T1036.005 · Sub-technique · defense-evasion · agent-callable

T1036.005 Match Legitimate Name or Location

Sub-technique of T1036

Platforms: Linux · macOS · Windows · Containers

ATT&CK version: 14.1

What it is

Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing their own, in order to evade defenses and observation. This may be done by placing an executable in a commonly trusted directory (e.g. under System32) or by giving it the name of a legitimate, trusted program (e.g. svchost.exe). In containerized environments, it may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, the name given to a file or container image may be a close approximation of a legitimate program or image, or simply something innocuous. Adversaries may also reuse the icon of the file they are trying to mimic.
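The two indicators in the description (a trusted name running from the wrong directory, and a name that only approximates a trusted one) can both be checked from process-creation telemetry. The following is an added detection example, not part of the ATT&CK page or the MITRE project: it assumes a small hypothetical allowlist of trusted binary names and their canonical directories, folds common homoglyph substitutions, and uses an edit distance of at most one (with transpositions) to catch close approximations. The process image paths it scans are constructed sample data.

```python
"""Flag processes that masquerade as trusted Windows system binaries.

Added example, not part of the ATT&CK page. EXPECTED_LOCATIONS is a small
constructed allowlist; a real deployment would derive it from a known-good
baseline of the environment. Sample image paths below are constructed.
"""
from __future__ import annotations

import ntpath

# Hypothetical allowlist: lower-case trusted name -> canonical directory.
EXPECTED_LOCATIONS: dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Single-character look-alikes commonly swapped into an imitation name.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(name: str) -> str:
    """Fold case, digit look-alikes and two-letter look-alikes (rn->m, vv->w)."""
    folded = name.lower().translate(_HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]


def assess(image_path: str) -> tuple[str, str] | None:
    """Return (kind, detail) for a suspicious image path, or None if it looks fine.

    kind is "location-mismatch" when a trusted name runs outside its canonical
    directory, or "lookalike-name" when the name only approximates a trusted one.
    """
    path = ntpath.normpath(image_path.lower())
    directory, name = ntpath.split(path)
    if name in EXPECTED_LOCATIONS:
        expected = EXPECTED_LOCATIONS[name]
        if directory != expected:
            return ("location-mismatch", f"{name} expected in {expected}, found in {directory}")
        return None
    folded = normalize(name)
    for trusted in EXPECTED_LOCATIONS:
        if folded == trusted or osa_distance(folded, trusted) <= 1:
            return ("lookalike-name", f"{name} resembles {trusted}")
    return None


def scan(image_paths: list[str]) -> list[tuple[str, str, str]]:
    """Run assess() over process image paths; return (path, kind, detail) findings."""
    findings = []
    for image_path in image_paths:
        result = assess(image_path)
        if result is not None:
            findings.append((image_path, result[0], result[1]))
    return findings


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",   # legitimate
    r"C:\Users\Public\svchost.exe",       # trusted name, untrusted directory
    r"C:\Windows\System32\svch0st.exe",   # homoglyph substitution
    r"C:\Temp\scvhost.exe",               # transposed letters
    r"C:\Windows\explorer.exe",           # legitimate
    r"C:\Windows\System32\notepad.exe",   # not in allowlist, not a look-alike
]

if __name__ == "__main__":
    for path, kind, detail in scan(SAMPLE_EVENTS):
        print(f"{kind:18} {path}  ({detail})")
```

The allowlist is deliberately tiny; the value of the check comes from building it from a trusted baseline and pairing it with signer or hash verification, since a file that sits in the right directory with the right name can still be a replaced binary.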

ATT&CK tactics (1)

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1036/005
  2. https://twitter.com/ItsReallyNick/status/1055321652777619457
  3. https://docs.docker.com/engine/reference/commandline/images/
  4. https://www.elastic.co/blog/how-hunt-masquerade-ball

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.