://attack.mitre.org/software/S0565) was built to include a modified version of 7-Zip source code (including associated export names) a... |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) can disguise JavaScript files as PDFs.(Citation: Malwarebytes Kimsuky June 2021) |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection.(Citatio... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) installs malicious application bundles that mimic native macOS apps, such as Safari, by using the le... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066)'s payload has been renamed `PowerShellInfo.exe`.(Citation: Secureworks DarkTortilla Aug 2022) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) malware has masqueraded as legitimate software such as "PDF Converter Software" which has b... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has masqueraded as legitimate VSCode extensions.(Citation: Aikido GlassWorm October 2025)(Citatio... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file.(Citation... |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) can download malicious files with a .tmp extension and append them with .exe prior to execution.(Ci... |
| S1046 | PowGoop | Malware | [PowGoop](https://attack.mitre.org/software/S1046) has disguised a PowerShell script as a .dat file (goopdate.dat).(Citation: DHS CISA AA22-055A Muddy... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) has used an executable named `companycatalogue` to appear benign.(Citation: ClearSky Siamesekitten Au... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of... |
| S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) has used icons mimicking MS Office files to mask payloads.(Citation: objective-see windtail1 dec 2... |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) has the ability to mask malicious data strings as PDF files.(Citation: MSTIC Nobelium Toolset May 2... |
| S1164 | UPSTYLE | Malware | [UPSTYLE](https://attack.mitre.org/software/S1164) has masqueraded filenames using examples such as `update.py`.(Citation: Volexity UPSTYLE 2024) |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has masqueraded as a JPG image file.(Citation: Eset Ramsay May 2020) |
| S0266 | TrickBot | Malware | The [TrickBot](https://attack.mitre.org/software/S0266) downloader has used an icon to appear as a Microsoft Word document.(Citation: Cyberreason Anch... |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) drops [PsExec](https://attack.mitre.org/software/S0029) with the filename dllhost.dat.(Citation: T... |
| S0637 | NativeZone | Malware | [NativeZone](https://attack.mitre.org/software/S0637) has, upon execution, displayed a message box that appears to be related to a Ukrainian electroni... |
References
Frequently Asked Questions
What is T1036 (Masquerading)?
T1036 is a MITRE ATT&CK technique named 'Masquerading'. It belongs to the Stealth tactic(s). Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, l...
How can T1036 be detected?
Detection of T1036 (Masquerading) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1036?
There are 8 documented mitigations for T1036. Key mitigations include: Audit, User Account Management, User Training, Code Signing, Behavior Prevention on Endpoint.
Which threat groups use T1036?
Known threat groups using T1036 include: menuPass, APT32, Contagious Interview, BRONZE BUTLER, OilRig, Ember Bear, Sandworm Team, Nomadic Octopus.