T1036Techniquedefense-evasionagent-callable

T1036Masquerading

Platforms: Linux · macOS · Windows · Containers

ATT&CK version: 14.1

What it is

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1036
  2. https://twitter.com/ItsReallyNick/status/1055321652777619457
  3. https://www.elastic.co/blog/how-hunt-masquerade-ball
  4. https://lolbas-project.github.io/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.