T1036.003SubTechniquedefense-evasionagent-callable

T1036.003Rename System Utilities

Sub-technique of T1036

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1036/003
  2. https://twitter.com/ItsReallyNick/status/1055321652777619457
  3. https://www.elastic.co/blog/how-hunt-masquerade-ball
  4. https://www.f-secure.com/documents/996508/1030745/CozyDuke
  5. https://lolbas-project.github.io/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.